Security hardening: MCP server auth + client URL validation#403
Draft
Security hardening: MCP server auth + client URL validation#403
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses security scan findings #14 (MCP server mounted without auth) and #15 (MCP client accepts arbitrary URLs). Python half of a 3-SDK PR set (TS + C# are separate PRs on the same branch name).
#14 — MCP server auth
New opt-in
require_authparameter onMcpServerPlugin:```python
McpServerPlugin(
name="my-mcp",
require_auth=lambda req: req.headers.get("authorization") == "Bearer ...",
)
```
Hook accepts sync or async
(Request) -> bool.False/raise → 401 via a thin ASGI middleware wrapping the mounted FastMCP app; lifespan events pass through untouched. When unset, all requests are accepted and a one-time startup warning fires when the server mounts.#15 — MCP client SSRF
New
url_validation.pygate, wired into_fetch_tools_from_serverand_call_mcp_toolbefore transport creation. Two new fields onMcpClientPluginParams:allow_private_network: bool = False— block RFC1918, loopback, link-local, IPv6 unique-localvalidate_url: Optional[Callable[[str], Union[bool, Awaitable[bool]]]]— when set, fully replaces the default scheme + host-network checksDefault policy: scheme ∈ {
http,https}; if notallow_private_network, resolve host vialoop.getaddrinfoand reject private addresses. IP literals short-circuit DNS. Uses Python'sipaddressstdlib for classification.Behavior change to be aware of
MCP client calls that previously pointed at localhost / on-prem MCP servers will now fail with
UrlValidationErrorunlessallow_private_network=Trueis set on the call's params. Set the flag for intentional on-prem deployments.Design docs
design/mcp-server-auth-options.mddesign/mcp-client-ssrf-options.mdE2E verified
/mcpreturns 401 without auth, 400 (FastMCP "Missing session ID") on correct bearer (past middleware)POST /api/messagesrouted to the handler (skip_auth toggle used for the synthetic request); middleware did not interceptrequire_authis unset; silent when setNote on DNS rebinding
Default private-network filter rejects at registration time but does not prevent DNS rebinding. Known residual risk; call out if follow-up work is wanted.