HitKeep 2.4.1: MCP Reliability And Go Security Fixes
HitKeep 2.4.1 is a focused patch release for operators who enable the optional MCP server behind a reverse proxy. It also updates HitKeep release builds to Go 1.26.3 after govulncheck reported called vulnerabilities in the Go 1.26.2 standard library.
The release fixes MCP Streamable HTTP initialization when HitKeep listens on loopback, such as 127.0.0.1:8080, and a reverse proxy exposes the public /mcp endpoint. Valid MCP clients should now initialize through the configured public host instead of receiving a plain-text host-header 403 before HitKeep can validate the bearer token.
What changed
- Reverse-proxied MCP initialization: HitKeep now validates MCP request hosts against HITKEEP_PUBLIC_URL before handing the request to the MCP Go SDK.
- Public host support: deployments that publish /mcp at a public hostname can initialize MCP clients while keeping HitKeep bound to loopback.
- Local development preserved: loopback hosts such as localhost, 127.0.0.1, and ::1 continue to work for local MCP clients.
- Host validation kept explicit: unexpected hosts still receive 403 Forbidden; missing or invalid bearer tokens on valid hosts receive 401 Unauthorized.
- No MCP schema changes: MCP tools, resources, bearer token format, API-client scopes, and dashboard API behavior are unchanged.
- Go 1.26.3 release builds: Linux binaries, Docker images, and CI now use Go 1.26.3. This clears the standard-library govulncheck findings that affected Go 1.26.2.
Upgrade guidance
Upgrade to 2.4.1 if you enable MCP and expose HitKeep through a reverse proxy, or if you want release artifacts built with Go 1.26.3.
Make sure HITKEEP_PUBLIC_URL matches the externally visible origin:
HITKEEP_PUBLIC_URL=https://analytics.example.com
HITKEEP_MCP_ENABLED=true
HITKEEP_MCP_PATH=/mcp

The simplest proxy setup preserves the original Host header. If your proxy rewrites the upstream Host to a loopback address, configure explicit HITKEEP_TRUSTED_PROXIES CIDRs and forward the public host with X-Forwarded-Host or the standard Forwarded header.
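The host and token ordering described in these notes, sketched as an added Go example; it is not HitKeep's code. The guard type, hostname helper, sample token and the 127.0.0.0/8 trusted range are assumptions for illustration, and ports are ignored when comparing hosts.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
)

// guard is a hypothetical type for this example, not HitKeep's code.
type guard struct {
	public, token string         // public hostname; constructed sample token
	trusted       []netip.Prefix // proxies allowed to set X-Forwarded-Host
}

// hostname lowercases a Host value and drops any port or IPv6 brackets.
func hostname(hostport string) string {
	return strings.ToLower((&url.URL{Host: hostport}).Hostname())
}

// status returns 403 for an unexpected host, then 401 for a bad token.
func (g guard) status(r *http.Request) int {
	host := hostname(r.Host)
	fwd := r.Header.Get("X-Forwarded-Host")
	peer, err := netip.ParseAddrPort(r.RemoteAddr)
	for _, p := range g.trusted { // forwarded host counts only from a trusted peer
		if err == nil && fwd != "" && p.Contains(peer.Addr().Unmap()) {
			host = hostname(fwd)
		}
	}
	addr, _ := netip.ParseAddr(host) // zero Addr (not loopback) if host is a name
	if host != g.public && host != "localhost" && !addr.IsLoopback() {
		return http.StatusForbidden
	}
	tok, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
	if !ok || subtle.ConstantTimeCompare([]byte(tok), []byte(g.token)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	g := guard{public: "analytics.example.com", token: "sample-token"}
	r, _ := http.NewRequest("POST", "http://evil.example/mcp", nil)
	fmt.Println(g.status(r)) // unexpected Host is refused before any token check
}
```

With no trusted ranges configured, X-Forwarded-Host is never consulted, so a client cannot pick its own effective host by sending that header.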