
Function validate_origin

fn validate_origin(
    headers: &HeaderMap,
    allowed: &[HeaderValue],
) -> Option<Response>

Validates the Origin header against the CORS allowlist to prevent DNS rebinding attacks (MCP spec 2025-11-25). Returns Some(403) when an Origin header is present but its value is not on the allowlist; returns None when the header is absent (non-browser client) or its value is allowed.

Note: this server-side check is required in addition to the CorsLayer. CorsLayer only sets CORS response headers, which the browser enforces on the client side; it offers no protection when the attacker arranges for the request to be same-origin via DNS rebinding, because no preflight fires and the browser never consults those headers.
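The following is an added example, not the project's own code, modelling the contract described above with only the Rust standard library. `Headers`, `Rejection`, `request_headers`, the `ALLOWED` list and the scenario origins are assumptions standing in for the server's real `HeaderMap`, `HeaderValue` and `Response`; the third scenario walks through why the CorsLayer cannot catch a DNS-rebound request while this check does.

```rust
use std::collections::HashMap;

/// Stand-in for the server's `HeaderMap` (assumption, so the example is std-only).
/// Keys are header names as received; the lookup below is case-insensitive.
pub type Headers = HashMap<String, Vec<u8>>;

/// Stand-in for the server's `Response`: only the status code matters here.
#[derive(Debug, PartialEq, Eq)]
pub struct Rejection {
    pub status: u16,
}

/// Same contract as the documented function:
/// - no Origin header            -> None      (non-browser client; nothing to check)
/// - Origin on the allowlist     -> None      (request proceeds)
/// - Origin present, not allowed -> Some(403)
pub fn validate_origin(headers: &Headers, allowed: &[&str]) -> Option<Rejection> {
    let origin = headers
        .iter()
        .find(|(name, _)| name.eq_ignore_ascii_case("origin"))
        .map(|(_, value)| value.as_slice());

    match origin {
        None => None,
        // Byte-exact match on the full serialized origin (scheme://host[:port]).
        // No prefix or substring matching: "http://localhost:3000.attacker.example"
        // must not pass just because it starts with an allowed value.
        Some(value) if allowed.iter().any(|a| a.as_bytes() == value) => None,
        Some(_) => Some(Rejection { status: 403 }),
    }
}

/// Build a constructed request header set, optionally carrying an Origin.
pub fn request_headers(origin: Option<&str>) -> Headers {
    let mut h = Headers::new();
    h.insert("host".to_string(), b"localhost:3000".to_vec());
    if let Some(o) = origin {
        h.insert("Origin".to_string(), o.as_bytes().to_vec());
    }
    h
}

/// Assumed allowlist for a local MCP server: the origins a legitimate
/// browser client would be served from.
pub const ALLOWED: &[&str] = &["http://localhost:3000", "http://127.0.0.1:3000"];

/// Runs four constructed scenarios and returns each outcome in order:
/// curl-style client, allowed browser origin, DNS-rebound attacker page,
/// prefix-bypass attempt.
pub fn scenarios() -> Vec<Option<Rejection>> {
    vec![
        // 1. No Origin at all (curl, an SDK, another server): skip the check.
        validate_origin(&request_headers(None), ALLOWED),
        // 2. Legitimate browser client on an allowed origin.
        validate_origin(&request_headers(Some("http://localhost:3000")), ALLOWED),
        // 3. DNS rebinding: attacker.example now resolves to 127.0.0.1, so the
        //    browser treats the POST as same-origin and sends no preflight, which
        //    is why CorsLayer never gets to act. Browsers still attach Origin to
        //    POST requests, so the header names the attacker's site and the
        //    server-side check rejects it.
        validate_origin(&request_headers(Some("http://attacker.example:3000")), ALLOWED),
        // 4. Allowed value used as a prefix of a foreign host.
        validate_origin(&request_headers(Some("http://localhost:3000.attacker.example")), ALLOWED),
    ]
}

fn main() {
    for (i, outcome) in scenarios().iter().enumerate() {
        match outcome {
            None => println!("scenario {}: allowed through", i + 1),
            Some(r) => println!("scenario {}: rejected with {}", i + 1, r.status),
        }
    }
}
```

The comparison is deliberately byte-exact against the whole serialized origin; an allowlist check that matches on host prefix, substring or a parsed hostname alone is a common way this control is accidentally weakened.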