
Server validates the Origin header

transport_validates_origin · high · weight 8 · Perimeter

Authored by Stanley Hong · AgentReserve (founder).

The MCP server returns HTTP 403 to a POST whose `Origin` header points at a host other than its own. This is the documented DNS-rebinding mitigation in the MCP 2025-11-25 security best practices: a server that processes cross-origin requests can be coerced via DNS rebinding into accepting tool calls from any page in the user's browser. Real CVEs in this class include CVE-2025-10625 (Neo4j Cypher MCP) and CVE-2026-23744 (MCPJam Inspector).

When this rule runs

Evaluated on every scan — observable from the URL, TLS handshake, or HTTP response headers, even when the MCP layer is auth-walled or unresponsive.

Why it matters

DNS rebinding lets an attacker's web page reach an MCP server bound to localhost or to an internal hostname — the browser-level same-origin policy doesn't help because the IP changes after the page loads. The Origin header is the server-side check that closes the loop. A server that doesn't validate Origin is reachable from any page the user visits while the MCP client is running.

Pass condition

The cross-origin POST probe returned HTTP 403 (the spec-compliant rejection).

Fail condition

The cross-origin POST probe returned a 2xx status, indicating the server processed the request without validating Origin.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"sentOrigin": "https://agentreserve-rebind-probe.invalid", "status": 200}

Remediation

Validate the `Origin` header on every MCP request. Maintain an allow-list of acceptable origins (typically the operator's own clients) and return HTTP 403 on any mismatch. Localhost-only servers should additionally reject requests whose `Host` header points at any name other than the loopback addresses they bound to.
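One way to implement the two checks described above, as an added example (not code from AgentReserve or the MCP project). The port 8931, the allow-list contents, the function names, and the decision to let requests without an `Origin` header through are all assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed deployment: an MCP server bound to loopback on port 8931 (hypothetical).
ALLOWED_ORIGINS = {"http://localhost:8931", "http://127.0.0.1:8931"}
ALLOWED_HOSTS = {"localhost:8931", "127.0.0.1:8931", "[::1]:8931"}


def normalize_origin(value):
    """Return a lowercased scheme://host[:port], or None if not a bare origin."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def reject_reason(headers, origins=ALLOWED_ORIGINS, hosts=ALLOWED_HOSTS):
    """Return why the request must get HTTP 403, or None if it may proceed."""
    h = {k.lower(): v for k, v in headers.items()}
    # Host check: after a rebind the browser still sends the rebound name here.
    if h.get("host", "").strip().lower() not in hosts:
        return "Host is not a name this server is bound to"
    origin = h.get("origin")
    if origin is None:
        # Assumption: non-browser MCP clients omit Origin, while browsers attach
        # it to POST requests, so browser traffic reaches the check below.
        return None
    if normalize_origin(origin) not in origins:  # also rejects "null"
        return "Origin is not on the allow-list"
    return None


if __name__ == "__main__":
    # Constructed sample requests; the second mirrors the probe in the evidence.
    samples = [
        {"Host": "localhost:8931", "Origin": "http://localhost:8931"},
        {"Host": "localhost:8931",
         "Origin": "https://agentreserve-rebind-probe.invalid"},
        {"Host": "rebound-name.invalid:8931", "Origin": "http://localhost:8931"},
    ]
    for s in samples:
        reason = reject_reason(s)
        print(403 if reason else "pass", s, reason or "")
```

Call `reject_reason` before any MCP message parsing and answer HTTP 403 whenever it returns a reason.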

Methodology

This rule belongs to the Transport security dimension, which covers how the server is reached on the wire: TLS and protocol-level confidentiality of probe traffic.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.