Add wildcard pattern support for `allowed_hosts` in transport security

[enkidulan]

Description

Problem

Currently, the allowed_hosts configuration in TransportSecuritySettings only supports exact string matching link. This is too restrictive for real-world scenarios where you need to allow multiple subdomains under the same parent domain.

For example, if you want to allow app.mysite.com, api.mysite.com, admin.mysite.com, etc., you currently need to list each subdomain explicitly:

allowed_hosts=["app.mysite.com", "api.mysite.com", "admin.mysite.com", ...]

This becomes impractical when you have many subdomains or dynamic subdomain generation.

Proposed Solution

Add wildcard pattern support similar to Starlette's TrustedHostMiddleware or Django's ALLOWED_HOSTS , allowing patterns like:

• *.mysite.com - matches any subdomain of mysite.com (e.g., app.mysite.com, api.mysite.com) as well as the base domain mysite.com
• example.com:* - matches example.com with any port (already supported)

Example Usage

from mcp.server.transport_security import TransportSecuritySettings

settings = TransportSecuritySettings(
    enable_dns_rebinding_protection=True,
    allowed_hosts=["*.mysite.com", "localhost:*"],
)

I'd be happy to follow up and create a PR.

References

No response