Add HTTPS support for secure local development #482
Conversation
- Implement HTTPS server support for both client and proxy server - Add INSPECTOR_SSL_CERT_PATH and INSPECTOR_SSL_KEY_PATH environment variables - Include fallback to HTTP when SSL certificates are missing or invalid - Add cross-platform SSL certificate generation script - Update documentation with HTTPS configuration instructions
| Hi, I see that you have a test plan listed, did you actually test this yet or should it still be in draft mode? |
I've tested everything except the multi-platform aspects. |
| Hi @bbn! This looks exciting, but needs conflicts resolved. There have been a bunch of changes with regard to the URL and the |
cliffhall added the waiting on submitter | Hi @cliffhall ! I brought everything up to date. |
- Fix URL generation to use https:// protocol when SSL certificates are configured - Add HTTPS support to Vite dev server configuration - Pass SSL environment variables to client and server processes - Update MCP SDK to v1.13.1 to fix missing OAuth export
| It looks like you merged main, but there are changes in your PR that do not align with the current impl on main. I don't think your code is fully taking into account the MCP_PROXY_AUTH_TOKEN changes From your changes What is currently being shown |
| INSPECTOR_SSL_CERT_PATH: process.env.INSPECTOR_SSL_CERT_PATH, | ||
| INSPECTOR_SSL_KEY_PATH: process.env.INSPECTOR_SSL_KEY_PATH |
There was a problem hiding this comment.
If you have just spread process.env above, does it make any sense to explicitly spread these two variables? Will they not be included as part of ...process.env?
| server = http.createServer(requestHandler); | ||
| server.on("listening", () => { | ||
| console.log( | ||
| `🔍 MCP Inspector is up and running at http://127.0.0.1:${port} 🚀`, |
There was a problem hiding this comment.
This isn't right. Please merge main into your branch and resolve conflicts before proceeding.
Run the current version on main to see how this should be displayed. It should be localhost and it should contain the variables including MCP_PROXY_AUTH_KEY and MCP_PROXY_PORT if SERVER_PORT was set in env.
Summary
• Add HTTPS server support for both client UI and proxy server to enable secure local development
• Implement environment variable configuration with
INSPECTOR_SSL_CERT_PATHandINSPECTOR_SSL_KEY_PATH• Include automatic fallback to HTTP when SSL certificates are missing or invalid
• Add cross-platform SSL certificate generation script supporting macOS, Linux, and Windows
Motivation
OAuth flow testing requires digest security libraries that are restricted to HTTPS-only scenarios for security reasons. This enhancement enables proper OAuth testing in the MCP Inspector by providing secure HTTPS endpoints.
Test plan
./generate-ssl.sh