fix: 移除 DNS rebinding 防御（Bearer token 认证已足够）

src/server/app.ts

@@ -8,7 +8,6 @@ import { config } from '../config/index.js';
 import { BrowserManager, browserManager } from '../browser/manager.js';
 import { logger } from '../utils/logger.js';
 import {
-  dnsRebindingGuard,
   shutdownGuard,
   errorHandler,
   bearerAuth,
@@ -88,7 +87,6 @@ export class AppServer {
     this.app.use(express.json());
 
     // 2. Security & availability middleware
-    this.app.use(dnsRebindingGuard);
     this.app.use(shutdownGuard(() => this.shuttingDown));
 
     // 3. MCP server

src/server/middleware.ts

@@ -12,40 +12,7 @@ import { sanitizeErrorMessage } from '../utils/errors.js';
 // Allowed hosts for DNS rebinding protection
 // ---------------------------------------------------------------------------
 
-const allowedHosts = new Set<string>([
-  '127.0.0.1',
-  'localhost',
-  `127.0.0.1:${config.port}`,
-  `localhost:${config.port}`,
-]);
-
-// ---------------------------------------------------------------------------
-// 1. DNS Rebinding Guard
-// ---------------------------------------------------------------------------
-
-/**
- * Reject requests whose `Host` header does not match an expected localhost
- * value. This prevents DNS rebinding attacks from reaching the service when
- * it is bound to the loopback interface.
- */
-export function dnsRebindingGuard(
-  req: Request,
-  res: Response,
-  next: NextFunction,
-): void {
-  const host = req.headers.host;
-
-  if (!host || !allowedHosts.has(host)) {
-    logger.warn(
-      { host, ip: req.ip, method: req.method, url: req.originalUrl },
-      'DNS rebinding guard: blocked request with disallowed Host header',
-    );
-    res.status(403).json({ error: 'Forbidden' });
-    return;
-  }
-
-  next();
-}
+// DNS rebinding guard removed — Bearer token auth is sufficient
 
 // ---------------------------------------------------------------------------
 // 2. Shutdown Guard (factory)