fix: reject unsupported HTTP methods early in session manager

HEAD and other unsupported HTTP methods (PUT, PATCH, OPTIONS, etc.)
sent to the StreamableHTTP endpoint now return 405 Method Not Allowed
immediately in StreamableHTTPSessionManager.handle_request(), before
any transport or background server task is created.

Previously, in stateless mode, unsupported methods would flow through
the full transport lifecycle: a new StreamableHTTPServerTransport was
created, a background run_stateless_server task was spawned (starting
the message router), the 405 response was sent, and then terminate()
closed the streams while the message router was still running. This
caused a ClosedResourceError that crashed the server.

Fixes #1269

Author: Br1an67

src/mcp/server/streamable_http_manager.py

@@ -141,6 +141,26 @@ async def handle_request(self, scope: Scope, receive: Receive, send: Send) -> No
 
         Dispatches to the appropriate handler based on stateless mode.
         """
+        # Reject unsupported HTTP methods early, before creating any
+        # transport or session.  This avoids the race condition where a
+        # stateless transport is created, a background server task is
+        # spawned, the 405 response is sent, and then terminate() closes
+        # the streams while the message-router task is still running —
+        # resulting in a ClosedResourceError that kills the server.
+        # See: https://github.com/modelcontextprotocol/python-sdk/issues/1269
+        request = Request(scope, receive)
+        if request.method not in ("GET", "POST", "DELETE"):
+            response = Response(
+                content='{"error": "Method Not Allowed"}',
+                status_code=HTTPStatus.METHOD_NOT_ALLOWED,
+                headers={
+                    "Content-Type": "application/json",
+                    "Allow": "GET, POST, DELETE",
+                },
+            )
+            await response(scope, receive, send)
+            return
+
         if self._task_group is None:
             raise RuntimeError("Task group is not initialized. Make sure to use run().")
 

tests/issues/test_1269_head_request_crash.py

@@ -0,0 +1,88 @@
+"""Test for issue #1269 - FastMCP server death on client HEAD calls.
+
+HEAD (and other unsupported HTTP methods) sent to the MCP endpoint must
+return 405 Method Not Allowed without creating a transport or spawning
+background tasks.  Before the fix, such requests in stateless mode caused
+a ClosedResourceError in the message router because the transport was
+terminated while the router task was still running.
+
+See: https://github.com/modelcontextprotocol/python-sdk/issues/1269
+"""
+
+import logging
+from collections.abc import AsyncGenerator
+from contextlib import asynccontextmanager
+
+import anyio
+import httpx
+import pytest
+from starlette.applications import Starlette
+from starlette.routing import Mount
+
+from mcp.server import Server
+from mcp.server.streamable_http_manager import StreamableHTTPSessionManager
+
+
+def _create_app(*, stateless: bool) -> Starlette:
+    """Create a minimal Starlette app backed by a StreamableHTTPSessionManager."""
+    server = Server("test_head_crash")
+    session_manager = StreamableHTTPSessionManager(
+        app=server,
+        stateless=stateless,
+    )
+
+    @asynccontextmanager
+    async def lifespan(app: Starlette) -> AsyncGenerator[None, None]:
+        async with session_manager.run():
+            yield
+
+    return Starlette(
+        routes=[Mount("/", app=session_manager.handle_request)],
+        lifespan=lifespan,
+    )
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("stateless", [True, False])
+async def test_head_request_returns_405_without_error(
+    stateless: bool,
+    caplog: pytest.LogCaptureFixture,
+) -> None:
+    """HEAD / must return 405 and must not produce ClosedResourceError."""
+    app = _create_app(stateless=stateless)
+
+    with caplog.at_level(logging.ERROR):
+        async with httpx.AsyncClient(
+            transport=httpx.ASGITransport(app=app),
+            base_url="http://testserver",
+            timeout=5.0,
+        ) as client:
+            response = await client.head("/")
+            assert response.status_code == 405
+
+        # Give any lingering background tasks a chance to log errors
+        await anyio.sleep(0.3)
+
+    # Ensure no ClosedResourceError was logged
+    for record in caplog.records:
+        msg = record.getMessage()
+        assert "ClosedResourceError" not in msg, f"ClosedResourceError found in logs: {msg}"
+        assert "Error in message router" not in msg, f"Message router error found in logs: {msg}"
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("method", ["PUT", "PATCH", "OPTIONS"])
+async def test_unsupported_methods_return_405(method: str) -> None:
+    """Other unsupported HTTP methods also return 405 without crashing."""
+    app = _create_app(stateless=True)
+
+    async with httpx.AsyncClient(
+        transport=httpx.ASGITransport(app=app),
+        base_url="http://testserver",
+        timeout=5.0,
+    ) as client:
+        response = await client.request(method, "/")
+        assert response.status_code == 405
+        assert "GET" in response.headers.get("allow", "")
+        assert "POST" in response.headers.get("allow", "")
+        assert "DELETE" in response.headers.get("allow", "")