corsOrigins property

List<String> corsOrigins
final

Allowed CORS origins for HTTP transport.

Only used when transport is McpTransport.http and generateMcp is true. Controls which origins can make requests to the MCP server.

For production deployments, restrict this to specific origins to prevent CSRF attacks. For local development, '*' allows all origins.

Example:

@Server(
  transport: McpTransport.http,
  corsOrigins: ['https://myapp.example.com', 'https://admin.example.com'],
)

Defaults to '*' for backward compatibility.

Implementation

final List<String> corsOrigins;