ExMCP.Plugs.DnsRebinding (ex_mcp v0.9.0)

Plug for DNS rebinding protection.

Validates that the Host header is a localhost address, rejecting requests from non-localhost origins. This prevents DNS rebinding attacks, in which a malicious website re-resolves its own domain name to a localhost address so that scripts running in the victim's browser can reach local MCP servers.

Usage

plug ExMCP.Plugs.DnsRebinding

Or with custom allowed hosts:

plug ExMCP.Plugs.DnsRebinding, allowed_hosts: ["localhost", "myhost.local"]
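The Host header check described above, as an added sketch that is not ExMCP's own code: the module name `HostCheckExample`, its functions, and the default list of localhost names are assumptions made for illustration. It shows why the comparison must be an exact match on the parsed hostname rather than a substring or prefix test.

```elixir
# Added illustration; not the implementation of ExMCP.Plugs.DnsRebinding.
defmodule HostCheckExample do
  # Assumed default set of localhost names (the page does not list them).
  @default_allowed ["localhost", "127.0.0.1", "::1"]

  # Extracts the hostname from a raw Host header value: lowercases it,
  # drops an optional port, and unwraps a bracketed IPv6 literal.
  # Returns nil when the value is not a plain host[:port].
  def hostname(header) when is_binary(header) do
    header = header |> String.trim() |> String.downcase()

    case Regex.run(~r/^\[([0-9a-f:.]+)\](?::\d+)?$/, header) do
      [_, v6] ->
        v6

      nil ->
        case Regex.run(~r/^([^:\/\s@]+)(?::\d+)?$/, header) do
          [_, name] -> name
          nil -> nil
        end
    end
  end

  # True only when the parsed hostname exactly equals an allowed entry.
  def allowed?(header, allowed \\ @default_allowed)
  def allowed?(nil, _allowed), do: false

  def allowed?(header, allowed) do
    case hostname(header) do
      nil -> false
      host -> host in Enum.map(allowed, &String.downcase/1)
    end
  end
end

# Constructed Host header values. During a rebinding attempt the TCP
# connection lands on 127.0.0.1, but the browser still sends the
# attacker-controlled name in Host, which is what the check keys on.
samples = [
  "localhost:4000", "127.0.0.1", "[::1]:4000", "LOCALHOST",
  "rebind.attacker.example:4000", "localhost.attacker.example",
  "127.0.0.1.attacker.example", "user@localhost", nil
]

for h <- samples do
  IO.puts("#{inspect(h)} -> #{if HostCheckExample.allowed?(h), do: "allow", else: "reject"}")
end
```

Passing a second argument such as `["localhost", "myhost.local"]` mirrors the `allowed_hosts` option shown above.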