Cat-1 · T284 · AI & Agentic Developer Tooling
v1.0

MCP Transport & DNS-Rebinding Security Auditor

A local MCP server bound to the wrong interface, or one that doesn't validate the Origin header, is one DNS-rebinding attack away from being driven by a malicious web page. This auditor checks your Streamable HTTP transport for the spec-mandated Origin/Host validation, loopback binding, and the token-passthrough prohibition — the vuln classes behind real CVEs in rmcp and mcp-toolbox.

⚠ Reference rules track the current MCP spec. This auditor reasons over your self-reported configuration — it does not probe a live server. Re-verify against modelcontextprotocol.io and your SDK’s advisories.
Tags: Streamable HTTP · DNS Rebinding · Zero PII · Client-Side · No Network
Scope & reliance — 🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only. Configuration/policy reasoning only — no live probe. Deterministic · zero PII · CC BY 4.0.
▸ Transport configuration
Enter your bind address and the Origins you accept, then answer the checklist. Defaults model a correctly-hardened local server.
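The three transport checks the auditor reasons about (loopback binding, Origin/Host validation, no token passthrough) as one added Python illustration; this is not the auditor's own code, and the `TransportConfig` fields, the header-dict shape and the `rebind.example` hostname are constructed for the example.

```python
# Added illustration of the transport checks described above; not the
# auditor's code. TransportConfig fields and the request shape are assumptions.
from dataclasses import dataclass, field

# Host-header values a loopback-bound local server should accept.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


@dataclass
class TransportConfig:
    bind_address: str = "127.0.0.1"
    # Browsers include a non-default port in Origin, so list each one you serve.
    allowed_origins: set = field(default_factory=lambda: {"http://localhost", "http://127.0.0.1"})
    passes_client_token_upstream: bool = False


def host_without_port(host: str) -> str:
    # Strip an optional :port, keeping IPv6 brackets: "[::1]:8080" -> "[::1]".
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def audit_config(cfg: TransportConfig) -> list[str]:
    """Static configuration findings, one string per weak setting."""
    findings = []
    if cfg.bind_address in ("0.0.0.0", "::", ""):
        findings.append("bound to all interfaces; a local server should bind 127.0.0.1")
    if "*" in cfg.allowed_origins:
        findings.append("wildcard Origin allowlist gives no DNS-rebinding protection")
    if cfg.passes_client_token_upstream:
        findings.append("token passthrough: client tokens must not be forwarded upstream")
    return findings


def check_request(cfg: TransportConfig, headers: dict) -> list[str]:
    """Per-request checks a hardened Streamable HTTP server applies before serving."""
    problems = []
    origin = headers.get("Origin")
    # Design choice here: a missing Origin means a non-browser client and is allowed;
    # a rebinding page cannot suppress the browser-set Origin, so a present value
    # must match the allowlist exactly.
    if origin is not None and origin not in cfg.allowed_origins:
        problems.append(f"Origin {origin!r} not in allowlist")
    host = headers.get("Host", "")
    # After rebinding, the browser still sends the attacker-controlled name in Host.
    if host_without_port(host) not in LOOPBACK_HOSTS:
        problems.append(f"Host {host!r} is not a loopback name")
    return problems
```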