Skip to content

fix: HTTP GET /mcp returns 400 instead of 405 Method Not Allowed #154

Description

@paulbreuler

Severity: Medium

`GET /mcp` returns `400 Bad Request` with `{"error":"Missing mcp-session-id header"}` instead of the semantically correct `405 Method Not Allowed`.

Current behavior

```
GET /mcp → 400 {"error":"Missing mcp-session-id header"}
```

Expected behavior

```
GET /mcp → 405 {"error":"Method Not Allowed"}
Allow: POST, DELETE
```

Fix

Add a method check before the session-id check in `src/server-http.ts`:

```typescript
if (url.pathname === '/mcp' && req.method !== 'POST' && req.method !== 'DELETE') {
res.writeHead(405, { 'Content-Type': 'application/json', 'Allow': 'POST, DELETE' });
res.end(JSON.stringify({ error: 'Method Not Allowed' }));
return;
}
```

Files to modify

  • `src/server-http.ts` — add method check for `/mcp` route
  • `tests/server-http.test.ts` — add test: GET /mcp returns 405 with Allow header

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions