MCP Server Framework - v1.0.0

    Interface HttpTransportOptions

    HTTP transport — multi-client mode without TLS.

    Use behind a reverse proxy that handles TLS termination, or for local development.

    interface HttpTransportOptions {
        corsCredentials?: boolean;
        corsOrigin?: string[];
        enableJsonResponse?: boolean;
        eventStore?: EventStore;
        helmetCsp?: string;
        helmetFrameOptions?: "DENY" | "SAMEORIGIN" | "false";
        helmetHsts?: boolean;
        host?: string;
        legacySseEnabled?: boolean;
        mode: "http";
        port?: number;
        rateLimitMax?: number;
        rateLimitWindowMs?: number;
        stateless?: boolean;
        trustProxy?: string;
    }



    Properties

    corsCredentials?: boolean

    Allow credentials in CORS requests (cookies, auth headers).

    Only effective when corsOrigin is set. Cannot be used with corsOrigin: ['*'].

    Can also be configured via MCP_CORS_CREDENTIALS env var.

    Default: false
    
    corsOrigin?: string[]

    CORS allowed origins.

    When set, CORS middleware is mounted globally and allows requests from the listed origins. When omitted, CORS is disabled.

    Use ['*'] to allow all origins (not recommended for production).

    Can also be configured via MCP_CORS_ORIGIN env var (comma-separated) or [security] cors_origin in the config file.

    Example: ['https://app.example.com', 'https://admin.example.com']
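    The following is an added illustration, not the framework's own CORS middleware, of how a corsOrigin list and corsCredentials play out for a single request according to the rules stated above: no corsOrigin means no CORS headers at all, ['*'] answers every origin but never with credentials, and an explicit list echoes back only an exactly matching origin. The function name decideCors and the header set are assumptions made for the example.

```typescript
// Added example: models the documented corsOrigin / corsCredentials behaviour
// per request. Not the framework's middleware; names are assumptions.

interface CorsDecision { allowed: boolean; headers: Record<string, string> }

function decideCors(
  requestOrigin: string | undefined,
  corsOrigin?: string[],
  corsCredentials = false,
): CorsDecision {
  const none: CorsDecision = { allowed: false, headers: {} };

  // corsOrigin omitted: CORS is disabled, so no CORS headers are emitted at all.
  if (!corsOrigin) return none;
  // No Origin header: not a cross-origin browser request, nothing to decide.
  if (requestOrigin === undefined) return none;

  if (corsOrigin.includes("*")) {
    // Wildcard answers every origin. Browsers reject "*" combined with
    // Access-Control-Allow-Credentials: true, which is why corsCredentials
    // cannot be paired with ['*'].
    return { allowed: true, headers: { "Access-Control-Allow-Origin": "*" } };
  }

  // Explicit list: exact, case-sensitive match of the full origin
  // (scheme + host + port); a different port is a different origin.
  if (!corsOrigin.includes(requestOrigin)) return none;

  const headers: Record<string, string> = {
    "Access-Control-Allow-Origin": requestOrigin, // echo only a listed origin
    Vary: "Origin",                               // stop caches reusing the answer across origins
  };
  if (corsCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { allowed: true, headers };
}

// Constructed sample: a listed origin asking with credentials enabled.
const sample = decideCors(
  "https://app.example.com",
  ["https://app.example.com", "https://admin.example.com"],
  true,
);
console.log(sample.allowed, sample.headers);
```

Run it with any TypeScript runner; the constructed call at the bottom prints the allowed decision and the three response headers the listed origin would receive.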
    
    enableJsonResponse?: boolean

    Prefer JSON responses over SSE streams for simple request-response.

    When enabled, the SDK returns application/json for non-streaming responses (e.g. tools/list, resources/list) instead of wrapping them in a text/event-stream SSE envelope.

    The MCP specification recommends: "If the server is only sending one response with no notifications, it SHOULD prefer application/json."

    Streaming responses (progress, notifications) always use SSE regardless.

    Can also be configured via MCP_JSON_RESPONSE env var or config file.

    Default: true (spec-compliant JSON responses)
    
    eventStore?: EventStore

    Event store for stream resumability.

    When provided, the SDK transport stores events and supports client reconnection via the Last-Event-ID header. Only meaningful in stateful mode — stateless requests have no persistent streams.

    The SDK provides InMemoryEventStore as a reference implementation. For production horizontal scaling, implement the EventStore interface with Redis, PostgreSQL, or another shared backend.

    import { InMemoryEventStore } from '@modelcontextprotocol/sdk/examples/shared/inMemoryEventStore.js';

    createServer({
        name: 'my-server',
        version: '1.0.0',
        transport: { mode: 'http', eventStore: new InMemoryEventStore() },
    });

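    As an added example (not the SDK's InMemoryEventStore and not part of this framework), here is a small bounded in-memory EventStore showing what stream resumability via Last-Event-ID requires: event IDs that identify their stream, replay scoped to that stream only, and a cap on retained events per stream so a client that never reconnects cannot hold memory forever. The EventStore interface below is this example's own copy of the shape it assumes the SDK exposes; check it against the installed SDK version before implementing it for real.

```typescript
// Added example: a bounded in-memory EventStore for resumability.
// The interface mirrors the assumed SDK shape; verify against your SDK version.

type JSONRPCMessage = { jsonrpc: "2.0"; [key: string]: unknown };

interface EventStore {
  // Persist a message for a stream and return the event id sent to the client.
  storeEvent(streamId: string, message: JSONRPCMessage): Promise<string>;
  // Re-send everything after lastEventId; resolve to the stream id,
  // or "" when the stream cannot be resumed.
  replayEventsAfter(
    lastEventId: string,
    opts: { send: (eventId: string, message: JSONRPCMessage) => Promise<void> },
  ): Promise<string>;
}

interface StoredEvent { id: string; message: JSONRPCMessage }

class BoundedEventStore implements EventStore {
  private readonly streams = new Map<string, { seq: number; events: StoredEvent[] }>();

  // maxEventsPerStream caps memory held on behalf of a client that never reconnects.
  constructor(private readonly maxEventsPerStream = 1000) {}

  // Synchronous core so behaviour can be checked without awaiting.
  append(streamId: string, message: JSONRPCMessage): string {
    let stream = this.streams.get(streamId);
    if (!stream) {
      stream = { seq: 0, events: [] };
      this.streams.set(streamId, stream);
    }
    stream.seq += 1;
    // The event id embeds the stream id so replay can locate the right stream;
    // the stream id itself is issued by the transport and is the only handle a
    // client holds, so replay never crosses into another client's stream.
    const id = `${streamId}_${stream.seq}`;
    stream.events.push({ id, message });
    if (stream.events.length > this.maxEventsPerStream) stream.events.shift();
    return id;
  }

  // Events strictly after lastEventId, scoped to that event's own stream.
  // Unknown, malformed or already-evicted ids yield no events and an empty
  // stream id: better to refuse resumption than replay a window with a gap.
  eventsAfter(lastEventId: string): { streamId: string; events: StoredEvent[] } {
    const sep = lastEventId.lastIndexOf("_");
    if (sep <= 0) return { streamId: "", events: [] };
    const streamId = lastEventId.slice(0, sep);
    const stream = this.streams.get(streamId);
    if (!stream) return { streamId: "", events: [] };
    const idx = stream.events.findIndex((e) => e.id === lastEventId);
    if (idx < 0) return { streamId: "", events: [] };
    return { streamId, events: stream.events.slice(idx + 1) };
  }

  async storeEvent(streamId: string, message: JSONRPCMessage): Promise<string> {
    return this.append(streamId, message);
  }

  async replayEventsAfter(
    lastEventId: string,
    { send }: { send: (eventId: string, message: JSONRPCMessage) => Promise<void> },
  ): Promise<string> {
    const { streamId, events } = this.eventsAfter(lastEventId);
    for (const e of events) await send(e.id, e.message); // sequential, order preserved
    return streamId;
  }
}

// Constructed usage: retain at most two events per stream, then resume.
const demo = new BoundedEventStore(2);
demo.append("stream-a", { jsonrpc: "2.0", id: 1, result: {} });
const last = demo.append("stream-a", { jsonrpc: "2.0", method: "notifications/progress" });
demo.append("stream-a", { jsonrpc: "2.0", id: 2, result: {} });
console.log(demo.eventsAfter(last)); // one event (the third), streamId "stream-a"
```

Wire it in the same way as the SDK example, for instance transport: { mode: 'http', eventStore: new BoundedEventStore(500) }. A shared backend (Redis, PostgreSQL) replaces the Map but should keep the two properties shown here: replay limited to the stream the id belongs to, and a bounded retention window.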
    helmetCsp?: string

    Content Security Policy configuration.

    • Omit: Helmet default CSP applies
    • 'false': Disable CSP entirely
    • Custom string: CSP directives (e.g. "default-src 'self'; script-src 'none'")

    Can also be configured via MCP_HELMET_CSP env var.

    helmetFrameOptions?: "DENY" | "SAMEORIGIN" | "false"

    X-Frame-Options header value.

    • 'DENY' — Never allow framing (most secure)
    • 'SAMEORIGIN' — Allow from same origin
    • 'false' — Disable X-Frame-Options header

    Can also be configured via MCP_HELMET_FRAME_OPTIONS env var.

    Default: 'DENY'
    
    helmetHsts?: boolean

    Enable HTTP Strict Transport Security (HSTS) header.

    When true, Helmet sets Strict-Transport-Security with max-age=15552000 (180 days) and includeSubDomains. Only enable when serving over HTTPS.

    Can also be configured via MCP_HELMET_HSTS env var.

    Default: false
    
    host?: string

    Host to bind to (default: '127.0.0.1' or MCP_BIND_HOST env)

    legacySseEnabled?: boolean

    Enable legacy SSE transport for backwards compatibility

    mode: "http"

    port?: number

    Port to listen on (default: 8000 or MCP_PORT env)

    rateLimitMax?: number

    Rate limiting: max requests per window

    rateLimitWindowMs?: number

    Rate limiting: window duration in ms

    stateless?: boolean

    Operate in stateless mode (no session IDs).

    When enabled, each request gets a fresh McpSession and SDK transport. No Mcp-Session-Id headers are set. Per MCP specification, stateless servers do not track individual client sessions.

    In stateless mode, GET and DELETE return 405 Method Not Allowed.

    Use cases:

    • Simple tool servers that don't need per-client state
    • Serverless/edge deployments where session persistence is impractical
    • Horizontal scaling behind round-robin load balancers

    Default: false
    
    trustProxy?: string

    Trust proxy setting for Express.

    Required when running behind a reverse proxy (nginx, Traefik, cloud LB) to correctly resolve client IPs, protocol, and host from proxy headers (X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host).

    Values:

    • Hop count ('1', '2') — Trust N hops from the front-facing proxy
    • Express keyword ('loopback', 'linklocal', 'uniquelocal')
    • IP/CIDR ('10.0.0.1', '10.0.0.0/8')
    • DNS hostname ('proxy.example.com') — resolved at startup
    • Comma-separated list ('loopback, 10.0.0.1')

    Can also be configured via MCP_TRUST_PROXY env var or config file. Omit to disable trust proxy.
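    The cross-option constraints scattered through the property descriptions above (corsCredentials never with ['*'] and only useful with corsOrigin, helmetHsts only over HTTPS, trustProxy required behind a reverse proxy, eventStore only meaningful in stateful mode) are easy to get wrong when options come from several environment variables. The following added example, which is not part of the framework, collects them into a preflight check to run before calling createServer(). The interface is a local copy of HttpTransportOptions from this page with EventStore reduced to an opaque type so the block runs stand-alone; the preflightHttpTransport function, the Deployment descriptor and the two sample profiles are assumptions made for the example.

```typescript
// Added example: preflight check of HttpTransportOptions against the
// constraints documented on this page. Not part of the framework.

type EventStore = object; // opaque stand-in for the SDK's EventStore

interface HttpTransportOptions {
  corsCredentials?: boolean;
  corsOrigin?: string[];
  enableJsonResponse?: boolean;
  eventStore?: EventStore;
  helmetCsp?: string;
  helmetFrameOptions?: "DENY" | "SAMEORIGIN" | "false";
  helmetHsts?: boolean;
  host?: string;
  legacySseEnabled?: boolean;
  mode: "http";
  port?: number;
  rateLimitMax?: number;
  rateLimitWindowMs?: number;
  stateless?: boolean;
  trustProxy?: string;
}

// What the operator knows about the surroundings (assumed descriptor).
interface Deployment {
  behindTlsProxy: boolean; // a reverse proxy in front of this server terminates TLS
}

interface PreflightResult { errors: string[]; warnings: string[] }

function preflightHttpTransport(o: HttpTransportOptions, d: Deployment): PreflightResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  const wildcard = o.corsOrigin?.includes("*") ?? false;

  // CORS: credentials need an explicit origin list, never the wildcard.
  if (o.corsCredentials && !o.corsOrigin) warnings.push("corsCredentials has no effect without corsOrigin");
  if (o.corsCredentials && wildcard) errors.push("corsCredentials cannot be combined with corsOrigin ['*']");
  if (wildcard) warnings.push("corsOrigin ['*'] allows every origin; not recommended for production");

  // HSTS only makes sense when clients reach the service over HTTPS, which for
  // this TLS-less transport means a TLS-terminating proxy in front of it.
  if (o.helmetHsts && !d.behindTlsProxy) errors.push("helmetHsts requires HTTPS in front of this transport");

  // Behind a reverse proxy, trustProxy is needed to resolve client IP and protocol.
  if (d.behindTlsProxy && !o.trustProxy) errors.push("trustProxy is required behind a reverse proxy");

  // Resumability needs persistent streams, which stateless mode does not have.
  if (o.stateless && o.eventStore) warnings.push("eventStore is ignored in stateless mode");

  // Weakened browser-side protections are legal settings but worth flagging.
  if (o.helmetFrameOptions === "false") warnings.push("X-Frame-Options disabled");
  if (o.helmetCsp === "false") warnings.push("Content Security Policy disabled");

  return { errors, warnings };
}

// Constructed profiles (sample values, not framework defaults).
const localDev: HttpTransportOptions = { mode: "http" }; // 127.0.0.1:8000, no CORS, no HSTS

const behindProxy: HttpTransportOptions = {
  mode: "http",
  host: "0.0.0.0",   // reachable by the proxy container; constructed value
  port: 8000,
  trustProxy: "1",   // exactly one hop: the TLS-terminating proxy
  helmetHsts: true,
  corsOrigin: ["https://app.example.com"],
  corsCredentials: true,
  rateLimitMax: 100,
  rateLimitWindowMs: 60_000,
};

console.log(preflightHttpTransport(localDev, { behindTlsProxy: false }));
console.log(preflightHttpTransport(behindProxy, { behindTlsProxy: true }));
```

Both profiles pass cleanly; a configuration combining corsOrigin ['*'] with corsCredentials, or helmetHsts with no TLS in front, comes back with errors. On the trustProxy value itself: the hop count should equal the number of proxies actually in the path. Trusting more hops than exist means the client-supplied part of X-Forwarded-For is believed, and anything keyed on client IP (rateLimitMax buckets included) can then be steered by the caller; trusting too few means every client appears to come from the proxy and shares one bucket.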