Fix: Disable DNS rebinding protection by default to prevent 421 errors with remote access

- Add TransportSecuritySettings to all MCP servers
- Disable protection by default (works with Tailscale/dynamic IPs)
- Optional env vars to enable with custom allowed hosts

mcp/gameservers.py

@@ -1,11 +1,27 @@
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 import os
 import json
 from pathlib import Path
 from typing import Optional
 import subprocess
 
-mcp = FastMCP("gameservers")
+# Configure transport security to avoid 421 errors (DNS rebinding protection)
+enable_protection = os.getenv("MCP_ENABLE_DNS_PROTECTION", "false").lower() == "true"
+if enable_protection:
+    allowed_hosts = os.getenv("MCP_ALLOWED_HOSTS", "localhost:*,127.0.0.1:*,0.0.0.0:*").split(",")
+    allowed_origins = os.getenv("MCP_ALLOWED_ORIGINS", "http://localhost:*,http://127.0.0.1:*,http://0.0.0.0:*").split(",")
+    transport_security = TransportSecuritySettings(
+        enable_dns_rebinding_protection=True,
+        allowed_hosts=allowed_hosts,
+        allowed_origins=allowed_origins,
+    )
+else:
+    transport_security = TransportSecuritySettings(
+        enable_dns_rebinding_protection=False,
+    )
+
+mcp = FastMCP("gameservers", transport_security=transport_security)
 
 GAME_SERVERS_DIR = Path(os.getenv("GAME_SERVERS_DIR", "/opt/game-servers"))
 

mcp/homelab.py

@@ -1,11 +1,27 @@
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 import docker
 import psutil
 import subprocess
 import os
 from typing import Optional
 
-mcp = FastMCP("homelab")
+# Configure transport security to avoid 421 errors (DNS rebinding protection)
+enable_protection = os.getenv("MCP_ENABLE_DNS_PROTECTION", "false").lower() == "true"
+if enable_protection:
+    allowed_hosts = os.getenv("MCP_ALLOWED_HOSTS", "localhost:*,127.0.0.1:*,0.0.0.0:*").split(",")
+    allowed_origins = os.getenv("MCP_ALLOWED_ORIGINS", "http://localhost:*,http://127.0.0.1:*,http://0.0.0.0:*").split(",")
+    transport_security = TransportSecuritySettings(
+        enable_dns_rebinding_protection=True,
+        allowed_hosts=allowed_hosts,
+        allowed_origins=allowed_origins,
+    )
+else:
+    transport_security = TransportSecuritySettings(
+        enable_dns_rebinding_protection=False,
+    )
+
+mcp = FastMCP("homelab", transport_security=transport_security)
 
 DOCKER_CLIENT = docker.from_env()
 

mcp/skills.py

@@ -1,4 +1,5 @@
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 import httpx
 import os
 import uvicorn
@@ -19,7 +20,23 @@ Project conventions are scoped to a project identifier (recommended: git remote
 
 Always pass the same project identifier consistently across sessions."""
 
-mcp = FastMCP("skills", instructions=MCP_INSTRUCTIONS)
+# Configure transport security to avoid 421 errors (DNS rebinding protection)
+# Set MCP_ENABLE_DNS_PROTECTION=true to enable with custom hosts
+enable_protection = os.getenv("MCP_ENABLE_DNS_PROTECTION", "false").lower() == "true"
+if enable_protection:
+    allowed_hosts = os.getenv("MCP_ALLOWED_HOSTS", "localhost:*,127.0.0.1:*,0.0.0.0:*").split(",")
+    allowed_origins = os.getenv("MCP_ALLOWED_ORIGINS", "http://localhost:*,http://127.0.0.1:*,http://0.0.0.0:*").split(",")
+    transport_security = TransportSecuritySettings(
+        enable_dns_rebinding_protection=True,
+        allowed_hosts=allowed_hosts,
+        allowed_origins=allowed_origins,
+    )
+else:
+    transport_security = TransportSecuritySettings(
+        enable_dns_rebinding_protection=False,
+    )
+
+mcp = FastMCP("skills", instructions=MCP_INSTRUCTIONS, transport_security=transport_security)
 
 SKILLS_API_URL = os.getenv("SKILLS_API_URL", "http://helm:8675")