Description
The ToolHive MCP HTTP proxy (/mcp) lacks CORS support, blocking web-based clients (e.g., MCP Inspector). The server returns 405 Method Not Allowed on OPTIONS preflight and misses Access-Control-Allow-Origin.
Steps to Reproduce
- Add an MCP to thv.
- Configure a client, e.g. OpenCode.
- Get the proxy MCP URL from the client config, e.g.
http://localhost:43969/mcp and paste it in MCP inspector.
- Attempt to connect.
- Connection fails due to 405 error and CORS.
Request URL http://localhost:43969/mcp
Request Method OPTIONS
Status Code 405 Method Not Allowed
Remote Address 127.0.0.1:43969
Referrer Policy strict-origin-when-cross-origin
GET http://localhost:43969/mcp net::ERR_FAILED
Access to fetch at 'http://localhost:43969/mcp' from origin 'http://localhost:6274' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Expected Behavior
OPTIONS handles preflight with 200/204.- Proper
Access-Control-Allow-* headers present on the /mcp route.
Actual Behavior
OPTIONS request: 405 Method Not Allowed.- Console error:
net::ERR_FAILED (missing Access-Control-Allow-Origin).
Environment
- OS: macOS M4.
- ToolHive: Version 0.24.0 (0.24.0)
Description
The ToolHive MCP HTTP proxy (
/mcp) lacks CORS support, blocking web-based clients (e.g., MCP Inspector). The server returns405 Method Not AllowedonOPTIONSpreflight and missesAccess-Control-Allow-Origin.Steps to Reproduce
http://localhost:43969/mcpand paste it in MCP inspector.Expected Behavior
OPTIONShandles preflight with200/204.Access-Control-Allow-*headers present on the/mcproute.Actual Behavior
OPTIONSrequest:405 Method Not Allowed.net::ERR_FAILED(missingAccess-Control-Allow-Origin).Environment