Add CORS support

[DaleSeo]

This PR implements comprehensive CORS support for Apollo MCP Server to enable web-based MCP clients to connect without CORS errors. The implementation and configuration draw heavily from the Router's approach. Similar to other features like health checks and telemetry, CORS is supported only for the StreamableHttp transport, making it a top-level configuration.

How to test

Add the following config to your config file and run the MCP server.

cors:
  enabled: true
  # Allow common development origins
  origins:
    - http://localhost:3000
  allow_credentials: true
  expose_headers:
    - mcp-session-id

Pre-flight test: Allowed origin

$ curl -i -X OPTIONS \
  -H "Origin: http://localhost:3000" \
  -H "Access-Control-Request-Method: POST" \
http://127.0.0.1:5000/mcp

HTTP/1.1 200 OK
access-control-allow-credentials: true
vary: origin, access-control-request-method, access-control-request-headers
access-control-allow-methods: GET,POST,OPTIONS
access-control-allow-headers: content-type,authorization,mcp-session-id
access-control-max-age: 7200
access-control-allow-origin: http://localhost:3000
content-length: 0
date: Wed, 17 Sep 2025 20:45:21 GMT

Pre-flight test: Origin rejection

$ curl -i -X OPTIONS \
  -H "Origin: https://unauthorized.com" \
  -H "Access-Control-Request-Method: POST" \
http://127.0.0.1:5000/mcp

HTTP/1.1 200 OK
access-control-allow-credentials: true
vary: origin, access-control-request-method, access-control-request-headers
access-control-allow-methods: GET,POST,OPTIONS
access-control-allow-headers: content-type,authorization,mcp-session-id
access-control-max-age: 7200
content-length: 0
date: Wed, 17 Sep 2025 20:53:15 GMT

Initialize Call

$ curl -i -X POST \
  -H "Origin: https://localhost:3000" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0.0"}},"id":1}' \
  http://127.0.0.1:5000/mcp

HTTP/1.1 200 OK
content-type: text/event-stream
cache-control: no-cache
mcp-session-id: 4063d7b8-9810-464d-b3f7-3a0414ac4abd
vary: origin, access-control-request-method, access-control-request-headers
access-control-allow-credentials: true
access-control-allow-origin: https://localhost:3000
transfer-encoding: chunked
date: Wed, 17 Sep 2025 21:06:40 GMT

data: {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"Apollo MCP Server","title":"Apollo MCP Server","version":"0.8.0","websiteUrl":"https://www.apollographql.com/docs/apollo-mcp-server"}}}

[apollo-librarian]

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 2 changed, 0 removed

* (developer-tools)/apollo-mcp-server/(latest)/config-file.mdx
* (developer-tools)/apollo-mcp-server/(latest)/define-tools.mdx

Build ID: 470a2f57236ce376fd75af46
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/470a2f57236ce376fd75af46