MCP Server Framework - v1.1.2
    Preparing search index...

    Interface HttpsTransportOptions

    HTTPS transport — multi-client mode with TLS.

    Requires TLS certificate configuration. Use for direct TLS termination without a reverse proxy.

    interface HttpsTransportOptions {
        corsCredentials?: boolean;
        corsOrigin?: string[];
        enableJsonResponse?: boolean;
        eventStore?: EventStore;
        helmetCsp?: string;
        helmetFrameOptions?: "DENY" | "SAMEORIGIN";
        helmetHsts?: boolean;
        host?: string;
        legacySseEnabled?: boolean;
        mode: "https";
        port?: number;
        rateLimitMax?: number;
        rateLimitWindowMs?: number;
        stateless?: boolean;
        tls: TlsConfig;
        trustProxy?: string;
    }

    Hierarchy (View Summary)

    Index

    Properties

    corsCredentials?: boolean

    Allow credentials in CORS requests (cookies, auth headers).

    Only effective when corsOrigin is set. Cannot be used with corsOrigin: ['*'].

    Can also be configured via MCP_CORS_CREDENTIALS env var.

    false
    
    corsOrigin?: string[]

    CORS allowed origins.

    When set, CORS middleware is mounted globally and allows requests from the listed origins. When omitted, CORS is disabled.

    Use ['*'] to allow all origins (not recommended for production).

    Can also be configured via MCP_CORS_ORIGIN env var (comma-separated) or [security] cors_origin in the config file.

    ['https://app.example.com', 'https://admin.example.com']
    
    enableJsonResponse?: boolean

    Prefer JSON responses over SSE streams for simple request-response.

    When enabled, the SDK returns application/json for non-streaming responses (e.g. tools/list, resources/list) instead of wrapping them in a text/event-stream SSE envelope.

    Warning: JSON mode silently drops all in-flight notifications (progress, logging) because the SDK response stream has no SSE controller. Only the final tool result reaches the client. Enable only if your server never sends progress or log notifications.

    Can also be configured via MCP_JSON_RESPONSE env var or config file.

    false (SSE streamingsupports progress and notifications)
    
    eventStore?: EventStore

    Event store for stream resumability.

    When provided, the SDK transport stores events and supports client reconnection via the Last-Event-ID header. Only meaningful in stateful mode — stateless requests have no persistent streams.

    The SDK provides InMemoryEventStore as a reference implementation. For production horizontal scaling, implement the EventStore interface with Redis, PostgreSQL, or another shared backend.

    import { InMemoryEventStore } from '@modelcontextprotocol/sdk/examples/shared/inMemoryEventStore.js';

    createServer({
    name: 'my-server',
    version: '1.0.0',
    transport: { mode: 'http', eventStore: new InMemoryEventStore() },
    });
    helmetCsp?: string

    Content Security Policy configuration.

    • Omit: Helmet default CSP applies
    • 'false': Disable CSP entirely
    • Custom string: CSP directives (e.g. "default-src 'self'; script-src 'none'")

    Can also be configured via MCP_HELMET_CSP env var.

    helmetFrameOptions?: "DENY" | "SAMEORIGIN"

    X-Frame-Options header value.

    • 'DENY' — Never allow framing (most secure)
    • 'SAMEORIGIN' — Allow from same origin

    To allow framing from specific origins, use CSP frame-ancestors via helmetCsp instead.

    Can also be configured via MCP_HELMET_FRAME_OPTIONS env var.

    'DENY'
    
    helmetHsts?: boolean

    Enable HTTP Strict Transport Security (HSTS) header.

    When true, Helmet sets Strict-Transport-Security with max-age=15552000 (180 days) and includeSubDomains. Only enable when serving over HTTPS.

    Can also be configured via MCP_HELMET_HSTS env var.

    false
    
    host?: string

    Host to bind to (default: '127.0.0.1' or MCP_BIND_HOST env)

    legacySseEnabled?: boolean

    Enable legacy SSE transport for backwards compatibility

    mode: "https"
    port?: number

    Port to listen on (default: 8000 or MCP_PORT env)

    rateLimitMax?: number

    Rate limiting: max requests per window

    rateLimitWindowMs?: number

    Rate limiting: window duration in ms

    stateless?: boolean

    Operate in stateless mode (no session IDs).

    When enabled, each request gets a fresh McpSession and SDK transport. No Mcp-Session-Id headers are set. Per MCP specification, stateless servers do not track individual client sessions.

    In stateless mode, GET and DELETE return 405 Method Not Allowed.

    Use cases:

    • Simple tool servers that don't need per-client state
    • Serverless/edge deployments where session persistence is impractical
    • Horizontal scaling behind round-robin load balancers
    false
    

    TLS configuration (required for HTTPS mode).

    Can also be configured via environment variables:

    • MCP_TLS_CERT_PATH
    • MCP_TLS_KEY_PATH
    • MCP_TLS_CA_PATH (optional)
    trustProxy?: string

    Trust proxy setting for Express.

    Required when running behind a reverse proxy (nginx, Traefik, cloud LB) to correctly resolve client IPs, protocol, and host from proxy headers (X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host).

    Values:

    • Hop count ('1', '2') — Trust N hops from the front-facing proxy
    • Express keyword ('loopback', 'linklocal', 'uniquelocal')
    • IP/CIDR ('10.0.0.1', '10.0.0.0/8')
    • DNS hostname ('proxy.example.com') — resolved at startup
    • Comma-separated list ('loopback, 10.0.0.1')

    Can also be configured via MCP_TRUST_PROXY env var or config file. Omit to disable trust proxy.