DnsRebindingProtectionMiddleware implements MiddlewareInterface
Final: Yes
Protects local MCP servers against DNS rebinding attacks.
When the request carries an Origin header, it is validated against the
allowlist; otherwise the Host header is validated. Both checks are
case-insensitive and ignore the port. The default allowlist contains localhost
variants only — for non-local deployments either pass a tailored list of
hostnames or omit this middleware entirely (e.g. when fronted by a reverse
proxy that enforces Host validation).
Table of Contents
Interfaces
- MiddlewareInterface
Properties
- $allowedHosts : array<int, string>
- $responseFactory : ResponseFactoryInterface
- $streamFactory : StreamFactoryInterface
Methods
- __construct() : mixed
- process() : ResponseInterface
- createForbiddenResponse() : ResponseInterface
- isAllowedHost() : bool
- isAllowedOrigin() : bool
Properties
$allowedHosts read-only
private
array<int, string>
$allowedHosts
$responseFactory
private
ResponseFactoryInterface
$responseFactory
$streamFactory
private
StreamFactoryInterface
$streamFactory
Methods
__construct()
public
__construct([array<int, string> $allowedHosts = ['localhost', '127.0.0.1', '[::1]'] ][, ResponseFactoryInterface|null $responseFactory = null ][, StreamFactoryInterface|null $streamFactory = null ]) : mixed
Parameters
- $allowedHosts : array<int, string> = ['localhost', '127.0.0.1', '[::1]']
  Hostnames (without port) that are permitted. Defaults to localhost variants. IPv6 addresses must be bracketed (e.g. [::1]) — that is the canonical form returned by parse_url.
- $responseFactory : ResponseFactoryInterface|null = null
  PSR-17 response factory (auto-discovered if null)
- $streamFactory : StreamFactoryInterface|null = null
  PSR-17 stream factory (auto-discovered if null)
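To make the rule in the class description concrete, and to show what the constructor's allowlist has to contain, the following is an added stand-alone PHP example; it is not the middleware's own code. It restates the documented checks (Origin validated when present, otherwise Host; case-insensitive; port ignored; IPv6 literals bracketed as parse_url returns them) in two hypothetical helpers, normalizeHost() and requestIsAllowed(), runs them over constructed header values, and ends by constructing the middleware with a tailored allowlist as the signature above permits. The hostname mcp.internal.example and every header value are made up; the class's namespace is not given on this page, so the instantiation is guarded.

```php
<?php
declare(strict_types=1);

// Added illustration, not the middleware's own code. It restates the documented
// admission rule (Origin checked when present, else Host; case-insensitive;
// port ignored; IPv6 literals bracketed as parse_url() returns them) in a
// stand-alone form so the edge cases are visible. Function names and all
// sample header values are constructed for this example.

/**
 * Reduce a Host or Origin header value to a bare lowercase hostname, or null
 * when no host can be parsed from it.
 */
function normalizeHost(string $headerValue, bool $isOrigin): ?string
{
    // A Host header carries no scheme; prepend one so parse_url() reads the
    // value as an authority rather than a path. Origin already has a scheme.
    $url  = $isOrigin ? $headerValue : 'http://' . $headerValue;
    $host = parse_url($url, PHP_URL_HOST); // "[::1]" stays bracketed, port is dropped
    if (!is_string($host) || $host === '') {
        return null;
    }
    return strtolower($host);
}

/**
 * Admission decision for one request. $headers is a constructed
 * header-name => value map standing in for a PSR-7 request.
 */
function requestIsAllowed(array $headers, array $allowedHosts): bool
{
    $allowed = array_map('strtolower', $allowedHosts);
    if (isset($headers['Origin'])) {
        // A browser-initiated cross-site request always carries Origin, so it
        // takes precedence over whatever Host says.
        $host = normalizeHost($headers['Origin'], true);
    } elseif (isset($headers['Host'])) {
        $host = normalizeHost($headers['Host'], false);
    } else {
        return false; // nothing to validate against: this example rejects
    }
    return $host !== null && in_array($host, $allowed, true);
}

$localDefaults = ['localhost', '127.0.0.1', '[::1]']; // the documented defaults
$tailored      = ['mcp.internal.example'];            // constructed hostname for a non-local deployment

// [label, constructed headers, allowlist, expected decision]
$cases = [
    ['local request, port ignored',              ['Host' => 'localhost:8080'],                                        $localDefaults, true],
    ['hostname compared case-insensitively',     ['Host' => 'LocalHost'],                                             $localDefaults, true],
    ['bracketed IPv6 loopback with port',        ['Host' => '[::1]:3000'],                                            $localDefaults, true],
    ['rebound name: Host and Origin both remote', ['Host' => 'attacker.example:8080', 'Origin' => 'http://attacker.example'], $localDefaults, false],
    ['Origin takes precedence over a local Host', ['Host' => 'localhost:8080', 'Origin' => 'http://attacker.example'], $localDefaults, false],
    ['opaque "null" Origin has no host',         ['Host' => 'localhost', 'Origin' => 'null'],                         $localDefaults, false],
    ['userinfo before @ is not the host',        ['Host' => 'localhost@attacker.example'],                            $localDefaults, false],
    ['unbracketed ::1 in allowlist never matches', ['Host' => '[::1]'],                                               ['::1'],        false],
    ['tailored allowlist, mixed case and port',  ['Host' => 'MCP.Internal.Example:443'],                              $tailored,      true],
    ['tailored allowlist replaces the defaults', ['Host' => 'localhost'],                                             $tailored,      false],
];

$failures = 0;
foreach ($cases as [$label, $headers, $allowlist, $expected]) {
    $actual    = requestIsAllowed($headers, $allowlist);
    $failures += (int) ($actual !== $expected);
    printf("%-46s %s\n", $label, $actual ? 'allowed' : 'rejected (forbidden response)');
}

// Wiring the real middleware for the non-local deployment above: only the
// allowlist is passed, the PSR-17 factories are auto-discovered. Guarded so
// this file also runs without the library installed; substitute the
// fully-qualified class name of your installation (not given on this page).
if (class_exists('DnsRebindingProtectionMiddleware')) {
    $middleware = new DnsRebindingProtectionMiddleware($tailored);
}
exit($failures === 0 ? 0 : 1);
```

The "null" Origin and the localhost@attacker.example cases show why the decision has to be made on the parsed host rather than on a substring match against the raw header; the unbracketed ::1 case shows why the parameter description insists on bracketed IPv6 literals in $allowedHosts.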
process()
public
process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $handler : RequestHandlerInterface
Return values
ResponseInterface
createForbiddenResponse()
private
createForbiddenResponse(string $message) : ResponseInterface
Parameters
- $message : string
Return values
ResponseInterface
isAllowedHost()
private
isAllowedHost(string $host) : bool
Parameters
- $host : string
Return values
bool
isAllowedOrigin()
private
isAllowedOrigin(string $origin) : bool
Parameters
- $origin : string