Harden HTTP defaults and improve stop-server fallback

[dsarno]

Summary

• enforce safer defaults for HTTP endpoints (LAN bind and insecure remote HTTP now explicit opt-ins)
• centralize URL policy checks and apply them in launch/start flows
• improve local server stop behavior when pidfile PID is stale by falling back to guarded heuristics
• add/update characterization tests for policy gating and URL normalization
• add a README Security section documenting these defaults

Issue Coverage

• Addresses most hardening requests from Security risks detected by Codex CoplayDev/unity-mcp#750

Validation

• Unity EditMode: 646 total, 0 failed
• Python pytest: 666 passed

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR introduces HTTP endpoint security policies with scope-aware URL normalization, enabling opt-in controls for LAN HTTP binding and insecure remote HTTP. New validation helpers enforce security policies across server management, transport initialization, and UI components, with settings persisted in EditorPrefs.

Changes

Cohort / File(s)	Summary
Security Configuration MCPForUnity/Editor/Constants/EditorPrefKeys.cs, MCPForUnity/Editor/Windows/EditorPrefs/EditorPrefsWindow.cs	Added two new EditorPrefKeys constants (AllowLanHttpBind, AllowInsecureRemoteHttp) and registered them as boolean types in the EditorPrefs window mapping.
HTTP Endpoint Policy & Validation MCPForUnity/Editor/Helpers/HttpEndpointUtility.cs	Introduced scope-aware URL normalization via remoteScope parameter; added public policy helpers (AllowLanHttpBind(), AllowInsecureRemoteHttp(), IsLoopbackHost(), IsBindAllInterfacesHost()); added URL validation methods (IsHttpLocalUrlAllowedForLaunch(), IsRemoteUrlAllowed(), IsCurrentRemoteUrlAllowed(), GetHttpLocalHostRequirementText()).
Server Management & Validation MCPForUnity/Editor/Services/ServerCommandBuilder.cs, MCPForUnity/Editor/Services/ServerManagementService.cs, MCPForUnity/Editor/Services/IServerManagementService.cs	Replaced local URL validation with HttpEndpointUtility.IsHttpLocalUrlAllowedForLaunch(); expanded IsLocalUrl() to use utility helpers; added policy checks in CanStartLocalServer(); enhanced StopLocalHttpServerInternal() logging for stale handshake and validation failures; updated XML documentation.
Transport Remote URL Enforcement MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs	Added pre-check in StartAsync() to validate remote URL against security policy before initialization.
Advanced Settings UI MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.cs, MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.uxml	Added two new UI toggles (allow-lan-http-bind-toggle, allow-insecure-remote-http-toggle) with state management, tooltips, EditorPrefs persistence, and event wiring for configuration updates.
Connection Section Policy Integration MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs	Integrated policy checks for remote and local URLs; added dynamic tooltips reflecting policy errors; enforced policy validation before server startup and session connection.
Event Flow Integration MCPForUnity/Editor/Windows/MCPForUnityEditorWindow.cs	Modified OnHttpServerCommandUpdateRequested() to trigger both UpdateHttpServerCommandDisplay() and UpdateConnectionStatus() sequentially.
Test Coverage Expansion TestProjects/UnityMCPTests/Assets/Tests/EditMode/Services/Characterization/ServerManagementServiceCharacterizationTests.cs	Added setup/teardown for new EditorPrefs; updated IsLocalUrl_IPv6Loopback expectation; introduced new test cases for CanStartLocalServer, remote URL policy validation, and local URL launch permission checks with opt-in scenarios.

Sequence Diagram

sequenceDiagram
    participant UI as User/UI
    participant McpConn as McpConnectionSection
    participant McpAdv as McpAdvancedSection
    participant Prefs as EditorPrefs
    participant Util as HttpEndpointUtility
    participant Server as ServerManagementService
    participant Transport as WebSocketTransportClient

    UI->>McpAdv: Toggle AllowLanHttpBind/AllowInsecureRemoteHttp
    McpAdv->>Prefs: Save toggle state
    McpAdv->>McpConn: OnHttpServerCommandUpdateRequested

    UI->>McpConn: Click Start Server/Connect
    McpConn->>Util: IsHttpLocalUrlAllowedForLaunch(url)
    Util->>Prefs: Read AllowLanHttpBind
    Util-->>McpConn: Result + error message
    
    alt Local URL Allowed
        McpConn->>Server: CanStartLocalServer()
        Server->>Util: IsHttpLocalUrlAllowedForLaunch(url)
        Util->>Prefs: Read AllowLanHttpBind
        Util-->>Server: true/false
        Server-->>McpConn: true/false
        McpConn->>Server: StartLocalHttpServer()
    else Local URL Blocked
        McpConn->>UI: Show error dialog (policy violation)
    end

    UI->>McpConn: Click Connect (Remote)
    McpConn->>Util: IsCurrentRemoteUrlAllowed()
    Util->>Prefs: Read AllowInsecureRemoteHttp
    Util-->>McpConn: Result + error message

    alt Remote URL Allowed
        McpConn->>Transport: StartAsync()
        Transport->>Util: IsCurrentRemoteUrlAllowed()
        Util->>Prefs: Read AllowInsecureRemoteHttp
        Util-->>Transport: true/false
        Transport-->>McpConn: Connected
    else Remote URL Blocked
        Transport->>UI: Log error, set Disconnected state
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Fix local HTTP server lifecycle and TCP connect observation #107: Modifies StopLocalHttpServerInternal() handshake handling and related server lifecycle logging alongside this PR's enhancements to the same method.
• Http improvements #108: Shares modifications to ServerManagementService and WebSocketTransportClient alongside this PR's HTTP security policy additions and EditorPref keys.

Suggested labels

codex

Poem

🐰 A rabbit hops through HTTP streams,
With policies now guarding dreams,
LAN binds and remote HTTPS bright,
Security checks make all things right! 🔐✨

🚥 Pre-merge checks | ✅ 1 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.55% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (13 files): ⚔️ MCPForUnity/Editor/Constants/EditorPrefKeys.cs (content) ⚔️ MCPForUnity/Editor/Helpers/HttpEndpointUtility.cs (content) ⚔️ MCPForUnity/Editor/Services/IServerManagementService.cs (content) ⚔️ MCPForUnity/Editor/Services/Server/ServerCommandBuilder.cs (content) ⚔️ MCPForUnity/Editor/Services/ServerManagementService.cs (content) ⚔️ MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs (content) ⚔️ MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.cs (content) ⚔️ MCPForUnity/Editor/Windows/Components/Advanced/McpAdvancedSection.uxml (content) ⚔️ MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs (content) ⚔️ MCPForUnity/Editor/Windows/EditorPrefs/EditorPrefsWindow.cs (content) ⚔️ MCPForUnity/Editor/Windows/MCPForUnityEditorWindow.cs (content) ⚔️ MCPForUnity/package.json (content) ⚔️ TestProjects/UnityMCPTests/Assets/Tests/EditMode/Services/Characterization/ServerManagementServiceCharacterizationTests.cs (content) These conflicts must be resolved before merging into beta.	Resolve conflicts locally and push changes to this branch.
Description check	❓ Inconclusive	The PR description lacks the structured format required by the template, missing critical sections like Type of Change, explicit Changes Made list, Testing/Screenshots section, and Documentation Updates checklist.	Reorganize the description to follow the template structure: add explicit Type of Change, detailed Changes Made section, Testing/Screenshots section with test results formatted as evidence, and complete the Documentation Updates checklist indicating whether docs were updated per the security hardening.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: hardening HTTP defaults and improving server stop-server fallback logic, which aligns with the PR's core objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/fix/issue-750-security-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dsarno]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[greptile-apps]

Greptile Overview

Greptile Summary

Hardens HTTP endpoint security by implementing safer defaults and explicit opt-in mechanisms for potentially risky configurations. The PR centralizes URL policy validation in HttpEndpointUtility and applies these checks consistently across launch flows, connection establishment, and UI state management.

Key security improvements:

• HTTP Remote now defaults to HTTPS when users omit the scheme, preventing accidental plaintext transport
• LAN binding (0.0.0.0/::) for HTTP Local requires explicit opt-in via Advanced Settings (disabled by default)
• Insecure HTTP/WS for remote endpoints requires explicit opt-in (HTTPS/WSS required by default)
• IPv6 loopback (::1) now properly recognized as a safe local address

Server management improvements:

• Enhanced local server stop logic to detect and handle stale pidfiles gracefully
• When pidfile PID is no longer the active listener, the system now falls back to guarded port-based heuristics instead of failing
• Better error messages guide users toward enabling security opt-ins when needed

Test coverage:

• 11 new characterization tests validate security policy enforcement, URL normalization defaults, and opt-in behavior
• All tests passing (645 Unity EditMode, 666 Python pytest)

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it improves security posture through defense-in-depth and has excellent test coverage
• The changes follow secure-by-default principles, are well-tested with comprehensive characterization tests, and all validation passes. The implementation is defensive (fail-closed), backwards-compatible for existing safe configurations, and includes clear user guidance for opt-in scenarios
• No files require special attention - all changes are well-structured and properly tested

Important Files Changed

Filename	Overview
MCPForUnity/Editor/Helpers/HttpEndpointUtility.cs	Centralized HTTP security policy enforcement with new validation methods for local/remote URLs, added host detection helpers, and improved URL normalization to default remote URLs to HTTPS
MCPForUnity/Editor/Services/ServerManagementService.cs	Improved server stop behavior by falling back to port-based heuristics when pidfile PID is stale, updated IsLocalUrl() to use centralized helpers, and enhanced CanStartLocalServer() with security policy validation
MCPForUnity/Editor/Services/Transport/Transports/WebSocketTransportClient.cs	Added remote URL security policy check in ConnectAsync() to validate URLs before establishing WebSocket connections
MCPForUnity/Editor/Windows/Components/Connection/McpConnectionSection.cs	Enhanced UI to display security policy errors, disable buttons when URLs violate policies, and add validation checks before starting sessions or servers
TestProjects/UnityMCPTests/Assets/Tests/EditMode/Services/Characterization/ServerManagementServiceCharacterizationTests.cs	Added comprehensive characterization tests for new security policies including URL validation, default scheme behavior, and opt-in requirements; fixed IPv6 loopback expectation

Sequence Diagram

sequenceDiagram
    participant User
    participant UI as McpConnectionSection
    participant Util as HttpEndpointUtility
    participant Server as ServerManagementService
    participant WS as WebSocketTransportClient

    Note over User,WS: HTTP Local Launch Flow
    User->>UI: Click "Start Server"
    UI->>Util: IsHttpLocalUrlAllowedForLaunch(url)
    Util->>Util: IsLoopbackHost(host)?
    alt Loopback (localhost/127.0.0.1/::1)
        Util-->>UI: Allowed ✓
    else Bind-all (0.0.0.0/::)
        Util->>Util: AllowLanHttpBind()?
        alt Opt-in disabled
            Util-->>UI: Blocked ✗ (security policy)
            UI->>User: Show error dialog
        else Opt-in enabled
            Util-->>UI: Allowed ✓
        end
    end
    UI->>Server: StartLocalHttpServer()
    Server->>Server: Launch process

    Note over User,WS: HTTP Remote Connection Flow
    User->>UI: Click "Start Session" (HTTP Remote)
    UI->>Util: IsCurrentRemoteUrlAllowed()
    Util->>Util: Parse URL scheme
    alt HTTPS scheme
        Util-->>UI: Allowed ✓
    else HTTP scheme
        Util->>Util: AllowInsecureRemoteHttp()?
        alt Opt-in disabled
            Util-->>UI: Blocked ✗ (requires HTTPS)
            UI->>User: Show error dialog
        else Opt-in enabled
            Util-->>UI: Allowed ✓
        end
    end
    UI->>WS: ConnectAsync()
    WS->>Util: IsCurrentRemoteUrlAllowed()
    Util-->>WS: Validate again
    WS->>WS: Establish connection

    Note over Server: Server Stop with Stale PID
    Server->>Server: StopLocalHttpServer(port)
    Server->>Server: Read pidfile
    Server->>Server: Validate PID identity
    alt PID not active listener
        Server->>Server: Delete stale pidfile
        Server->>Server: Fall back to port heuristics
        Server->>Server: Stop actual listener
    else PID is listener but validation fails
        Server->>Server: Fail closed (refuse stop)
    end

Loading

_{Last reviewed commit: f423605}

[greptile-apps]

_{12 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}