fn validate_origin(headers: &HeaderMap) -> Option<Response>
Validates the Origin header to prevent DNS rebinding attacks (MCP 2025-11-25). Returns Some(403) if the Origin is present but doesn’t match the Host. Returns None if the Origin is absent (non-browser client) or valid.
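
One way to implement the comparison described above, as an added example that is not this crate's own code. Assumptions: the two header values arrive as Option<&str> rather than a HeaderMap, the 403 is a bare status code rather than a Response, a Host without a port takes the Origin scheme's default port, and check_origin and split_authority are hypothetical names.

```rust
// Added illustration, not the crate's implementation. Assumptions: headers are
// passed as Option<&str> instead of a HeaderMap, and the response is a status code.

/// Splits "host[:port]" (including bracketed IPv6) into a lowercased host and a port.
fn split_authority(authority: &str, default_port: u16) -> Option<(String, u16)> {
    let (host, port) = if let Some(rest) = authority.strip_prefix('[') {
        let (h, after) = rest.split_once(']')?;
        let port = match after {
            "" => None,
            a => Some(a.strip_prefix(':')?),
        };
        (format!("[{}]", h), port)
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h.to_string(), Some(p)),
            None => (authority.to_string(), None),
        }
    };
    if host.is_empty() {
        return None;
    }
    let port = match port {
        Some(p) => p.parse::<u16>().ok()?,
        None => default_port,
    };
    Some((host.to_ascii_lowercase(), port))
}

/// Some(403) when Origin is present but does not match Host; None otherwise.
fn check_origin(origin: Option<&str>, host: Option<&str>) -> Option<u16> {
    let origin = origin?; // absent Origin: non-browser client, nothing to check
    let matched = (|| -> Option<bool> {
        let (scheme, authority) = origin.split_once("://")?;
        // Assumption: a Host without a port implies the Origin scheme's default port.
        let default_port = match scheme.to_ascii_lowercase().as_str() {
            "http" => 80,
            "https" => 443,
            _ => return None,
        };
        Some(split_authority(authority, default_port)? == split_authority(host?, default_port)?)
    })();
    // Anything unparseable (e.g. the opaque origin "null") fails closed.
    if matched == Some(true) { None } else { Some(403) }
}

fn main() {
    // Constructed sample headers.
    println!("{:?}", check_origin(Some("http://evil.example"), Some("localhost:3000")));
}
```

This comparison only establishes that Origin and Host agree; whether the Host value itself is one the server expects is a separate allowlist check that this sketch does not perform.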