safedep
diff --git a/‎cmd/server/mcp.go‎
Lines changed: 32 additions & 1 deletion b/‎cmd/server/mcp.go‎
Lines changed: 32 additions & 1 deletion
diff --git a/‎docs/mcp.md‎
Lines changed: 56 additions & 2 deletions b/‎docs/mcp.md‎
Lines changed: 56 additions & 2 deletions
diff --git a/‎go.mod‎
Lines changed: 0 additions & 1 deletion b/‎go.mod‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 0 additions & 12 deletions b/‎go.sum‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎mcp/server/guard.go‎
Lines changed: 56 additions & 0 deletions b/‎mcp/server/guard.go‎
Lines changed: 56 additions & 0 deletions
@@ -22,6 +22,8 @@ var (
 	registerVetSQLQueryTool     bool
 	vetSQLQueryToolDBPath       string
 	registerPackageRegistryTool bool
+	sseServerAllowedOrigins     []string
+	sseServerAllowedHosts       []string
 )
 
 func newMcpServerCommand() *cobra.Command {
@@ -42,6 +44,19 @@ func newMcpServerCommand() *cobra.Command {
 	cmd.Flags().StringVar(&mcpServerSseServerAddr, "sse-server-addr", "localhost:9988", "The address to listen for SSE connections")
 	cmd.Flags().StringVar(&mcpServerServerType, "server-type", "stdio", "The type of server to start (stdio, sse)")
 
+	cmd.Flags().StringSliceVar(
+		&sseServerAllowedOrigins,
+		"sse-allowed-origins",
+		nil,
+		"List of allowed origin prefixes for SSE connections. By default, we allow http://localhost:, http://127.0.0.1: and https://localhost:.",
+	)
+	cmd.Flags().StringSliceVar(
+		&sseServerAllowedHosts,
+		"sse-allowed-hosts",
+		nil,
+		"List of allowed hosts for SSE connections. By default, we allow localhost:9988, 127.0.0.1:9988 and [::1]:9988.",
+	)
+
 	// We allow skipping default tools to allow for custom tools to be registered when the server starts.
 	// This is useful for agents to avoid unnecessary tool registration.
 	cmd.Flags().BoolVar(&skipDefaultTools, "skip-default-tools", false, "Skip registering default tools")
@@ -75,7 +90,23 @@ func startMcpServer() error {
 	case "stdio":
 		mcpSrv, err = server.NewMcpServerWithStdioTransport(server.DefaultMcpServerConfig())
 	case "sse":
-		mcpSrv, err = server.NewMcpServerWithSseTransport(server.DefaultMcpServerConfig())
+		config := server.DefaultMcpServerConfig()
+
+		// Override with user supplied config
+		config.SseServerAddr = mcpServerSseServerAddr
+
+		// override origins and hosts defaults only if user explicitly set them.
+		// When explicitly passed as cmd line args, cobra parses
+		// --sse-allowed-hosts='' as empty slice. Otherwise if not provided,
+		// sse-allowed-hosts will be nil.
+		if sseServerAllowedOrigins != nil {
+			config.SseServerAllowedOriginsPrefix = sseServerAllowedOrigins
+		}
+		if sseServerAllowedHosts != nil {
+			config.SseServerAllowedHosts = sseServerAllowedHosts
+		}
+
+		mcpSrv, err = server.NewMcpServerWithSseTransport(config)
 	default:
 		return fmt.Errorf("invalid server type: %s", mcpServerServerType)
 	}
 
@@ -42,6 +42,61 @@ The SSE (Server-Sent Events) transport supports:
 
 The SSE endpoint returns appropriate headers for HEAD requests without a body, allowing tools to verify endpoint availability and capabilities.
 
+### Security: Host and Origin Guards
+
+For SSE, the server enforces simple, user-configurable guards to reduce the risk
+of unauthorized cross-origin access and DNS rebinding attacks.
+
+- **Host guard**: Only allows connections whose `Host` header matches an allowed
+  host list.
+- **Origin guard**: For browser requests, only allows requests whose `Origin`
+  starts with an allowed prefix.
+
+These checks are on by default with sensible localhost defaults, and you can
+customize them with flags when starting the server.
+
+#### Defaults
+
+- **Allowed hosts**: `localhost:9988`, `127.0.0.1:9988`, `[::1]:9988`
+- **Allowed origin prefixes**: `http://localhost:`, `http://127.0.0.1:`, `https://localhost:`
+
+Requests that fail the host check are rejected with status `403`, and requests
+that fail the origin check are rejected with status `403`.
+
+#### Customize allowed hosts and origins
+
+You can override the defaults using the following flags:
+
+```bash
+vet server mcp \
+  --server-type sse \
+  --sse-allowed-hosts "localhost:8080,127.0.0.1:8080" \
+  --sse-allowed-origins "http://localhost:,https://localhost:"
+```
+
+If you are running behind a proxy or using a different port, set both lists to
+match your environment. For example, when exposing SSE on port 3001:
+
+```bash
+vet server mcp \
+  --server-type sse \
+  --sse-allowed-hosts "localhost:3001,127.0.0.1:3001" \
+  --sse-allowed-origins "http://localhost:,http://127.0.0.1:,https://localhost:"
+```
+
+With Docker, append the same flags to the container command:
+
+```bash
+docker run --rm -i ghcr.io/safedep/vet:latest \
+  server mcp \
+  --server-type sse \
+  --sse-allowed-hosts "localhost:9988,127.0.0.1:9988" \
+  --sse-allowed-origins "http://localhost:,http://127.0.0.1:,https://localhost:"
+```
+
+Tip: Non-browser clients may omit the `Origin` header. Those requests are
+allowed as long as the host guard passes.
+
 ## Configure MCP Client
 
 > **Note:** The example below uses pre-build docker image. You can build your own by running
@@ -146,7 +201,7 @@ Add `vet-mcp` server to `.vscode/mcp.json` (project specific configuration)
 }
 ```
 
-In order to use `vet-mcp` for all projects in Visual Studio Code, add following `mcp` setting in [Visual Studio Code User Settings](https://code.visualstudio.com/docs/copilot/chat/mcp-servers#_add-an-mcp-server-to-your-user-settings) (`settings.json`) 
+In order to use `vet-mcp` for all projects in Visual Studio Code, add following `mcp` setting in [Visual Studio Code User Settings](https://code.visualstudio.com/docs/copilot/chat/mcp-servers#_add-an-mcp-server-to-your-user-settings) (`settings.json`)
 
 ```json
 {
@@ -170,7 +225,6 @@ In order to use `vet-mcp` for all projects in Visual Studio Code, add following
 }
 ```
 
-
 Add the following to `.github/copilot-instructions.md` file:
 
 ```
 
@@ -69,7 +69,6 @@ require (
 	4d63.com/gochecknoglobals v0.2.2 // indirect
 	ariga.io/atlas v0.34.0 // indirect
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.8-20240508200655-46a4cf4ba109.1 // indirect
-	buf.build/gen/go/safedep/api/connectrpc/go v1.18.1-20250822112533-a008e1948f1d.1 // indirect
 	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go v0.121.2 // indirect
 	cloud.google.com/go/auth v0.16.1 // indirect
 
@@ -4,20 +4,10 @@
 4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0=
 ariga.io/atlas v0.34.0 h1:4hdy+2x+xNs6Lx2anuJ/4Q7lCaqddbEj5CtRDVOBu0M=
 ariga.io/atlas v0.34.0/go.mod h1:WJesu2UCpGQvgUh3oVP94EiRT61nNy1W/VN5g+vqP1I=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 h1:YhMSc48s25kr7kv31Z8vf7sPUIq5YJva9z1mn/hAt0M=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.8-20240508200655-46a4cf4ba109.1 h1:7JbSS7TE2PJR4d/qRtynipwLl/CBFoTB69pX7xlhcJM=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.8-20240508200655-46a4cf4ba109.1/go.mod h1:8EQ5GzyGJQ5tEIwMSxCl8RKJYsjCpAwkdcENoioXT6g=
-buf.build/gen/go/safedep/api/connectrpc/go v1.18.1-20250822112533-a008e1948f1d.1 h1:l2Fuy7PMz0wR8sQVQlhMnm6fxr6ZLdWeAR7NzZ5w2jI=
-buf.build/gen/go/safedep/api/connectrpc/go v1.18.1-20250822112533-a008e1948f1d.1/go.mod h1:W2eqH9M5zldL2cDL9xqE/HsWe2FoWw+Bwzaul95RQko=
-buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250610075857-7cfdb61a0bfa.2 h1:ENbt9SmU2gh4YhjcFqzceJRlg80hsD28M+Oon9l752A=
-buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250610075857-7cfdb61a0bfa.2/go.mod h1:WDOWZglnweQ4njVEJpLYYpLMx9fD+e94KbKdt8oJrxY=
 buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250819072717-b69aa2c62a0d.2 h1:A4enKVmVf69uVSG88POR59z5YE6dhATNLpL8+DmZtsg=
 buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250819072717-b69aa2c62a0d.2/go.mod h1:Raps9oq+lWS0tdif5yUy8MS6UGc2pr6NMSrv3Jz4avM=
-buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.6-20250705071048-7ad8e6be7c05.1 h1:4sM5O5dx0yUucJ1trjZ8Cm9IGX2loEc4cUyh3Xy+5eU=
-buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.6-20250705071048-7ad8e6be7c05.1/go.mod h1:uR95GqsnNCRn6cTyRBte6uMJMm0rEBRxTGpakKCNL9I=
-buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250819072717-b69aa2c62a0d.1 h1:fRdyfm5aiolcZmJuWPzbbI4cSYJlssvBZXi/BQUfMWc=
-buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250819072717-b69aa2c62a0d.1/go.mod h1:Q5oZou54kSUyZHl4RSPY93qr3b1ssj3ZvdBAhRAdlJA=
 buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250822112533-a008e1948f1d.1 h1:XqV9omaTxxXaI9VvS87PX4Uw6h927UycRR7SfwENSHU=
 buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250822112533-a008e1948f1d.1/go.mod h1:Q5oZou54kSUyZHl4RSPY93qr3b1ssj3ZvdBAhRAdlJA=
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
@@ -2066,8 +2056,6 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 
@@ -0,0 +1,56 @@
+package server
+
+import (
+	"net/http"
+	"slices"
+	"strings"
+)
+
+// hostGuard is a middleware that allows only the allowed hosts to access the
+// MCP server. nil config.SseServerAllowedHosts will use the default allowed hosts. Empty
+// config.SseServerAllowedHosts will block all hosts.
+func hostGuard(config McpServerConfig, next http.Handler) http.Handler {
+	allowedHosts := config.SseServerAllowedHosts
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// contains is faster than a map lookup for small lists
+		if !slices.Contains(allowedHosts, r.Host) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// originGuard is a middleware that allows only the allowed origins to access
+// the MCP server. If allowedOriginsPrefix is nil or empty, all origins will be blocked.
+func originGuard(config McpServerConfig, next http.Handler) http.Handler {
+	allowedOriginsPrefix := config.SseServerAllowedOriginsPrefix
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		o := r.Header.Get("Origin")
+		if o == "" {
+			// Non-browser/same-origin fetches may omit Origin. Don't block
+			// solely on this.
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		if !isAllowedOrigin(o, allowedOriginsPrefix) {
+			http.Error(w, "forbidden origin", http.StatusForbidden)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+// isAllowedOrigin checks if the origin is in the allowed origins prefix list.
+func isAllowedOrigin(origin string, allowedOriginsPrefix []string) bool {
+	for _, allowedOriginPrefix := range allowedOriginsPrefix {
+		if strings.HasPrefix(origin, allowedOriginPrefix) {
+			return true
+		}
+	}
+	return false
+}