- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security

This resolves issues #41 and #42 by making the HTTP server properly handle deployment behind reverse proxies and adds critical security validations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -8,7 +8,10 @@
|
||||
const http = require('http');
|
||||
const readline = require('readline');
|
||||
|
||||
const MCP_URL = process.env.MCP_URL || 'http://localhost:3000/mcp';
|
||||
// Use MCP_URL from environment or construct from HOST/PORT if available
|
||||
const defaultHost = process.env.HOST || 'localhost';
|
||||
const defaultPort = process.env.PORT || '3000';
|
||||
const MCP_URL = process.env.MCP_URL || `http://${defaultHost}:${defaultPort}/mcp`;
|
||||
const AUTH_TOKEN = process.env.AUTH_TOKEN || process.argv[2];
|
||||
|
||||
if (!AUTH_TOKEN) {
|
||||
|
||||
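Review bot: The new fallback for `MCP_URL` interpolates `HOST` and `PORT` into a hard-coded `http://` URL with no validation, so a bind-style value such as `0.0.0.0`, an unbracketed IPv6 literal, or a value containing `/` or `@` yields a target other than the one intended. `AUTH_TOKEN` is read on the following line and is presumably sent to that URL (the request code is outside this hunk, and only `http` is required in the visible lines), so a non-loopback `HOST` would carry the token in cleartext, which the old localhost-only default never did. I would parse the value once, `const target = new URL(MCP_URL);`, exit with an error unless `target.protocol` is `http:` or `https:`, and print a warning when it is `http:` and `target.hostname` is not a loopback name. The added comment could also say `// HOST/PORT are the address the bridge connects to, not a listen address such as 0.0.0.0`.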