From 20483dc5f95df8368f48cf445304e976ca1b9e00 Mon Sep 17 00:00:00 2001
From: Gilles Soulier
Date: Thu, 28 May 2026 10:40:44 +0200
Subject: [PATCH] =?UTF-8?q?fix(mcp):=20d=C3=A9sactiver=20DNS=20rebinding?= =?UTF-8?q?=20protection=20(auth=20Bearer=20suffisant)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 backend/app/api/mcp_server.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/backend/app/api/mcp_server.py b/backend/app/api/mcp_server.py
index 2ab8f65..a0dbe5c 100644
--- a/backend/app/api/mcp_server.py
+++ b/backend/app/api/mcp_server.py
@@ -4,6 +4,7 @@ from datetime import datetime, timedelta, timezone, date as date_type
 from decimal import Decimal
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 from sqlalchemy import select, and_, text, or_
 from sqlalchemy.orm import selectinload
@@ -15,7 +16,12 @@ from app.models.shopping import ShoppingList, ListItem, Product
 _VALID_STATUSES = {"pending", "done", "cancelled"}
 _VALID_PRIORITIES = {"low", "medium", "high"}
-mcp = FastMCP("HomeHub", stateless_http=True, streamable_http_path="/")
+mcp = FastMCP(
+ "HomeHub",
+ stateless_http=True,
+ streamable_http_path="/",
+ transport_security=TransportSecuritySettings(enable_dns_rebinding_protection=False),
+)
 def _serialize(obj):
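Review bot: Turning `enable_dns_rebinding_protection` off in the `FastMCP(...)` call removes the transport's Host/Origin validation for every request, and the Bearer check the subject line relies on is not visible in this hunk, so nothing here shows that it covers all requests to the mounted app. If the default was rejecting requests because the server is reached under a non-localhost name (an inference, the commit does not say), keeping the protection and listing the expected names is the narrower fix: `transport_security=TransportSecuritySettings(enable_dns_rebinding_protection=True, allowed_hosts=[<PUBLIC_HOST_PLACEHOLDER>], allowed_origins=[<PUBLIC_ORIGIN_PLACEHOLDER>])`, with the values read from deployment configuration. If it stays disabled, a comment such as `# Host/Origin validation disabled: every request must pass the Bearer check in <AUTH_LOCATION_PLACEHOLDER>` would record the dependency for whoever later changes the auth layer.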