Skip to main content
SecurityConfig locks down an MCP SSE server with localhost-only binding, bearer-token authentication, and Origin validation.

Quick Start

1

Bind to localhost only

SecurityConfig defaults to bind_localhost_only=True. Pass its recommended bind address to run_sse.
2

Require a bearer token

Set require_auth=True and provide the token via MCP_SSE_AUTH_TOKEN. Requests without a matching Authorization: Bearer … header get a 401.

How It Works

run_sse wraps the Starlette app with security middleware when a SecurityConfig requires auth or origin validation.
StepBehavior
Bind addressget_bind_address() returns 127.0.0.1 when bind_localhost_only=True, else 0.0.0.0
Token checkWhen require_auth=True, a Bearer token matching MCP_SSE_AUTH_TOKEN (or MCP_AUTH_TOKEN) is required, else 401
Origin checkWhen validate_origin=True, the Origin header must be in allowed_origins, else 403
No configWhen security=None, run_sse reads MCP_SSE_* env vars; middleware is skipped if neither auth nor origin validation is active

Configuration Options

Extracted from SecurityConfig in praisonaiagents/mcp/mcp_security.py.
OptionTypeDefaultDescription
validate_originboolTrueValidate the Origin header on each request
allow_missing_originboolFalseAllow requests with no Origin header
allowed_originsList[str]["localhost", "127.0.0.1"]Hosts permitted in the Origin header
require_authboolFalseRequire a bearer token on every request
bind_localhost_onlyboolTrueRecommend binding to 127.0.0.1 via get_bind_address()
Token and origin overrides can also come from the environment:
VariablePurpose
MCP_SSE_AUTH_TOKEN / MCP_AUTH_TOKENExpected bearer token when require_auth=True
MCP_SSE_ALLOWED_ORIGINSComma-separated allowed origins

Common Patterns

Choose a hardening level based on where the server runs. Localhost-only, no token — trusted single-machine use:
Token plus restricted origins — a shared or networked server:

Best Practices

Leave bind_localhost_only=True (the default) for any server that only serves the local machine — it keeps 127.0.0.1 off the network.
Set require_auth=True and provide MCP_SSE_AUTH_TOKEN whenever the server is reachable beyond localhost.
Narrow allowed_origins to the exact hosts that should call the server instead of leaving the defaults when exposing it more widely.
Read the token from MCP_SSE_AUTH_TOKEN rather than hard-coding it, so secrets stay out of source.

MCP

Connect agents to MCP tool servers

Permission Modes

Control how agents handle tool approval