mcp-sdk-go

The SDK generally demonstrates good security practices, especially with its robust middleware system for logging, recovery, timeouts, rate limiting, and authentication. Input validation for tool arguments is enforced via JSON Schema inference, significantly reducing injection risks. The Streamable HTTP transport (the latest recommended HTTP transport) correctly implements maximum body size limits and provides an opt-in mechanism for origin validation to prevent DNS rebinding attacks. However, there are some notable areas for improvement: 1) The SSE transport (marked as backward compatible/older) reads entire request bodies without size limits, which could expose servers to Denial-of-Service attacks via large payloads. 2) The unofficial WebSocket transport explicitly disables origin checks (`CheckOrigin: func(r *http.Request) bool { return true }`), introducing a significant CSRF risk if used without custom origin validation. 3) Origin validation for the Streamable HTTP transport is opt-in and not enabled by default, requiring explicit configuration by the developer for full protection.