
fa-mcp-sdk

by Bazilio-san

Overview

A production-ready framework for building Model Context Protocol (MCP) servers, enabling AI models to interact with custom tools, prompts, and resources.

Installation

Run Command
node dist/src/start.js

Environment Variables

  • SERVICE_NAME
  • PRODUCT_NAME
  • NODE_ENV
  • NODE_CONSUL_ENV
  • DEBUG
  • AD_SERVICE_PASSWORD
  • CACHE_TTL_SECONDS
  • DB_HOST
  • LOGGER_LEVEL
  • MCP_TRANSPORT_TYPE
  • WS_PORT
  • WS_AUTH_ENABLED
  • PM2_NAMESPACE

Security Notes

The server's default CORS policy (`src/core/web/cors.ts`) is critically misconfigured: the origin callback unconditionally allows every origin (`callback(null, true);`). This exposes all HTTP endpoints, including the /mcp API, to cross-origin requests from any website, which can lead to CSRF or unauthorized access if the other authentication mechanisms are bypassed or misconfigured. Rate limiting is present and authentication is configurable, but the wide-open CORS policy remains a significant risk.

The custom JWT-like token implementation in `src/core/auth/jwt.ts` (symmetric AES-256-CTR encryption) falls back to a hardcoded default `encryptKey`, the UUID `11111111-7777-8888-9999-000000000000`, when none is configured. If authentication is enabled and this default key is in use, the security of all generated tokens is severely compromised. `cli-config.example.yaml` shows an auto-generated UUID instead, which is better, but the in-code default remains problematic.

Logging masks sensitive data, which is good practice. Path traversal checks exist in `src/core/web/svg-icons.ts`. The NTLM and Basic authentication options require externally configured credentials (Active Directory or username/password).

Stats

  • Interest Score: 0
  • Security Score: 5
  • Cost Class: Low
  • Avg Tokens: 100
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-18

Tags

MCP, TypeScript, AI, Framework, API