Return HTTP 403 for invalid Origin headers (#1353)

Author: pja-ant

src/mcp/server/transport_security.py

@@ -122,6 +122,6 @@ async def validate_request(self, request: Request, is_post: bool = False) -> Res
         # Validate Origin header
         origin = request.headers.get("origin")
         if not self._validate_origin(origin):
-            return Response("Invalid Origin header", status_code=400)
+            return Response("Invalid Origin header", status_code=403)
 
         return None

tests/server/test_sse_security.py

@@ -127,7 +127,7 @@ async def test_sse_security_invalid_origin_header(server_port: int):
 
         async with httpx.AsyncClient() as client:
             response = await client.get(f"http://127.0.0.1:{server_port}/sse", headers=headers)
-            assert response.status_code == 400
+            assert response.status_code == 403
             assert response.text == "Invalid Origin header"
 
     finally:

tests/server/test_streamable_http_security.py

@@ -155,7 +155,7 @@ async def test_streamable_http_security_invalid_origin_header(server_port: int):
                 json={"jsonrpc": "2.0", "method": "initialize", "id": 1, "params": {}},
                 headers=headers,
             )
-            assert response.status_code == 400
+            assert response.status_code == 403
             assert response.text == "Invalid Origin header"
 
     finally: