From 477bde96f423d0fbe069f8b6da0763c9d77640fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sat, 7 Feb 2026 18:25:12 +0100
Subject: [PATCH] server: restrict CORS to allowed origins by default

---
 server/src/index.ts | 43 +++++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 12 deletions(-)

diff --git a/server/src/index.ts b/server/src/index.ts
index 4d1fffa29..a7f84a232 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -172,12 +172,38 @@ const updateHeadersInPlace = (
   }
 };
 
+const getAllowedOrigins = (): string[] => {
+  const clientPort = process.env.CLIENT_PORT || "6274";
+  const defaultOrigins = [
+    `http://localhost:${clientPort}`,
+    `http://127.0.0.1:${clientPort}`,
+    `http://[::1]:${clientPort}`,
+  ];
+
+  const raw = process.env.ALLOWED_ORIGINS;
+  if (!raw) return defaultOrigins;
+
+  const fromEnv = raw
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+  return fromEnv.length ? fromEnv : defaultOrigins;
+};
+
+const allowedOrigins = getAllowedOrigins();
+
 const app = express();
-app.use(cors());
-app.use((req, res, next) => {
-  res.header("Access-Control-Expose-Headers", "mcp-session-id");
-  next();
-});
+app.use(
+  cors({
+    origin: (origin, cb) => {
+      // Allow non-browser clients (no Origin header).
+      if (!origin) return cb(null, true);
+      return cb(null, allowedOrigins.includes(origin));
+    },
+    exposedHeaders: ["mcp-session-id"],
+  }),
+);
 
 const webAppTransports: Map = new Map(); // Web app transports by web app sessionId
 const serverTransports: Map = new Map(); // Server Transports by web app sessionId
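Review bot: The `return cb(null, allowedOrigins.includes(origin));` branch in the new `cors()` options does not reject a disallowed origin — if `cors` is the npm package of that name (its import is outside the hunk), a `false` result only suppresses the `Access-Control-Allow-*` headers and the request still proceeds to the route handlers, so the actual 403 comes solely from `originValidationMiddleware` in the second hunk. That is acceptable as long as that middleware is mounted on every route this server exposes, but the dependency should be stated above the callback: `// A false result only omits CORS headers; originValidationMiddleware (below) issues the 403.` Separately, `includes` is an exact string comparison while browsers send a canonical serialized origin, so an `ALLOWED_ORIGINS` entry written with a trailing slash (`http://localhost:6274/`) would silently never match; stripping it in the env parser, `.map((s) => s.trim().replace(/\/+$/, ""))`, avoids that misconfiguration.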
@@ -196,13 +222,6 @@ const originValidationMiddleware = (
 ) => {
   const origin = req.headers.origin;
 
-  // Default origins based on CLIENT_PORT or use environment variable
-  const clientPort = process.env.CLIENT_PORT || "6274";
-  const defaultOrigin = `http://localhost:${clientPort}`;
-  const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(",") || [
-    defaultOrigin,
-  ];
-
   if (origin && !allowedOrigins.includes(origin)) {
     console.error(`Invalid origin: ${origin}`);
     res.status(403).json({