fix: reject POST requests with non-JSON Content-Type with HTTP 415

suryateja-g13 · suryateja-g13 · commit 34d1eb63e26c · 2026-05-17T17:55:08.000-04:00
HttpServletStreamableServerTransportProvider accepted POST requests regardless of their Content-Type header, processing them normally even when declared as text/plain, application/x-www-form-urlencoded, or with no Content-Type at all. Add an early Content-Type check in doPost() that returns HTTP 415 Unsupported Media Type when the request Content-Type is absent or does not start with application/json, consistent with other MCP server implementations and browser/CORS hardening expectations. Also validate that the MCP-Protocol-Version request header on initialize requests is consistent with the protocolVersion field in the JSON-RPC body, returning HTTP 400 with a JSON-RPC INVALID_PARAMS error on mismatch. Fixes #961 Fixes #963 Signed-off-by: Gorre Surya <suryateja.g13@gmail.com>
diff --git a/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java b/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java
@@ -415,6 +415,12 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			return;
 		}
 
+		String contentType = request.getContentType();
+		if (contentType == null || !contentType.startsWith(APPLICATION_JSON)) {
+			response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, "Content-Type must be application/json");
+			return;
+		}
+
 		List<String> badRequestErrors = new ArrayList<>();
 
 		String accept = request.getHeader(ACCEPT);
@@ -450,6 +456,17 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 				McpSchema.InitializeRequest initializeRequest = jsonMapper.convertValue(jsonrpcRequest.params(),
 						new TypeRef<McpSchema.InitializeRequest>() {
 						});
+
+				String headerVersion = request.getHeader(HttpHeaders.PROTOCOL_VERSION);
+				if (headerVersion != null && !headerVersion.equals(initializeRequest.protocolVersion())) {
+					this.responseError(response, HttpServletResponse.SC_BAD_REQUEST, McpError
+						.builder(McpSchema.ErrorCodes.INVALID_PARAMS)
+						.message("MCP-Protocol-Version header '" + headerVersion
+								+ "' does not match body protocolVersion '" + initializeRequest.protocolVersion() + "'")
+						.build());
+					return;
+				}
+
 				McpStreamableServerSession.McpStreamableServerSessionInit init = this.sessionFactory
 					.startSession(initializeRequest);
 				this.sessions.put(init.session().getId(), init.session());
