Configure the server origin
When baseUrl is set (via the MCPServer constructor or the MCP_URL environment variable), mcp-use automatically configures CSP:
- Widget URLs use the correct domain
- CSP includes your server domain
- Works behind proxies and custom domains
connectDomains, resourceDomains, and baseUriDomains, so you don’t need to add it manually.
Add domains for one widget
For widgets that need additional domains (APIs, CDNs, etc.), configure CSP in your widget metadata. For file-based widgets, declare CSP with camelCase keys in metadata.csp on your exported widgetMetadata:
Your CSP domains are merged with your server’s base URL automatically. For ChatGPT, OpenAI’s required domains are also added. Use Apps SDK compatibility for ChatGPT-specific host extensions.
Add domains for every widget
Use CSP_URLS when every widget needs the same extra domains.
- MCP_URL: Base URL for widget assets and public files. Also used by the server to configure CSP.
- CSP_URLS: (Optional) Additional domains to whitelist. Supports a comma-separated list. Required for static deployments where widget assets are served from different domains.
Static deployments
When widgets are served from static storage while the MCP server runs elsewhere, configure both origins:
- MCP_URL: Where widget assets are stored
- MCP_SERVER_URL: Where the MCP server runs (for API calls)
- CSP_URLS: Domains for storage and API access
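A pre-deploy check for the three static-deployment variables listed above, as an added example that is not part of mcp-use. It assumes CSP_URLS entries are origins or bare hostnames and, following the list above, expects CSP_URLS to name both the storage and the server origin; the function names and example.com values are constructed for illustration.

```javascript
// Added example (not mcp-use code): lint MCP_URL, MCP_SERVER_URL and CSP_URLS.
// Assumption: CSP_URLS entries are origins or bare hostnames, comma-separated.

// Reduce one entry to its origin; a bare hostname is treated as https.
function toOrigin(entry) {
  const value = entry.trim();
  if (!value) return null;
  try {
    const url = new URL(value.includes("://") ? value : `https://${value}`);
    return url.origin === "null" ? null : url.origin;
  } catch {
    return null;
  }
}

// Return the parsed allow list plus findings worth fixing before deploy.
function lintCspEnv(env) {
  const findings = [];
  const allowed = new Set();
  for (const raw of (env.CSP_URLS || "").split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    const origin = toOrigin(entry);
    if (entry.includes("*")) {
      findings.push(`CSP_URLS: wildcard entry ${entry}, list exact origins`);
    } else if (!origin) {
      findings.push(`CSP_URLS: cannot parse ${entry}`);
    } else {
      if (origin.startsWith("http://")) findings.push(`CSP_URLS: ${origin} is not https`);
      allowed.add(origin);
    }
  }
  // Both origins of a static deployment should be covered by CSP_URLS.
  for (const name of ["MCP_URL", "MCP_SERVER_URL"]) {
    const origin = toOrigin(env[name] || "");
    if (!origin) findings.push(`${name}: missing or not a valid URL`);
    else if (!allowed.has(origin)) findings.push(`${name}: ${origin} is not in CSP_URLS`);
  }
  return { allowed: [...allowed].sort(), findings };
}

// Constructed sample values, not taken from the page.
const sampleEnv = {
  MCP_URL: "https://assets.example.com/widgets",
  MCP_SERVER_URL: "https://mcp.example.com",
  CSP_URLS: "https://assets.example.com, http://api.example.com, *.cdn.example.com",
};
console.log(lintCspEnv(sampleEnv));
```

Run it in CI with `lintCspEnv(process.env)` and fail the build when `findings` is non-empty.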
Verify CSP
The mcp-use Inspector provides a CSP Mode Toggle for testing:
- Permissive: Relaxed CSP for debugging
- Widget-Declared: Enforces the widget’s declared CSP (production-like)
Next Steps
- MCP Apps: Widget overview and routing
- Apps SDK compatibility: ChatGPT compatibility and host extensions
- Supabase Deployment: Static deployment with CSP