Refactor CORS headers handling to use precomputed variable for efficiency

Author: RossTarrant

pkg/http/handler.go

@@ -3,7 +3,7 @@ package http
 import (
 	"context"
 	"errors"
-	"fmt"
+	"strings"
 	"log/slog"
 	"net/http"
 
@@ -416,6 +416,22 @@ func PATScopeFilter(b *inventory.Builder, r *http.Request, fetcher scopes.Fetche
 	return b
 }
 
+// corsAllowHeaders is the precomputed Access-Control-Allow-Headers value.
+var corsAllowHeaders = strings.Join([]string{
+	"Content-Type",
+	"Mcp-Session-Id",
+	"Mcp-Protocol-Version",
+	"Last-Event-ID",
+	headers.AuthorizationHeader,
+	headers.MCPReadOnlyHeader,
+	headers.MCPToolsetsHeader,
+	headers.MCPToolsHeader,
+	headers.MCPExcludeToolsHeader,
+	headers.MCPFeaturesHeader,
+	headers.MCPLockdownHeader,
+	headers.MCPInsidersHeader,
+}, ", ")
+
 // SetCorsHeaders is middleware that sets CORS headers to allow browser-based
 // MCP clients to connect from any origin. This is safe because the server
 // authenticates via bearer tokens (not cookies), so cross-origin requests
@@ -426,17 +442,7 @@ func SetCorsHeaders(h http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS")
 		w.Header().Set("Access-Control-Max-Age", "86400")
 		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id, WWW-Authenticate")
-		w.Header().Set("Access-Control-Allow-Headers", fmt.Sprintf(
-			"Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, %s, %s, %s, %s, %s, %s, %s, %s",
-			headers.AuthorizationHeader,
-			headers.MCPReadOnlyHeader,
-			headers.MCPToolsetsHeader,
-			headers.MCPToolsHeader,
-			headers.MCPExcludeToolsHeader,
-			headers.MCPFeaturesHeader,
-			headers.MCPLockdownHeader,
-			headers.MCPInsidersHeader,
-		))
+		w.Header().Set("Access-Control-Allow-Headers", corsAllowHeaders)
 
 		if r.Method == http.MethodOptions {
 			w.WriteHeader(http.StatusOK)