Use HTTP 421 for invalid Host headers in DNS rebinding protection

ddworken · ddworken · commit 64ddbe21f74e · 2025-06-13T14:37:52.000-07:00
diff --git a/src/mcp/server/transport_security.py b/src/mcp/server/transport_security.py
@@ -117,7 +117,7 @@ async def validate_request(self, request: Request, is_post: bool = False) -> Res
         # Validate Host header
         host = request.headers.get("host")
         if not self._validate_host(host):
-            return Response("Invalid Host header", status_code=400)
+            return Response("Invalid Host header", status_code=421)
 
         # Validate Origin header
         origin = request.headers.get("origin")
diff --git a/tests/server/test_sse_security.py b/tests/server/test_sse_security.py
@@ -104,7 +104,7 @@ async def test_sse_security_invalid_host_header(server_port: int):
 
         async with httpx.AsyncClient() as client:
             response = await client.get(f"http://127.0.0.1:{server_port}/sse", headers=headers)
-            assert response.status_code == 400
+            assert response.status_code == 421
             assert response.text == "Invalid Host header"
 
     finally:
@@ -214,7 +214,7 @@ async def test_sse_security_custom_allowed_hosts(server_port: int):
 
         async with httpx.AsyncClient() as client:
             response = await client.get(f"http://127.0.0.1:{server_port}/sse", headers=headers)
-            assert response.status_code == 400
+            assert response.status_code == 421
             assert response.text == "Invalid Host header"
 
     finally:
diff --git a/tests/server/test_streamable_http_security.py b/tests/server/test_streamable_http_security.py
@@ -127,7 +127,7 @@ async def test_streamable_http_security_invalid_host_header(server_port: int):
                 json={"jsonrpc": "2.0", "method": "initialize", "id": 1, "params": {}},
                 headers=headers,
             )
-            assert response.status_code == 400
+            assert response.status_code == 421
             assert response.text == "Invalid Host header"
 
     finally:
@@ -270,7 +270,7 @@ async def test_streamable_http_security_get_request(server_port: int):
 
         async with httpx.AsyncClient(timeout=5.0) as client:
             response = await client.get(f"http://127.0.0.1:{server_port}/", headers=headers)
-            assert response.status_code == 400
+            assert response.status_code == 421
             assert response.text == "Invalid Host header"
 
         # Test GET request with valid host header
