Return HTTP 403 for invalid Origin headers

Changed the HTTP status code for invalid Origin headers from 400 (Bad Request)
to 403 (Forbidden) to better reflect the nature of the error. Invalid origin
headers represent an authorization failure rather than a malformed request.

Github-Issue: #1398

Author: pja-ant

src/mcp/server/transport_security.py

@@ -122,6 +122,6 @@ async def validate_request(self, request: Request, is_post: bool = False) -> Res
         # Validate Origin header
         origin = request.headers.get("origin")
         if not self._validate_origin(origin):
-            return Response("Invalid Origin header", status_code=400)
+            return Response("Invalid Origin header", status_code=403)
 
         return None

tests/server/test_sse_security.py

@@ -127,7 +127,7 @@ async def test_sse_security_invalid_origin_header(server_port: int):
 
         async with httpx.AsyncClient() as client:
             response = await client.get(f"http://127.0.0.1:{server_port}/sse", headers=headers)
-            assert response.status_code == 400
+            assert response.status_code == 403
             assert response.text == "Invalid Origin header"
 
     finally:

tests/server/test_streamable_http_security.py

@@ -155,7 +155,7 @@ async def test_streamable_http_security_invalid_origin_header(server_port: int):
                 json={"jsonrpc": "2.0", "method": "initialize", "id": 1, "params": {}},
                 headers=headers,
             )
-            assert response.status_code == 400
+            assert response.status_code == 403
             assert response.text == "Invalid Origin header"
 
     finally: