adityamparikh opened a new pull request, #121: URL: https://github.com/apache/solr-mcp/pull/121
## Summary

The HTTP transport's CORS configuration used `setAllowedOriginPatterns("*")` together with `allowCredentials=true`. This is Spring's escape hatch around the MDN/W3C CORS rule that wildcard origins cannot be combined with credentials, and it triggers [CWE-942](https://cwe.mitre.org/data/definitions/942.html) per the OWASP HTML5 Security Cheat Sheet.

This PR switches to the strict `setAllowedOrigins(...)` API backed by a configurable allowlist (`mcp.cors.allowed-origins` / `MCP_CORS_ALLOWED_ORIGINS`) that defaults to the MCP Inspector's local proxy ports (`http://localhost:6274,http://127.0.0.1:6274`). Allowed methods are tightened to `GET, POST, DELETE, OPTIONS` and allowed headers to `Authorization, Content-Type, Mcp-Session-Id, MCP-Protocol-Version, Last-Event-ID` — the explicit set required by the MCP Streamable HTTP transport spec.

Operators running the MCP server with browser-based clients or dashboards beyond the Inspector add origins via the env var. Bearer-token auth flows continue to work because `allowCredentials` is preserved.

## Test plan

- [x] `./gradlew spotlessApply` clean
- [x] `./gradlew build` passes (full test suite, 43s)
- [ ] Manual verification with MCP Inspector at http://localhost:6274 still completes a request flow

## References

- [MDN — CORS, Credentialed requests and wildcards](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards)
- [CWE-942: Permissive Cross-domain Policy with Untrusted Domains](https://cwe.mitre.org/data/definitions/942.html)
- [OWASP HTML5 Security Cheat Sheet (CORS)](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#cross-origin-resource-sharing)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

This is an automated message from the Apache Git Service.
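As an added illustration, not code from the solr-mcp PR itself, here is a Spring `CorsConfiguration` written the way the description above lays it out: the permissive pattern-plus-credentials form beside the strict allowlist bound to `mcp.cors.allowed-origins`. The package, class and bean names and the `/mcp/**` path pattern are assumptions; the property name, default origins, allowed methods and allowed headers are the ones the PR states.

```java
package org.example.cors; // hypothetical package, not solr-mcp's own

import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class McpCorsConfig {

    // Assumed path pattern for the MCP HTTP endpoint; the real mapping lives in the project.
    private static final String MCP_PATH_PATTERN = "/mcp/**";

    /**
     * BEFORE: the permissive form the PR removes. Because a credentialed response may
     * not carry "Access-Control-Allow-Origin: *", setAllowedOriginPatterns("*") makes
     * Spring echo the request's Origin instead, so every origin is effectively trusted.
     * Kept here only for contrast; it is deliberately not registered as a bean.
     */
    static CorsConfiguration permissiveConfiguration() {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowedOriginPatterns(List.of("*"));
        cors.setAllowCredentials(true);
        cors.setAllowedMethods(List.of("*"));
        cors.setAllowedHeaders(List.of("*"));
        return cors;
    }

    /**
     * AFTER: strict allowlist. setAllowedOrigins() performs exact-match comparison
     * against the configured origins; the methods and headers are the explicit set
     * named in the PR for the MCP Streamable HTTP transport.
     */
    static CorsConfiguration strictConfiguration(List<String> allowedOrigins) {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowedOrigins(allowedOrigins);
        cors.setAllowCredentials(true);
        cors.setAllowedMethods(List.of("GET", "POST", "DELETE", "OPTIONS"));
        cors.setAllowedHeaders(List.of("Authorization", "Content-Type",
                "Mcp-Session-Id", "MCP-Protocol-Version", "Last-Event-ID"));
        // Fail at startup if an operator later puts a literal "*" into the
        // allowlist while credentials remain enabled.
        cors.validateAllowCredentials();
        return cors;
    }

    /**
     * Binds the allowlist from mcp.cors.allowed-origins, defaulting to the MCP
     * Inspector's proxy ports. Spring Boot's relaxed binding lets the
     * MCP_CORS_ALLOWED_ORIGINS environment variable override the same property.
     */
    @Bean
    public CorsFilter mcpCorsFilter(
            @Value("${mcp.cors.allowed-origins:http://localhost:6274,http://127.0.0.1:6274}")
            List<String> allowedOrigins) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration(MCP_PATH_PATTERN, strictConfiguration(allowedOrigins));
        return new CorsFilter(source);
    }
}
```

The point of the contrast is that the wildcard-plus-credentials combination is never actually sent on the wire; Spring satisfies the browser by reflecting the caller's own Origin, which is why the escape hatch defeats the rule rather than breaking on it. With `setAllowedOrigins(...)`, an origin not on the list simply gets no `Access-Control-Allow-Origin` header and the browser blocks the response, and `validateAllowCredentials()` turns a later misconfiguration into a startup error instead of a silent regression.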
