security: add request body size limit to prevent DoS

Add MaxRequestSize configuration to HTTPConfig with a default of 1MB.
Use http.MaxBytesReader to enforce the limit, returning 413 Request
Entity Too Large when exceeded.

This prevents memory exhaustion attacks where an attacker sends
arbitrarily large request bodies.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

internal/mcp/transport_http.go

@@ -19,8 +19,14 @@ type HTTPConfig struct {
 	SessionTTL     time.Duration // Session TTL (default: 30 minutes)
 	TLSCertFile    string        // TLS certificate file (optional)
 	TLSKeyFile     string        // TLS key file (optional)
+	MaxRequestSize int64         // Maximum request body size in bytes (default: 1MB)
 }
 
+const (
+	// DefaultMaxRequestSize is the default maximum request body size (1MB).
+	DefaultMaxRequestSize = 1 << 20 // 1MB
+)
+
 // HTTPTransport implements the MCP Streamable HTTP transport.
 type HTTPTransport struct {
 	server   *Server
@@ -39,6 +45,9 @@ func NewHTTPTransport(server *Server, config HTTPConfig) *HTTPTransport {
 	if config.SessionTTL == 0 {
 		config.SessionTTL = 30 * time.Minute
 	}
+	if config.MaxRequestSize == 0 {
+		config.MaxRequestSize = DefaultMaxRequestSize
+	}
 
 	return &HTTPTransport{
 		server:   server,
@@ -113,9 +122,17 @@ func (t *HTTPTransport) handleMCP(w http.ResponseWriter, r *http.Request) {
 
 // handlePost handles JSON-RPC requests.
 func (t *HTTPTransport) handlePost(w http.ResponseWriter, r *http.Request) {
+	// Limit request body size to prevent memory exhaustion attacks
+	r.Body = http.MaxBytesReader(w, r.Body, t.config.MaxRequestSize)
+
 	// Read request body
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
+		// Check if this is a size limit error
+		if err.Error() == "http: request body too large" {
+			http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
+			return
+		}
 		http.Error(w, "Failed to read request body", http.StatusBadRequest)
 		return
 	}