
Add instructions on DNS rebinding protection, respond with json rpc message when headers invalid #98

@brettimus

Description

Two things:

  1. Add a section on DNS rebinding protection in the README
  2. Return valid json rpc messages when the allowedHosts or allowedOrigins parameters block a request

Adding DNS Rebinding Explanation to README

The spec and the modelcontextprotocol/sdk make several mentions of DNS rebinding attacks, especially when running locally. There is a switch in their ts sdk:

import { randomUUID } from "node:crypto";
import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";

const transport = new StreamableHTTPServerTransport({
  sessionIdGenerator: () => randomUUID(),
  // When true, the transport checks the Host and Origin headers of every request
  enableDnsRebindingProtection: true,

  // Host header values a request may carry (the elided entries are as in the original)
  allowedHosts: ['127.0.0.1', ...],
  // Origin header values a browser client may present
  allowedOrigins: ['https://yourdomain.com', 'https://www.yourdomain.com']
});

We support allowed hosts and allowed origins already, which should be enough, but worth adding to the README.

As a note on the modelcontextprotocol sdk, disabling the flag enableDnsRebindingProtection just neglects to check headers entirely.

https://github.com/modelcontextprotocol/typescript-sdk/blob/7d29cee2ba496212b2e074592da73b7cba7bee5c/src/server/streamableHttp.ts#L178

Returning JSON RPC when origin and host headers are not allowed

The modelcontextprotocol sdk responds with a json rpc message (see below), but right now we just do an http text response of Forbidden.

      // validationError is the message produced by the Host/Origin header check;
      // id is null because the request body was never parsed as JSON-RPC
      res.writeHead(403).end(JSON.stringify({
        jsonrpc: "2.0",
        error: {
          code: -32000,
          message: validationError
        },
        id: null
      }));
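The two checks the issue asks for, as an added example that is not the project's own code: a Host/Origin allowlist check that covers the rebinding case, and a rejection builder that returns the JSON-RPC error body instead of a bare "Forbidden". The function names, the case-insensitive exact-match rule, and the choice to let requests without an Origin header through (non-browser clients do not send one) are assumptions.

```javascript
// Added example, not the project's code. Matching rules are assumptions.
const JSONRPC_HEADER_ERROR = -32000; // same code as the SDK response above

// Returns null when the request is acceptable, otherwise a reason string.
function validateHeaders(headers, { allowedHosts = [], allowedOrigins = [] }) {
  const host = headers.host;
  const origin = headers.origin;

  // DNS rebinding relies on an attacker-controlled name resolving to the
  // local address, so the Host header is what pins the request to us.
  if (allowedHosts.length > 0) {
    if (!host) return "Host header is required";
    const ok = allowedHosts.some((h) => h.toLowerCase() === host.toLowerCase());
    if (!ok) return `Invalid Host header: ${host}`;
  }

  // Origin is only sent by browsers; when present it must be allowlisted,
  // when absent the request is treated as non-browser traffic (assumption).
  if (allowedOrigins.length > 0 && origin !== undefined) {
    const ok = allowedOrigins.some((o) => o.toLowerCase() === origin.toLowerCase());
    if (!ok) return `Invalid Origin header: ${origin}`;
  }
  return null;
}

// Builds the 403 the issue wants: a valid JSON-RPC error object with id null
// (the body was never parsed), rather than a text/plain "Forbidden".
function buildRejection(validationError) {
  return {
    status: 403,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      jsonrpc: "2.0",
      error: { code: JSONRPC_HEADER_ERROR, message: validationError },
      id: null,
    }),
  };
}

// Constructed sample policy and requests: one legitimate local client and one
// whose Host carries a name that is not ours (the rebinding pattern).
const policy = {
  allowedHosts: ["127.0.0.1:3000", "localhost:3000"],
  allowedOrigins: ["https://yourdomain.com"],
};
const localReq = { host: "127.0.0.1:3000" };
const reboundReq = { host: "other.example:3000", origin: "http://other.example" };
```

Wire `validateHeaders` in front of the transport's request handler and, on a non-null result, write `buildRejection(result)` to the response.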
