Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.agentfront.dev/llms.txt

Use this file to discover all available pages before exploring further.

FrontMCP provides transport-level security controls for CORS, network binding, DNS rebinding protection, and host header validation. In development, defaults are permissive for ease of use. In production, FrontMCP logs security warnings and offers a strict mode that enables all protections at once.

Quick Start

Enable strict security mode for production: 
@FrontMcp({
  http: {
    port: 3000,
    cors: {
      origin: ['https://app.example.com'],
      credentials: false,
    },
    security: {
      strict: true,
      dnsRebindingProtection: {
        enabled: true,
        allowedHosts: ['api.example.com', 'api.example.com:3000'],
        allowedOrigins: ['https://app.example.com'],
      },
    },
  },
})

Security Options

FieldTypeDefaultDescription
security.strictbooleanfalseEnable all security features at once
security.bindAddress'loopback' | 'all' | string'0.0.0.0'Network bind address
security.dnsRebindingProtection.enabledbooleanfalseValidate Host and Origin headers
security.dnsRebindingProtection.allowedHostsstring[]---Allowed Host header values
security.dnsRebindingProtection.allowedOriginsstring[]---Allowed Origin header values

CORS Configuration

By default, FrontMCP uses permissive CORS (origin: true) for development convenience. In production, you should restrict origins explicitly: 
@FrontMcp({
  http: {
    cors: {
      origin: ['https://app.example.com', 'https://admin.example.com'],
      credentials: false,
      maxAge: 600,
    },
  },
})
To disable CORS entirely (same-origin only): 
@FrontMcp({
  http: {
    cors: false,
  },
})
origin: true reflects the request origin header, effectively allowing any website to make cross-origin requests. This is safe for local development but should never be used in production.

Bind Address

Controls which network interface the server listens on:
ValueBinds ToUse Case
'loopback'127.0.0.1Local-only access (development, reverse proxy)
'all'0.0.0.0All interfaces (distributed pods, direct access)
IP stringSpecific IPCustom network binding

Strict Mode Behavior

When security.strict: true:
  • Standalone mode: binds to 127.0.0.1 (loopback only)
  • Distributed mode: binds to 0.0.0.0 (pods need external access)

Explicit Override

security: {
  bindAddress: 'loopback', // Always 127.0.0.1, regardless of deployment mode
}
When running behind a reverse proxy (NGINX, Traefik, Envoy), bind to loopback and let the proxy handle external traffic.

DNS Rebinding Protection

Validates the HTTP Host and Origin headers against an allowlist. When a request arrives with an unrecognized host, the server responds with 403 Forbidden. 
security: {
  dnsRebindingProtection: {
    enabled: true,
    allowedHosts: ['localhost:3000', 'api.example.com'],
    allowedOrigins: ['https://app.example.com'],
  },
}
  • allowedHosts: Matches the Host header exactly (include port if non-standard)
  • allowedOrigins: Matches the Origin header exactly (include scheme)
  • If allowedOrigins is set, requests without an Origin header are allowed through (non-browser clients)
DNS rebinding attacks use a malicious domain that resolves to 127.0.0.1, tricking a browser into making requests to your local server. Host validation blocks these requests.

Security Audit Warnings

In production (NODE_ENV=production) or distributed mode, FrontMCP logs security warnings at startup: 
[Security] CORS_PERMISSIVE_DEFAULT: CORS is using the permissive default (origin: true).
[Security] BIND_ALL_INTERFACES: Server bound to 0.0.0.0 — accessible from all network interfaces.
[Security] DNS_REBINDING_UNPROTECTED: DNS rebinding protection is disabled.
[Security] STRICT_MODE_HINT: To enable strict security defaults, set security.strict = true.
These are warnings only — no defaults are changed. Use them to audit your configuration before going to production.

Production Checklist

  • Set explicit cors.origin (not true)
  • Enable security.dnsRebindingProtection with allowedHosts
  • Set security.bindAddress to 'loopback' if behind a reverse proxy
  • Configure TLS termination at the reverse proxy layer
  • Set NODE_ENV=production for security audit warnings
  • Review startup logs for [Security] warnings

Example: Full Production Config

@FrontMcp({
  info: { name: 'my-server', version: '1.0.0' },
  apps: [MyApp],
  http: {
    port: 3000,
    cors: {
      origin: ['https://app.example.com'],
      credentials: false,
      maxAge: 600,
    },
    security: {
      strict: true,
      bindAddress: 'loopback',
      dnsRebindingProtection: {
        enabled: true,
        allowedHosts: ['localhost:3000'],
        allowedOrigins: ['https://app.example.com'],
      },
    },
  },
  redis: { provider: 'redis', host: 'redis', port: 6379 },
  transport: {
    protocol: 'modern',
    persistence: {
      redis: { provider: 'redis', host: 'redis', port: 6379 },
    },
  },
})

Security Headers & CSP

Content Security Policy, HSTS, and X-Frame-Options

High Availability

Distributed sessions, heartbeat, and session takeover

Redis Setup

Redis connection and session store configuration

Production Build

Build and deploy for production