You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/streamable-http.md
+31Lines changed: 31 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,6 +8,7 @@ The Streamable HTTP mode enables the GitHub MCP Server to run as an HTTP service
8
8
-**OAuth Metadata Endpoints** — Standard `.well-known/oauth-protected-resource` discovery for OAuth clients
9
9
-**Scope Challenge Support** — Automatic scope validation with proper HTTP 403 responses and `WWW-Authenticate` headers
10
10
-**Scope Filtering** — Restrict available tools based on authenticated credentials and permissions
11
+
-**CORS & Browser Client Support** — Built-in CORS middleware and configurable cross-origin protection for browser-based MCP clients
11
12
-**Custom Base Paths** — Support for reverse proxy deployments with customizable base URLs
12
13
13
14
## Running the Server
@@ -59,6 +60,36 @@ The OAuth protected resource metadata's `resource` attribute will be populated w
59
60
60
61
This allows OAuth clients to discover authentication requirements and endpoint information automatically.
61
62
63
+
## Cross-Origin & Browser Client Support
64
+
65
+
The HTTP server includes built-in CORS middleware and cross-origin request handling to support browser-based MCP clients (e.g., web apps, MCP Inspector).
66
+
67
+
### Default Behavior
68
+
69
+
`RunHTTPServer` enables browser cross-origin support out of the box by wiring in two things:
70
+
71
+
1.**CORS middleware** (`SetCorsHeaders`) — responds to preflight `OPTIONS` requests and sets `Access-Control-*` headers on all MCP endpoint responses
72
+
2.**Cross-origin protection bypass** — bypasses the SDK's `Sec-Fetch-Site` rejection so cross-origin POST requests are allowed
73
+
74
+
This is safe because the server authenticates exclusively via bearer tokens (`Authorization` header), which are not ambient credentials — a malicious cross-origin page cannot cause the browser to attach them automatically. Standard CSRF protection is therefore not required.
75
+
76
+
> **Note:** CORS headers on MCP endpoints are provided by `SetCorsHeaders` middleware. OAuth metadata discovery routes (e.g., `/.well-known/oauth-protected-resource`) handle CORS independently.
77
+
78
+
### Library / Custom Integrations
79
+
80
+
If you embed the server as a library (using `ServerConfig` directly rather than `RunHTTPServer`), neither the CORS middleware nor the cross-origin bypass is applied automatically. To support browser clients, you must:
81
+
82
+
1. Add `middleware.SetCorsHeaders` to your router
83
+
2. Set the `CrossOriginProtection` field on `ServerConfig` with an appropriate bypass pattern
84
+
85
+
The `CrossOriginProtection` options are:
86
+
87
+
-**`nil`** — `RunHTTPServer` auto-bypasses (allows all origins); library consumers get the SDK default (reject cross-origin POSTs)
88
+
-**Explicit bypass** — Create a `CrossOriginProtection` with `AddInsecureBypassPattern("/")` to allow all cross-origin requests
89
+
-**SDK default** — Use `http.NewCrossOriginProtection()` without any bypass patterns to reject cross-origin POSTs
90
+
91
+
The SDK default is appropriate when browser cross-origin clients are not required (e.g., native CLI clients only, or same-origin browser deployments where the client and server share the same origin).
0 commit comments