diff --git a/README.md b/README.md
index 6368ed04..3261f14f 100644
--- a/README.md
+++ b/README.md
@@ -133,6 +133,19 @@ You can paste the Server Entry into your existing `mcp.json` file under your cho
The inspector supports bearer token authentication for SSE connections. Enter your token in the UI when connecting to an MCP server, and it will be sent in the Authorization header. You can override the header name using the input field in the sidebar.
+### HTTPS Configuration
+
+oAuth testing in the browser involves security libraries that require serving the Client UI over a secure connection. To enable HTTPS for both the client and server, set these environment variables:
+
+- `INSPECTOR_SSL_CERT_PATH`: Path to SSL certificate file (.crt or .pem)
+- `INSPECTOR_SSL_KEY_PATH`: Path to SSL private key file (.key or .pem)
+
+When both variables are set, the inspector will automatically use HTTPS:
+- Client UI: `https://localhost:6274`
+- Proxy server: `https://localhost:6277`
+
+If these variables are not set, the inspector defaults to HTTP.
+
### Security Considerations
The MCP Inspector includes a proxy server that can run and communicate with local MCP processes. The proxy server should not be exposed to untrusted networks as it has permissions to spawn local processes and can connect to any specified MCP server.
diff --git a/client/bin/client.js b/client/bin/client.js
index 2a7419e6..5514fccc 100755
--- a/client/bin/client.js
+++ b/client/bin/client.js
@@ -5,45 +5,102 @@ import { join, dirname } from "path";
import { fileURLToPath } from "url";
import handler from "serve-handler";
import http from "http";
+import https from "https";
+import fs from "fs";
const __dirname = dirname(fileURLToPath(import.meta.url));
const distPath = join(__dirname, "../dist");
-const server = http.createServer((request, response) => {
- const handlerOptions = {
- public: distPath,
- rewrites: [{ source: "/**", destination: "/index.html" }],
- headers: [
- {
- // Ensure index.html is never cached
- source: "index.html",
- headers: [
- {
- key: "Cache-Control",
- value: "no-cache, no-store, max-age=0",
- },
- ],
- },
- {
- // Allow long-term caching for hashed assets
- source: "assets/**",
- headers: [
- {
- key: "Cache-Control",
- value: "public, max-age=31536000, immutable",
- },
- ],
- },
- ],
- };
+const handlerOptions = {
+ public: distPath,
+ rewrites: [{ source: "/**", destination: "/index.html" }],
+ headers: [
+ {
+ // Ensure index.html is never cached
+ source: "index.html",
+ headers: [
+ {
+ key: "Cache-Control",
+ value: "no-cache, no-store, max-age=0",
+ },
+ ],
+ },
+ {
+ // Allow long-term caching for hashed assets
+ source: "assets/**",
+ headers: [
+ {
+ key: "Cache-Control",
+ value: "public, max-age=31536000, immutable",
+ },
+ ],
+ },
+ ],
+};
+const requestHandler = (request, response) => {
return handler(request, response, handlerOptions);
-});
+};
+
+const port = process.env.CLIENT_PORT || 6274;
+const INSPECTOR_SSL_CERT_PATH = process.env.INSPECTOR_SSL_CERT_PATH;
+const INSPECTOR_SSL_KEY_PATH = process.env.INSPECTOR_SSL_KEY_PATH;
+
+let server;
+
+if (INSPECTOR_SSL_CERT_PATH && INSPECTOR_SSL_KEY_PATH) {
+ // HTTPS server
+ try {
+ const options = {
+ cert: fs.readFileSync(INSPECTOR_SSL_CERT_PATH),
+ key: fs.readFileSync(INSPECTOR_SSL_KEY_PATH)
+ };
+ server = https.createServer(options, requestHandler);
+ server.on("listening", () => {
+ console.log(
+ `š MCP Inspector is up and running at https://127.0.0.1:${port} šš`,
+ );
+ });
+ } catch (error) {
+ console.error(`ā Failed to load SSL certificates: ${error instanceof Error ? error.message : String(error)}`);
+ console.log(`š Falling back to HTTP mode`);
+ server = http.createServer(requestHandler);
+ server.on("listening", () => {
+ console.log(
+ `š MCP Inspector is up and running at http://127.0.0.1:${port} š (SSL fallback)`,
+ );
+ });
+ }
+} else {
+ // HTTP server (default)
+ if (!INSPECTOR_SSL_CERT_PATH && !INSPECTOR_SSL_KEY_PATH) {
+ console.log(`š No SSL certificates configured - using HTTP`);
+ console.log(`š” To enable HTTPS, set INSPECTOR_SSL_CERT_PATH and INSPECTOR_SSL_KEY_PATH environment variables`);
+ } else {
+ console.log(`ā ļø Incomplete SSL configuration:`);
+ if (!INSPECTOR_SSL_CERT_PATH) console.log(` Missing INSPECTOR_SSL_CERT_PATH`);
+ if (!INSPECTOR_SSL_KEY_PATH) console.log(` Missing INSPECTOR_SSL_KEY_PATH`);
+ console.log(`š Using HTTP mode`);
+ }
+
+ server = http.createServer(requestHandler);
+ server.on("listening", () => {
+ console.log(
+ `š MCP Inspector is up and running at http://127.0.0.1:${port} š`,
+ );
+ });
+}
-const port = parseInt(process.env.CLIENT_PORT || "6274", 10);
+// Parse port and host from environment
+const parsedPort = parseInt(process.env.CLIENT_PORT || "6274", 10);
const host = process.env.HOST || "localhost";
+
+// Override the port variable to use parsed version
+const port = parsedPort;
+
server.on("listening", () => {
- const url = process.env.INSPECTOR_URL || `http://${host}:${port}`;
+ const protocol = (INSPECTOR_SSL_CERT_PATH && INSPECTOR_SSL_KEY_PATH) ? "https" : "http";
+ const url = process.env.INSPECTOR_URL || `${protocol}://${host}:${port}`;
console.log(`\nš MCP Inspector is up and running at:\n ${url}\n`);
if (process.env.MCP_AUTO_OPEN_ENABLED !== "false") {
console.log(`š Opening browser...`);
diff --git a/client/bin/start.js b/client/bin/start.js
index 70ca046e..bb1a5156 100755
--- a/client/bin/start.js
+++ b/client/bin/start.js
@@ -15,7 +15,8 @@ function delay(ms) {
function getClientUrl(port, authDisabled, sessionToken, serverPort) {
const host = process.env.HOST || "localhost";
- const baseUrl = `http://${host}:${port}`;
+ const protocol = (process.env.INSPECTOR_SSL_CERT_PATH && process.env.INSPECTOR_SSL_KEY_PATH) ? "https" : "http";
+ const baseUrl = `${protocol}://${host}:${port}`;
const params = new URLSearchParams();
if (serverPort && serverPort !== DEFAULT_MCP_PROXY_LISTEN_PORT) {
@@ -42,6 +43,8 @@ async function startDevServer(serverOptions) {
CLIENT_PORT,
MCP_PROXY_TOKEN: sessionToken,
MCP_ENV_VARS: JSON.stringify(envVars),
+ INSPECTOR_SSL_CERT_PATH: process.env.INSPECTOR_SSL_CERT_PATH,
+ INSPECTOR_SSL_KEY_PATH: process.env.INSPECTOR_SSL_KEY_PATH,
},
signal: abort.signal,
echoOutput: true,
@@ -128,7 +131,12 @@ async function startDevClient(clientOptions) {
const client = spawn(clientCommand, clientArgs, {
cwd: resolve(__dirname, ".."),
- env: { ...process.env, CLIENT_PORT },
+ env: {
+ ...process.env,
+ CLIENT_PORT,
+ INSPECTOR_SSL_CERT_PATH: process.env.INSPECTOR_SSL_CERT_PATH,
+ INSPECTOR_SSL_KEY_PATH: process.env.INSPECTOR_SSL_KEY_PATH
+ },
signal: abort.signal,
echoOutput: true,
});
diff --git a/client/vite.config.ts b/client/vite.config.ts
index fa817c7b..00ba894f 100644
--- a/client/vite.config.ts
+++ b/client/vite.config.ts
@@ -1,12 +1,17 @@
import react from "@vitejs/plugin-react";
import path from "path";
import { defineConfig } from "vite";
+import fs from "fs";
// https://vitejs.dev/config/
export default defineConfig({
plugins: [react()],
server: {
host: true,
+ https: process.env.INSPECTOR_SSL_CERT_PATH && process.env.INSPECTOR_SSL_KEY_PATH ? {
+ key: fs.readFileSync(process.env.INSPECTOR_SSL_KEY_PATH),
+ cert: fs.readFileSync(process.env.INSPECTOR_SSL_CERT_PATH)
+ } : false,
},
resolve: {
alias: {
diff --git a/generate-ssl.sh b/generate-ssl.sh
new file mode 100755
index 00000000..c62fa537
--- /dev/null
+++ b/generate-ssl.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# MCP Inspector SSL Certificate Generator
+# This script generates SSL certificates for local HTTPS development
+
+set -e
+
+echo "š Generating SSL certificates for MCP Inspector..."
+
+# Check if mkcert is installed
+if ! command -v mkcert &> /dev/null; then
+ echo "ā mkcert not found. Installing..."
+
+ # Detect OS and install mkcert
+ if [[ "$OSTYPE" == "darwin"* ]]; then
+ # macOS
+ if ! command -v brew &> /dev/null; then
+ echo "ā Homebrew not found. Please install Homebrew first: https://brew.sh"
+ exit 1
+ fi
+ brew install mkcert
+ elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ # Linux
+ if command -v apt-get &> /dev/null; then
+ sudo apt-get update && sudo apt-get install -y mkcert
+ elif command -v dnf &> /dev/null; then
+ sudo dnf install -y mkcert
+ elif command -v pacman &> /dev/null; then
+ sudo pacman -S mkcert
+ elif command -v zypper &> /dev/null; then
+ sudo zypper install mkcert
+ else
+ echo "ā Package manager not found. Please install mkcert manually: https://github.com/FiloSottile/mkcert"
+ exit 1
+ fi
+ elif [[ "$OSTYPE" == "msys" || "$OSTYPE" == "cygwin" ]]; then
+ # Windows (Git Bash/WSL)
+ if command -v choco &> /dev/null; then
+ choco install mkcert
+ elif command -v scoop &> /dev/null; then
+ scoop install mkcert
+ else
+ echo "ā Neither Chocolatey nor Scoop found. Please install one of them or install mkcert manually:"
+ echo " Chocolatey: https://chocolatey.org"
+ echo " Scoop: https://scoop.sh"
+ echo " mkcert: https://github.com/FiloSottile/mkcert"
+ exit 1
+ fi
+ else
+ echo "ā Unsupported OS: $OSTYPE"
+ echo "Please install mkcert manually: https://github.com/FiloSottile/mkcert"
+ exit 1
+ fi
+fi
+
+# Create ssl directory if it doesn't exist
+mkdir -p ssl
+
+# Generate certificates
+echo "š Generating certificates for localhost and 127.0.0.1..."
+mkcert -key-file ssl/key.pem -cert-file ssl/cert.pem localhost 127.0.0.1
+
+# Set permissions
+chmod 600 ssl/key.pem
+chmod 644 ssl/cert.pem
+
+echo "ā
SSL certificates generated successfully!"
+echo ""
+echo "š To use HTTPS, set these environment variables:"
+echo "export INSPECTOR_SSL_CERT_PATH=$(pwd)/ssl/cert.pem"
+echo "export INSPECTOR_SSL_KEY_PATH=$(pwd)/ssl/key.pem"
+echo ""
+echo "š” To avoid browser warnings, run: sudo mkcert -install"
+echo ""
+echo "š Start the inspector with: npm run dev"
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index ce3b7ba7..0de6103b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -17,7 +17,7 @@
"@modelcontextprotocol/inspector-cli": "^0.15.0",
"@modelcontextprotocol/inspector-client": "^0.15.0",
"@modelcontextprotocol/inspector-server": "^0.15.0",
- "@modelcontextprotocol/sdk": "^1.13.1",
+ "@modelcontextprotocol/sdk": "^1.15.0",
"concurrently": "^9.0.1",
"open": "^10.1.0",
"shell-quote": "^1.8.2",
@@ -37,6 +37,9 @@
"prettier": "3.3.3",
"rimraf": "^6.0.1",
"typescript": "^5.4.2"
+ },
+ "engines": {
+ "node": ">=22.7.5"
}
},
"cli": {
@@ -2006,15 +2009,17 @@
"link": true
},
"node_modules/@modelcontextprotocol/sdk": {
- "version": "1.13.1",
- "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.13.1.tgz",
- "integrity": "sha512-8q6+9aF0yA39/qWT/uaIj6zTpC+Qu07DnN/lb9mjoquCJsAh6l3HyYqc9O3t2j7GilseOQOQimLg7W3By6jqvg==",
+ "version": "1.15.0",
+ "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.15.0.tgz",
+ "integrity": "sha512-67hnl/ROKdb03Vuu0YOr+baKTvf1/5YBHBm9KnZdjdAh8hjt4FRCPD5ucwxGB237sBpzlqQsLy1PFu7z/ekZ9Q==",
+ "license": "MIT",
"dependencies": {
"ajv": "^6.12.6",
"content-type": "^1.0.5",
"cors": "^2.8.5",
"cross-spawn": "^7.0.5",
"eventsource": "^3.0.2",
+ "eventsource-parser": "^3.0.0",
"express": "^5.0.1",
"express-rate-limit": "^7.5.0",
"pkce-challenge": "^5.0.0",
diff --git a/package.json b/package.json
index 5d5fe52f..cd8f2d24 100644
--- a/package.json
+++ b/package.json
@@ -47,7 +47,7 @@
"@modelcontextprotocol/inspector-cli": "^0.15.0",
"@modelcontextprotocol/inspector-client": "^0.15.0",
"@modelcontextprotocol/inspector-server": "^0.15.0",
- "@modelcontextprotocol/sdk": "^1.13.1",
+ "@modelcontextprotocol/sdk": "^1.15.0",
"concurrently": "^9.0.1",
"open": "^10.1.0",
"shell-quote": "^1.8.2",
diff --git a/server/src/index.ts b/server/src/index.ts
index 971cf158..92c4ccb1 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -3,6 +3,8 @@
import cors from "cors";
import { parseArgs } from "node:util";
import { parse as shellParseArgs } from "shell-quote";
+import https from "https";
+import fs from "fs";
import {
SSEClientTransport,
@@ -105,9 +107,11 @@ const originValidationMiddleware = (
// Default origins based on CLIENT_PORT or use environment variable
const clientPort = process.env.CLIENT_PORT || "6274";
- const defaultOrigin = `http://localhost:${clientPort}`;
+ const defaultHttpOrigin = `http://localhost:${clientPort}`;
+ const defaultHttpsOrigin = `https://localhost:${clientPort}`;
const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(",") || [
- defaultOrigin,
+ defaultHttpOrigin,
+ defaultHttpsOrigin,
];
if (origin && !allowedOrigins.includes(origin)) {
@@ -535,20 +539,79 @@ const PORT = parseInt(
);
const HOST = process.env.HOST || "localhost";
-const server = app.listen(PORT, HOST);
-server.on("listening", () => {
- console.log(`āļø Proxy server listening on ${HOST}:${PORT}`);
- if (!authDisabled) {
- console.log(
- `š Session token: ${sessionToken}\n ` +
- `Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth`,
- );
+// HTTPS configuration
+const INSPECTOR_SSL_CERT_PATH = process.env.INSPECTOR_SSL_CERT_PATH;
+const INSPECTOR_SSL_KEY_PATH = process.env.INSPECTOR_SSL_KEY_PATH;
+
+let server;
+
+if (INSPECTOR_SSL_CERT_PATH && INSPECTOR_SSL_KEY_PATH) {
+ // HTTPS server
+ try {
+ const options = {
+ cert: fs.readFileSync(INSPECTOR_SSL_CERT_PATH),
+ key: fs.readFileSync(INSPECTOR_SSL_KEY_PATH)
+ };
+ server = https.createServer(options, app);
+ server.listen(PORT, HOST);
+ server.on("listening", () => {
+ console.log(`āļø Proxy server listening on https://${HOST}:${PORT} š`);
+ if (!authDisabled) {
+ console.log(
+ `š Session token: ${sessionToken}\n ` +
+ `Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth`,
+ );
+ } else {
+ console.log(
+ `ā ļø WARNING: Authentication is disabled. This is not recommended.`,
+ );
+ }
+ });
+ } catch (error) {
+ console.error(`ā Failed to load SSL certificates: ${error instanceof Error ? error.message : String(error)}`);
+ console.log(`š Falling back to HTTP mode`);
+ server = app.listen(PORT, HOST);
+ server.on("listening", () => {
+ console.log(`āļø Proxy server listening on http://${HOST}:${PORT} (SSL fallback)`);
+ if (!authDisabled) {
+ console.log(
+ `š Session token: ${sessionToken}\n ` +
+ `Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth`,
+ );
+ } else {
+ console.log(
+ `ā ļø WARNING: Authentication is disabled. This is not recommended.`,
+ );
+ }
+ });
+ }
+} else {
+ // HTTP server (default)
+ if (!INSPECTOR_SSL_CERT_PATH && !INSPECTOR_SSL_KEY_PATH) {
+ console.log(`š No SSL certificates configured - using HTTP`);
+ console.log(`š” To enable HTTPS, set INSPECTOR_SSL_CERT_PATH and INSPECTOR_SSL_KEY_PATH environment variables`);
} else {
- console.log(
- `ā ļø WARNING: Authentication is disabled. This is not recommended.`,
- );
+ console.log(`ā ļø Incomplete SSL configuration:`);
+ if (!INSPECTOR_SSL_CERT_PATH) console.log(` Missing INSPECTOR_SSL_CERT_PATH`);
+ if (!INSPECTOR_SSL_KEY_PATH) console.log(` Missing INSPECTOR_SSL_KEY_PATH`);
+ console.log(`š Using HTTP mode`);
}
-});
+
+ server = app.listen(PORT, HOST);
+ server.on("listening", () => {
+ console.log(`āļø Proxy server listening on http://${HOST}:${PORT}`);
+ if (!authDisabled) {
+ console.log(
+ `š Session token: ${sessionToken}\n ` +
+ `Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth`,
+ );
+ } else {
+ console.log(
+ `ā ļø WARNING: Authentication is disabled. This is not recommended.`,
+ );
+ }
+ });
+}
server.on("error", (err) => {
if (err.message.includes(`EADDRINUSE`)) {
console.error(`ā Proxy Server PORT IS IN USE at port ${PORT} ā `);