From a79d0c0f115f1d9283c096025e46420a6ffbf852 Mon Sep 17 00:00:00 2001
From: Tobias Nyholm <tobias.nyholm@gmail.com>
Date: Sat, 22 Nov 2025 22:31:07 +0100
Subject: [PATCH] Tell clients that they are allowed to use Mcp-Session-Id
 header

---
 src/Server/Transport/StreamableHttpTransport.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Server/Transport/StreamableHttpTransport.php b/src/Server/Transport/StreamableHttpTransport.php
index 32a2058..b9f088d 100644
--- a/src/Server/Transport/StreamableHttpTransport.php
+++ b/src/Server/Transport/StreamableHttpTransport.php
@@ -57,6 +57,7 @@ public function __construct(
             'Access-Control-Allow-Origin' => '*',
             'Access-Control-Allow-Methods' => 'GET, POST, DELETE, OPTIONS',
             'Access-Control-Allow-Headers' => 'Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, Authorization, Accept',
+            'Access-Control-Expose-Headers' => 'Mcp-Session-Id',
         ], $corsHeaders);
     }