Probe response content-type was acceptable

`transport_content_type_acceptable` · info · weight 1 · Perimeter

Authored by Stanley Hong · AgentReserve (founder).

The probe transport layer accepted the response's content-type. MCP servers MUST return JSON-RPC over HTTP or SSE; any other content-type makes the response unusable.

When this rule runs

Evaluated on every scan — observable from the URL, TLS handshake, or HTTP response headers, even when the MCP layer is auth-walled or unresponsive.

Why it matters

A response with the wrong content-type forces the client to either guess or refuse. Refusing is the safe default — but it means the server is effectively offline to spec-conformant clients.

Pass condition

Probe completed; the transport layer accepted the response content-type.

Fail condition

Probe was rejected by the transport layer (`UPSTREAM_PROTOCOL_ERROR`).

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"acceptedTransports": ["http", "sse"]}

Remediation

Serve `application/json` for HTTP transport or `text/event-stream` for SSE transport on the MCP endpoint.
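The same check can be run against your own endpoint's `Content-Type` header before a scan. The sketch below is an added example, not the scanner's code: the function names, the result shape and the pairing of each media type with a transport label are assumptions, while the media types, the error code and the evidence shape come from this page. It matches on the exact media type with parameters stripped, which is the case substring checks get wrong.

```python
import re

# Media types come from the Remediation text; the transport labels come from
# the evidence example. Pairing them this way is an assumption of this sketch.
ACCEPTED = {"application/json": "http", "text/event-stream": "sse"}

# RFC 9110 "token" characters on both sides of the slash.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def media_type(header_value):
    """Return the lowercased type/subtype without parameters, or None."""
    if header_value is None:
        return None
    essence = header_value.split(";", 1)[0].strip()
    return essence.lower() if _MEDIA_TYPE.fullmatch(essence) else None


def check_content_type(header_value):
    """Classify one Content-Type header value (hypothetical result shape)."""
    observed = media_type(header_value)
    transport = ACCEPTED.get(observed)
    if transport is not None:
        return {"pass": True, "transport": transport}
    return {
        "pass": False,
        "error": "UPSTREAM_PROTOCOL_ERROR",
        "evidence": {"acceptedTransports": sorted(set(ACCEPTED.values()))},
    }


# Constructed header values, not taken from any real scan.
SAMPLES = [
    "application/json; charset=utf-8",   # parameters are ignored
    "Text/Event-Stream",                 # media types are case-insensitive
    "text/html",                         # e.g. an error page from a proxy
    "application/jsonp",                 # a prefix match would wrongly accept this
    "text/html; note=application/json",  # a substring match would wrongly accept this
    None,                                # header missing entirely
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", check_content_type(value))
```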

Methodology

This rule belongs to the Transport security dimension, which concerns how the server is reached on the wire and covers TLS and protocol-level confidentiality of probe traffic.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.