Add support for missed CORS headers and update tests

Author: RossTarrant

pkg/http/handler.go

@@ -427,13 +427,15 @@ func SetCorsHeaders(h http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Max-Age", "86400")
 		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id")
 		w.Header().Set("Access-Control-Allow-Headers", fmt.Sprintf(
-			"Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, %s, %s, %s, %s, %s, %s",
+			"Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, %s, %s, %s, %s, %s, %s, %s, %s",
 			headers.AuthorizationHeader,
 			headers.MCPReadOnlyHeader,
 			headers.MCPToolsetsHeader,
 			headers.MCPToolsHeader,
 			headers.MCPExcludeToolsHeader,
 			headers.MCPFeaturesHeader,
+			headers.MCPLockdownHeader,
+			headers.MCPInsidersHeader,
 		))
 
 		if r.Method == http.MethodOptions {

pkg/http/handler_test.go

@@ -680,6 +680,8 @@ func TestSetCorsHeaders(t *testing.T) {
 		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Authorization")
 		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Content-Type")
 		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Mcp-Session-Id")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Lockdown")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Insiders")
 		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "Mcp-Session-Id")
 	})
 
@@ -782,17 +784,6 @@ func TestCrossOriginProtection(t *testing.T) {
 			secFetchSite:       "",
 			expectedStatusCode: http.StatusOK,
 		},
-		{
-			name: "bypass allows cross-site request (same pattern RunHTTPServer applies for nil config)",
-			crossOriginProtection: func() *http.CrossOriginProtection {
-				p := http.NewCrossOriginProtection()
-				p.AddInsecureBypassPattern("/")
-				return p
-			}(),
-			secFetchSite:       "cross-site",
-			origin:             "https://example.com",
-			expectedStatusCode: http.StatusOK,
-		},
 	}
 
 	for _, tt := range tests {