DNS rebinding protection #831

rahul-netizen · 2026-03-02T18:57:44Z

rahul-netizen
Mar 2, 2026

Pre-submission Checklist

I have checked that this question would not be more appropriate as an issue in a specific repository
I have searched existing discussions and documentation for answers

Question Category

Your Question

The v1.4.0 version has introduced DNS rebinding protection

To be able to access my local development environment via a custom domain ( dev.local.com ), I create a DNS lookup locally to point localhost to dev.local.com, but with above update this causes it to break as reaching dev.local.com gives 403 or forbidden error.
Updating the server for one of the option DisableLocalhostProtection to true or using MCPGODEBUG env variable bypasses this and resolves my issue since for this case it's not exactly a rebinding attack

As part of release notes for v1.40, the Introduced DNS rebinding protection section states that The option to remove this protection will be removed in v1.6.0. But the question is what exactly will be removed ? The DisableLocalhostProtection param or support for MCPGODEBUG env variable or both ?

Answered by maciej-kisiel

Mar 3, 2026

Hi!

DisableLocalhostProtection will stay as a option, where the developer would like to opt out of the protections while understanding the security implications. What will be removed is the MCPGODEBUG parameter that affects the default behavior – in v1.6.0 the default will be for the protection to be enabled.

This means that for some time there will be two options to disable the protections – the DisableLocalhostProtection and MCPGODEBUG. The former is more future proof and if you can, you should use that one. MCPGODEBUG was only introduced for people that are affected by the default behavior change, but changing the source code within their development/release processes will take some ti…

View full answer

maciej-kisiel · 2026-03-03T07:55:31Z

maciej-kisiel
Mar 3, 2026
Maintainer

Hi!

DisableLocalhostProtection will stay as a option, where the developer would like to opt out of the protections while understanding the security implications. What will be removed is the MCPGODEBUG parameter that affects the default behavior – in v1.6.0 the default will be for the protection to be enabled.

This means that for some time there will be two options to disable the protections – the DisableLocalhostProtection and MCPGODEBUG. The former is more future proof and if you can, you should use that one. MCPGODEBUG was only introduced for people that are affected by the default behavior change, but changing the source code within their development/release processes will take some time. Until v1.6.0 they can use the environment variable.

I hope this makes it clearer, sorry for the confusion. I will also try to improve the wording in the release notes.

1 reply

rahul-netizen Mar 3, 2026
Author

Thanks @maciej-kisiel, this helps !

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DNS rebinding protection #831

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

DNS rebinding protection #831

Uh oh!

Uh oh!

rahul-netizen Mar 2, 2026

Pre-submission Checklist

Question Category

Your Question

Replies: 1 comment · 1 reply

Uh oh!

maciej-kisiel Mar 3, 2026 Maintainer

Uh oh!

rahul-netizen Mar 3, 2026 Author

rahul-netizen
Mar 2, 2026

Replies: 1 comment 1 reply

maciej-kisiel
Mar 3, 2026
Maintainer

rahul-netizen Mar 3, 2026
Author