Description
Inspector Version
- v0.20.0
Describe the bug
The x-custom-auth-headers HTTP header is sent to the MCP server when connecting directly, even though it's an MCP Inspector proxy implementation detail. This breaks CORS, because the MCP server does not expect this header to be sent, so it does not include it in the Access-Control-Allow-Headers list. As a result, the browser blocks the request because the preflight request did not allow the x-custom-auth-headers header to be sent.
To Reproduce
Steps to reproduce the behavior:
- Set up a direct connection to any server compliant with the MCP protocol
- Add any custom header other than "Authorization"
- Try connecting to the server. Your browser will block the request because the inspector sends the x-custom-auth-headers header, which was not allowed:
Access to fetch at 'http://localhost:8080/mcp' from origin 'http://localhost:6274' has been blocked by CORS policy: Request header field x-custom-auth-headers is not allowed by Access-Control-Allow-Headers in preflight response.
Expected behavior
x-custom-auth-headers should only be sent to the inspector proxy and filtered out there. It should not be sent in direct connections at all. This header should never reach the MCP server itself, because it is not part of the MCP spec, so we cannot expect MCP servers to expect this header.
Environment (please complete the following information):
- OS: macOS
- Browser: Chrome
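
The preflight failure described in this issue, modelled as an added JavaScript example (not the Inspector's code and not part of the original report). The function names, the X-Api-Key header, the header values and the server's allow-list are constructed assumptions, and the CORS check is simplified to header names only.

```javascript
// Simplified model of the browser's preflight header check (names only).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Header names the browser announces in Access-Control-Request-Headers.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), String(value)])
    .filter(([n, v]) => !SAFELISTED.has(n) && !(n === "content-type" &&
      SIMPLE_TYPES.has(v.split(";")[0].trim().toLowerCase())))
    .map(([n]) => n)
    .sort();
}

// Names the preflight response (Access-Control-Allow-Headers) does not permit.
// A non-empty result means the browser blocks the real request.
function blockedByPreflight(headers, allowHeaders, credentialed = false) {
  const allowed = new Set(
    allowHeaders.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
  // "*" is a wildcard only without credentials and never covers Authorization.
  const wildcard = allowed.has("*") && !credentialed;
  return unsafeHeaderNames(headers).filter(
    (n) => !allowed.has(n) && !(wildcard && n !== "authorization"));
}

// Hypothetical fix shape: proxy-only headers are dropped on direct connections.
const PROXY_ONLY = new Set(["x-custom-auth-headers"]);
function headersForConnection(headers, connectionType) {
  if (connectionType === "proxy") return { ...headers };
  return Object.fromEntries(Object.entries(headers)
    .filter(([name]) => !PROXY_ONLY.has(name.toLowerCase())));
}

// Constructed sample: one custom header plus the proxy-only header.
// The real value format of x-custom-auth-headers is not shown in the report.
const sampleHeaders = {
  "Content-Type": "application/json",
  "X-Api-Key": "constructed-value",
  "x-custom-auth-headers": "constructed-placeholder",
};
// Constructed allow-list of a server that knows nothing about the proxy header.
const serverAllowHeaders = "Content-Type, Authorization, X-Api-Key";

console.log(blockedByPreflight(sampleHeaders, serverAllowHeaders));
console.log(blockedByPreflight(
  headersForConnection(sampleHeaders, "direct"), serverAllowHeaders));
```

The wildcard branch shows why a server replying with `Access-Control-Allow-Headers: *` is not a general workaround: it does not apply to credentialed requests and never covers Authorization.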