[DOCS] Managed MCP URL-pattern docs omit `*://` scheme wildcard and hostname case matching for `deniedMcpServers`
Documentation Type
Incorrect/outdated documentation
Documentation Location
https://code.claude.com/docs/en/mcp
Section/Topic
Managed MCP configuration → Option 2: Policy-based control with allowlists and denylists → How URL-based restrictions work
Current Documentation
The docs currently say:
Each entry in the allowlist or denylist can restrict servers in three ways: 1. By server name (serverName): Matches the configured name of the server 2. By command (serverCommand): Matches the exact command and arguments used to start stdio servers 3. By URL pattern (serverUrl): Matches remote server URLs with wildcard support URL patterns support wildcards using*to match any sequence of characters. This is useful for allowing entire domains or subdomains. Wildcard examples:https://mcp.company.com/*- Allow all paths on a specific domainhttps://*.example.com/*- Allow any subdomain of example.com *http://localhost:*/*- Allow any port on localhost
What's Wrong or Missing?
This section documents serverUrl wildcard matching in general, but it does not explain two important behaviors relevant to managed MCP deny/allow rules:
A. The *:// scheme wildcard is not documented
The v2.1.129 changelog notes a fix for deniedMcpServers patterns that use a *:// scheme wildcard. The managed MCP docs currently only show https://... and http://... examples, so admins are not told that one pattern can cover multiple schemes.
B. Hostname matching behavior is underspecified
The same v2.1.129 fix refers to mixed-case hostnames, but the docs do not state whether serverUrl hostname matching is case-sensitive or normalized. That leaves policy authors without clear guidance for writing deny rules that reliably match real-world URLs.
Suggested Improvement
Add explicit guidance under "How URL-based restrictions work," for example:
Add after the wildcard examples:
*://example.com/*- Match the same host on either HTTP or HTTPS Hostname matching is case-insensitive, sohttps://EXAMPLE.com/mcpandhttps://example.com/mcpare treated the same forserverUrlmatching
Also add one denylist example that uses the scheme wildcard, such as:
{
"deniedMcpServers": [
{ "serverUrl": "*://*.untrusted.com/*" }
]
}
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Line(s) | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/mcp | 1295-1360 | serverUrl matching is described, but *:// and hostname case behavior are not documented |
Total scope: 1 page affected
Relevant changelog context: v2.1.129 includes a fix for deniedMcpServers patterns using a *:// scheme wildcard that did not match mixed-case hostnames. That behavior should be reflected in the managed MCP configuration docs.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗