From fcc92265f1548ab1307e0ed09b7825bb76d57778 Mon Sep 17 00:00:00 2001
From: Peter Alexander
Date: Mon, 8 Sep 2025 15:30:56 +0100
Subject: [PATCH] Return HTTP 403 for invalid Origin headers

Changed the HTTP status code for invalid Origin headers from 400 (Bad Request) to 403 (Forbidden) to better reflect the nature of the error. Invalid origin headers represent an authorization failure rather than a malformed request.

Github-Issue: #1398
---
 src/mcp/server/transport_security.py | 2 +-
 tests/server/test_sse_security.py | 2 +-
 tests/server/test_streamable_http_security.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/mcp/server/transport_security.py b/src/mcp/server/transport_security.py
index 3a884ee2b..de4542af6 100644
--- a/src/mcp/server/transport_security.py
+++ b/src/mcp/server/transport_security.py
@@ -122,6 +122,6 @@ async def validate_request(self, request: Request, is_post: bool = False) -> Res
         # Validate Origin header
         origin = request.headers.get("origin")
         if not self._validate_origin(origin):
-            return Response("Invalid Origin header", status_code=400)
+            return Response("Invalid Origin header", status_code=403)
 
         return None
diff --git a/tests/server/test_sse_security.py b/tests/server/test_sse_security.py
index 43af35061..bdaec6bdb 100644
--- a/tests/server/test_sse_security.py
+++ b/tests/server/test_sse_security.py
@@ -127,7 +127,7 @@ async def test_sse_security_invalid_origin_header(server_port: int):
         async with httpx.AsyncClient() as client:
             response = await client.get(f"http://127.0.0.1:{server_port}/sse", headers=headers)
 
-            assert response.status_code == 400
+            assert response.status_code == 403
             assert response.text == "Invalid Origin header"
 
     finally:
diff --git a/tests/server/test_streamable_http_security.py b/tests/server/test_streamable_http_security.py
index eed791924..b9cd83dc1 100644
--- a/tests/server/test_streamable_http_security.py
+++ b/tests/server/test_streamable_http_security.py
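Review bot: The status change is the right call, but nothing in the hunk records why 403 was chosen over 400, and a later reader will be tempted to "correct" it back; a comment above the `return Response(...)` line would pin the reasoning: `# 403, not 400: the request is well-formed, the origin is simply not allowlisted (DNS-rebinding defence)`. Unless `_validate_origin` logs the rejection itself, the rejected `origin` value is never logged on this path, which leaves operators without a signal for rebinding attempts — a `logger.warning("Rejected request with Origin %r", origin)` before the return would close that gap. If the Host-header check earlier in `validate_request` (outside this hunk) rejects with a different status, the same comment should say why the two differ so the asymmetry reads as intentional. `validate_request` begins outside the hunk, so those earlier checks are not visible here.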
@@ -155,7 +155,7 @@ async def test_streamable_http_security_invalid_origin_header(server_port: int):
                 json={"jsonrpc": "2.0", "method": "initialize", "id": 1, "params": {}},
                 headers=headers,
             )
-            assert response.status_code == 400
+            assert response.status_code == 403
             assert response.text == "Invalid Origin header"
 
     finally: