DnsRebindingProtection

Ktor route-scoped plugin that validates Host and Origin headers to protect against DNS rebinding attacks.

Install on a route to intercept all requests before handlers:

route("/mcp") {
    install(DnsRebindingProtection) {
        allowedHosts = listOf("myapp.com", "localhost")
    }
    // handlers...
}
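
The kind of Host/Origin allowlist check described above, as an added, self-contained example; it is not the plugin's own code. The helper names, the port-insensitive and case-insensitive comparison, and accepting requests that carry no Origin header are assumptions made for illustration.

```kotlin
import java.net.URI

// Hypothetical helper, not part of the plugin: extracts the hostname from a
// Host header value ("myapp.com:8080", "[::1]:3000"), dropping the port.
fun hostnameOf(hostHeader: String): String? {
    val value = hostHeader.trim().lowercase()
    if (value.isEmpty()) return null
    if (value.startsWith("[")) {                      // bracketed IPv6 literal
        val end = value.indexOf(']')
        return if (end > 0) value.substring(0, end + 1) else null
    }
    return value.substringBefore(':').ifEmpty { null }
}

// Hypothetical helper: hostname of an Origin header ("https://myapp.com:443").
// Returns null for the literal "null" origin and for malformed values.
fun originHostname(origin: String): String? =
    runCatching { URI(origin.trim()).host?.lowercase() }.getOrNull()

// True only when Host is on the allowlist and, if an Origin header is present,
// its hostname is on the allowlist too (assumed policy for this example).
fun isRequestAllowed(host: String?, origin: String?, allowedHosts: List<String>): Boolean {
    val allowed = allowedHosts.map { it.lowercase() }.toSet()
    val hostName = host?.let(::hostnameOf) ?: return false   // missing Host: reject
    if (hostName !in allowed) return false
    if (origin == null) return true                          // e.g. non-browser client
    val originName = originHostname(origin) ?: return false
    return originName in allowed
}

fun main() {
    val allowed = listOf("myapp.com", "localhost")           // allowlist from the snippet above
    // Constructed sample requests as (Host, Origin) pairs.
    val samples = listOf(
        "localhost:8080" to null,
        "MyApp.com" to "https://myapp.com",
        "rebind.attacker.example:8080" to "http://rebind.attacker.example:8080",
        "localhost:8080" to "http://rebind.attacker.example",
        "localhost.attacker.example" to null,
    )
    for ((host, origin) in samples) {
        println("Host=$host Origin=$origin -> allowed=${isRequestAllowed(host, origin, allowed)}")
    }
}
```

The last sample shows why the comparison is an exact match on the parsed hostname and not a prefix or substring test.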