mcp-proxy 6.4.6 → 6.5.0

package/README.md

@@ -62,6 +62,25 @@ options:
 - `--sslKey`: Private keys filename in PEM format
 - `--tunnel`: Expose the proxy via a public tunnel (see [Public Tunnel](#public-tunnel))
 - `--tunnelSubdomain`: Request a specific subdomain for the tunnel (availability not guaranteed)
+- `--corsAddAllowedHeader`: Add a header name to `Access-Control-Allow-Headers` (defaults preserved). Repeat to add multiple. Useful when running with `--apiKey` so browser preflights for `X-API-Key` succeed.
+
+### Troubleshooting Python stdio servers
+
+If a Python stdio MCP server times out with an error such as `Expected server to respond to ping`, make sure Python is running in unbuffered mode. Buffered stdout can delay MCP JSON-RPC messages long enough for the proxy to treat the server as unresponsive.
+
+Use `python -u` when launching the server:
+
+```bash
+npx mcp-proxy -- python -u -m your_package.mcp_server
+```
+
+Alternatively, set `PYTHONUNBUFFERED=1`:
+
+```bash
+PYTHONUNBUFFERED=1 npx mcp-proxy -- python -m your_package.mcp_server
+```
+
+MCP stdio servers should also reserve stdout for protocol messages. Send logs, warnings, and other diagnostic output to stderr, and use `--debug` when you need proxy-side logs.
 
 ### Public Tunnel
 
@@ -84,7 +103,7 @@ tunnel established at https://abcdefghij.tunnel.gla.ma
 > [!NOTE]
 > The requested subdomain may not be available. The actual URL will be displayed when the tunnel is established.
 
-This feature is powered by [pipenet](https://github.com/AugmentHQ/pipenet) and sponsored by [glama.ai](https://glama.ai). For more information, see the [pipenet announcement](https://glama.ai/blog/2026-01-19-pipenet).
+This feature is powered by [pipenet](https://github.com/punkpeye/pipenet) and sponsored by [glama.ai](https://glama.ai). For more information, see the [pipenet announcement](https://glama.ai/blog/2026-01-19-pipenet).
 
 ### Stateless Mode
 
@@ -318,6 +337,23 @@ await startHTTPServer({
 });
 ```
 
+#### CLI: adding allowed headers
+
+The CLI exposes a single `--corsAddAllowedHeader` flag that appends to the
+default `Access-Control-Allow-Headers` list (defaults preserved). The most
+common use is unblocking the browser preflight for a custom auth header when
+the proxy is started with `--apiKey`:
+
+```bash
+npx mcp-proxy --port 8080 --apiKey secret \
+  --corsAddAllowedHeader X-API-Key \
+  -- npx -y @modelcontextprotocol/server-filesystem /srv
+```
+
+Repeat the flag to add more (`--corsAddAllowedHeader X-API-Key --corsAddAllowedHeader X-Other`).
+For broader CORS overrides (origin allowlist, wildcard headers, disabling CORS),
+use the programmatic `cors` option below.
+
 #### Migration from Older Versions
 
 If you were using mcp-proxy 5.5.6 and want the same permissive behavior in 5.9.0+:

package/dist/bin/mcp-proxy.mjs

@@ -5053,6 +5053,11 @@ const argv = await yargs_default(hideBin(process.argv)).scriptName("mcp-proxy").
 		describe: "The timeout (in milliseconds) for initial connection to the MCP server (default: 60 seconds)",
 		type: "number"
 	},
+	corsAddAllowedHeader: {
+		array: true,
+		describe: "Add a header name to Access-Control-Allow-Headers (defaults preserved). Repeat to add multiple, e.g. `--corsAddAllowedHeader X-API-Key`.",
+		type: "string"
+	},
 	debug: {
 		default: false,
 		describe: "Enable debug logging",
@@ -5129,6 +5134,14 @@ const argv = await yargs_default(hideBin(process.argv)).scriptName("mcp-proxy").
 		type: "string"
 	}
 }).help().parseAsync();
+const corsOption = argv.corsAddAllowedHeader && argv.corsAddAllowedHeader.length > 0 ? { allowedHeaders: [...[
+	"Content-Type",
+	"Authorization",
+	"Accept",
+	"Mcp-Session-Id",
+	"Mcp-Protocol-Version",
+	"Last-Event-Id"
+], ...argv.corsAddAllowedHeader] } : void 0;
 const dashDashArgs = argv["--"];
 let finalCommand;
 let finalArgs;
@@ -5180,6 +5193,7 @@ const proxy = async () => {
 	};
 	const server = await startHTTPServer({
 		apiKey: argv.apiKey,
+		cors: corsOption,
 		createServer,
 		eventStore: new InMemoryEventStore(),
 		host: argv.host,