Better CORS defaults for SSE transport

[jspahrsummers]

It's likely that most MCP servers accessible over SSE should be contactable by frontend web applications, which means the right CORS headers need to be set. The SDK should likely opt-in to this by default, with an opt-out available.

See also modelcontextprotocol/typescript-sdk#143.

[panz2018]

I have developed web servers that integrate MCP SSE functionality:

• Using FastAPI: fastapi_mcp_sse
• Using Starlette: starlette_mcp_sse

These servers can be extended with custom routes while retaining full MCP SSE capabilities. Thus, it is possible to add CORS or any other functions using FastAPI or Starlette functions.

[ezyang]

Even if the default isn't changed, there should be some way to set it from mcp run. Otherwise the built in serving commands are just fundamentally not serious for real use.

[ezyang]

It's so easy to just hard code your own SSE server though... the missed opportunity here is ensuring all MCP's have a standardized way to do the SSE server

[ewfian]

Workaround

I've created a working solution by subclassing FastMCP to add CORS middleware support for both SSE and StreamableHTTP transports:

from mcp.server.fastmcp import FastMCP
from starlette.middleware.cors import CORSMiddleware
from starlette.applications import Starlette

class FastMCPWithCORS(FastMCP):
    def streamable_http_app(self) -> Starlette:
        """Return StreamableHTTP server app with CORS middleware"""
        # Get the original Starlette app
        app = super().streamable_http_app()
        
        # Add CORS middleware
        app.add_middleware(
            CORSMiddleware,
            allow_origins=["*"],  # In production, should set specific domains
            allow_credentials=True,
            allow_methods=["*"],
            allow_headers=["*"],
        )
        
        return app
    
    def sse_app(self, mount_path: str | None = None) -> Starlette:
        """Return SSE server app with CORS middleware"""
        # Get the original Starlette app
        app = super().sse_app(mount_path)
        
        # Add CORS middleware
        app.add_middleware(
            CORSMiddleware,
            allow_origins=["*"],  # In production, should set specific domains
            allow_credentials=True,
            allow_methods=["*"],
            allow_headers=["*"],
        )
        
        return app

# Usage
server = FastMCPWithCORS("My MCP Server", host="0.0.0.0")

@server.tool()
async def my_tool(query: str) -> str:
    return f"Result for: {query}"

if __name__ == "__main__":
    server.run(transport='streamable-http')  # or 'sse'

This approach:

• ✅ Works with both SSE and StreamableHTTP transports
• ✅ Handles CORS preflight requests correctly
• ✅ Maintains all existing FastMCP functionality
• ✅ Easy to customize CORS settings per server

Testing results:

$ curl -I -X OPTIONS http://localhost:8000/mcp/
HTTP/1.1 200 OK
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: *
access-control-allow-credentials: true

This could serve as a reference for implementing CORS defaults in the SDK itself.

[informatica92]

Workaround

I've created a working solution by subclassing FastMCP to add CORS middleware support for both SSE and StreamableHTTP transports:

from mcp.server.fastmcp import FastMCP
from starlette.middleware.cors import CORSMiddleware
from starlette.applications import Starlette

class FastMCPWithCORS(FastMCP):
def streamable_http_app(self) -> Starlette:
"""Return StreamableHTTP server app with CORS middleware"""
# Get the original Starlette app
app = super().streamable_http_app()

    # Add CORS middleware
    app.add_middleware(
        CORSMiddleware,
        allow_origins=["*"],  # In production, should set specific domains
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
    )
    
    return app

def sse_app(self, mount_path: str | None = None) -> Starlette:
    """Return SSE server app with CORS middleware"""
    # Get the original Starlette app
    app = super().sse_app(mount_path)
    
    # Add CORS middleware
    app.add_middleware(
        CORSMiddleware,
        allow_origins=["*"],  # In production, should set specific domains
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
    )
    
    return app

Usage

server = FastMCPWithCORS("My MCP Server", host="0.0.0.0")

@server.tool()
async def my_tool(query: str) -> str:
return f"Result for: {query}"

if name == "main":
server.run(transport='streamable-http') # or 'sse'
This approach:

• ✅ Works with both SSE and StreamableHTTP transports
• ✅ Handles CORS preflight requests correctly
• ✅ Maintains all existing FastMCP functionality
• ✅ Easy to customize CORS settings per server

Testing results:

$ curl -I -X OPTIONS http://localhost:8000/mcp/
HTTP/1.1 200 OK
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: *
access-control-allow-credentials: true
This could serve as a reference for implementing CORS defaults in the SDK itself.

I recently faced the same issue (trying to connect an "sse" server using the official MCP Inspector).
This workaround solves the issue.

[Kludex]

I don't think CORS should be enabled by default.