diff --git a/gnexus_creds/main.py b/gnexus_creds/main.py
index 8c9b8da..42346b7 100644
--- a/gnexus_creds/main.py
+++ b/gnexus_creds/main.py
@@ -84,7 +84,7 @@
 
         @app.get("/{path:path}", include_in_schema=False)
         async def spa_fallback(path: str) -> FileResponse:
-            if path.startswith(("api/", "auth/", "mcp/", "mcp-protocol/", "webhooks/")):
+            if path.startswith(("api/", "auth/", "mcp/", "mcp-protocol", "webhooks/")):
                 raise AppError("not_found", "Not found.", status_code=404)
             return FileResponse(FRONTEND_DIST / "index.html")
 
diff --git a/gnexus_creds/mcp_protocol.py b/gnexus_creds/mcp_protocol.py
index d489a3c..ee50045 100644
--- a/gnexus_creds/mcp_protocol.py
+++ b/gnexus_creds/mcp_protocol.py
@@ -7,6 +7,7 @@
 from mcp.server.auth.provider import AccessToken
 from mcp.server.auth.settings import AuthSettings
 from mcp.server.fastmcp import Context, FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 from sqlalchemy.orm import Session
 
 from gnexus_creds.auth import require_enabled_user
@@ -84,6 +85,9 @@
             resource_server_url=settings.mcp_resource_url,
             required_scopes=[Scope.mcp.value],
         ),
+        transport_security=TransportSecuritySettings(
+            enable_dns_rebinding_protection=False
+        ),
     )
 
     @server.tool()