fix(mcp): validate json headers, add domain check, fix empty api key header

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx

@@ -681,7 +681,14 @@ export function MCP({ initialServerId }: MCPProps) {
           return {
             name,
             url: config.url,
-            headers: (config.headers as Record<string, string>) || {},
+            headers:
+              typeof config.headers === 'object' && config.headers !== null
+                ? Object.fromEntries(
+                    Object.entries(config.headers).filter(
+                      (entry): entry is [string, string] => typeof entry[1] === 'string'
+                    )
+                  )
+                : {},
           }
         }
 
@@ -690,7 +697,14 @@ export function MCP({ initialServerId }: MCPProps) {
           return {
             name: '',
             url: parsed.url,
-            headers: (parsed.headers as Record<string, string>) || {},
+            headers:
+              typeof parsed.headers === 'object' && parsed.headers !== null
+                ? Object.fromEntries(
+                    Object.entries(parsed.headers).filter(
+                      (entry): entry is [string, string] => typeof entry[1] === 'string'
+                    )
+                  )
+                : {},
           }
         }
 
@@ -718,6 +732,11 @@ export function MCP({ initialServerId }: MCPProps) {
       return
     }
 
+    if (!isDomainAllowed(config.url, allowedMcpDomains)) {
+      setJsonError('Domain not permitted by server policy')
+      return
+    }
+
     setIsAddingServer(true)
     try {
       const serverConfig = {
@@ -758,7 +777,15 @@ export function MCP({ initialServerId }: MCPProps) {
     } finally {
       setIsAddingServer(false)
     }
-  }, [jsonInput, parseJsonConfig, testConnection, createServerMutation, workspaceId, resetForm])
+  }, [
+    jsonInput,
+    parseJsonConfig,
+    testConnection,
+    createServerMutation,
+    workspaceId,
+    resetForm,
+    allowedMcpDomains,
+  ])
 
   /**
    * Opens the delete confirmation dialog for an MCP server.
@@ -1620,6 +1647,10 @@ export function MCP({ initialServerId }: MCPProps) {
                           )
                           return
                         }
+                        if (!isDomainAllowed(config.url, allowedMcpDomains)) {
+                          setJsonError('Domain not permitted by server policy')
+                          return
+                        }
                         testConnection({
                           name: config.name,
                           transport: 'streamable-http',

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/workflow-mcp-servers/workflow-mcp-servers.tsx

@@ -480,7 +480,7 @@ function ServerDetailView({ workspaceId, serverId, onBack }: ServerDetailViewPro
                           try {
                             const headers: Record<string, string> = server.isPublic
                               ? {}
-                              : { 'X-API-Key': '' }
+                              : { 'X-API-Key': '{{SIM_API_KEY}}' }
                             await addToWorkspaceMutation.mutateAsync({
                               workspaceId,
                               config: {
@@ -515,7 +515,7 @@ function ServerDetailView({ workspaceId, serverId, onBack }: ServerDetailViewPro
                       </Button>
                       {!server.isPublic && (
                         <p className='text-[11px] text-[var(--text-muted)]'>
-                          After adding, set your API key in Settings &gt; MCP Tools, or{' '}
+                          Set the SIM_API_KEY environment variable, or{' '}
                           <button
                             type='button'
                             onClick={() => setShowCreateApiKeyModal(true)}