fix(security): deduplicate per-host and per-origin rejection log warnings

Log each unique rejected Host/Origin value only once per middleware
instance to prevent log flooding in reverse-proxy deployments where a
misconfigured client hammers the server repeatedly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: BSmick6

src/mcp/server/transport_security.py

@@ -51,6 +51,8 @@ class TransportSecurityMiddleware:
     def __init__(self, settings: TransportSecuritySettings | None = None):
         # If not specified, disable DNS rebinding protection by default for backwards compatibility
         self.settings = settings or TransportSecuritySettings(enable_dns_rebinding_protection=False)
+        self._warned_hosts: set[str | None] = set()
+        self._warned_origins: set[str] = set()
 
     def _validate_host(self, host: str | None) -> bool:
         """Validate the Host header against allowed values."""
@@ -71,7 +73,9 @@ def _validate_host(self, host: str | None) -> bool:
                 if host.startswith(base_host + ":"):
                     return True
 
-        logger.warning(f"Invalid Host header: {host}")
+        if host not in self._warned_hosts:
+            self._warned_hosts.add(host)
+            logger.warning(f"Invalid Host header: {host}")
         return False
 
     def _validate_origin(self, origin: str | None) -> bool:
@@ -93,7 +97,9 @@ def _validate_origin(self, origin: str | None) -> bool:
                 if origin.startswith(base_origin + ":"):
                     return True
 
-        logger.warning(f"Invalid Origin header: {origin}")
+        if origin not in self._warned_origins:
+            self._warned_origins.add(origin)
+            logger.warning(f"Invalid Origin header: {origin}")
         return False
 
     def _validate_content_type(self, content_type: str | None) -> bool:

tests/server/test_transport_security.py

@@ -83,6 +83,17 @@ def test_validate_host_port_wildcard_no_port() -> None:
     assert m._validate_host("localhost") is False
 
 
+def test_validate_host_logs_once_per_unique_host(caplog: pytest.LogCaptureFixture) -> None:
+    m = TransportSecurityMiddleware(TransportSecuritySettings(allowed_hosts=["example.com"]))
+    with caplog.at_level(logging.WARNING, logger="mcp.server.transport_security"):
+        m._validate_host("evil.com")
+        m._validate_host("evil.com")
+        m._validate_host("evil.com")
+        m._validate_host("other.com")
+    host_records = [r for r in caplog.records if "Invalid Host header" in r.message]
+    assert len(host_records) == 2  # one for evil.com, one for other.com
+
+
 # ---------------------------------------------------------------------------
 # TransportSecurityMiddleware._validate_origin
 # ---------------------------------------------------------------------------
@@ -113,6 +124,16 @@ def test_validate_origin_port_wildcard_different_base() -> None:
     assert m._validate_origin("http://other:3000") is False
 
 
+def test_validate_origin_logs_once_per_unique_origin(caplog: pytest.LogCaptureFixture) -> None:
+    m = TransportSecurityMiddleware(TransportSecuritySettings(allowed_origins=["http://example.com"]))
+    with caplog.at_level(logging.WARNING, logger="mcp.server.transport_security"):
+        m._validate_origin("http://evil.com")
+        m._validate_origin("http://evil.com")
+        m._validate_origin("http://other.com")
+    origin_records = [r for r in caplog.records if "Invalid Origin header" in r.message]
+    assert len(origin_records) == 2  # one for evil.com, one for other.com
+
+
 # ---------------------------------------------------------------------------
 # TransportSecurityMiddleware.validate_request
 # ---------------------------------------------------------------------------