Problem / motivation
The MCP HTTP server already has good fundamentals, but self-hosted deployments would benefit from stronger hardening and observability.
Proposed solution
Add selected production-oriented controls and metrics.
Scope candidates:
- rate limiting
- configurable CORS origin allowlist
- request size limits
- stronger log redaction guarantees
- metrics endpoint or Prometheus integration
Alternatives considered
Leave HTTP mode minimal and rely on reverse proxies for all controls. That is valid in some deployments, but built-in controls would make the server safer and easier to operate directly.
Additional context
Related existing issue:
Suggested checklist: