Security checklist for MCP (Model Context Protocol) deployments

Tags

Here’s a tight, practitioner-grade checklist for securing MCP (Model Context Protocol) deployments—organized by layer. Each section points to the authoritative spec and reference SDKs so you can chase details all the way down to code.

1) Protocol & Transport (Base)

  1. Pin to a specific protocol revision (e.g., 2025-06-18) and reject clients/servers advertising unknown versions. (Model Context Protocol)
  2. Enforce strict JSON schema validation on every message (method, params, result, error) both directions. (Model Context Protocol)
  3. Require authenticated transports for non-stdio modes (Streamable HTTP / SSE / WebSocket), e.g., mTLS or OAuth2 bearer + TLS ≥1.2. (Model Context Protocol)
  4. Terminate connections on unknown/extra fields or type mismatches; fail closed. (Model Context Protocol)
  5. Bound message sizes and streaming chunk sizes; set conservative read timeouts and max in-flight requests. (Model Context Protocol)

2) Authentication & Session

  1. Prefer OAuth2/OIDC for HTTP transports; rotate/expire tokens; bind to audience & scopes. (Model Context Protocol)
  2. For stdio transports (local), verify executable provenance (signature, checksum) before launching server binaries. (Model Context Protocol)
  3. Tie sessions to a single principal; prohibit token reuse across principals; log the identity → session binding. (Model Context Protocol)
  4. On reconnect, re-authenticate (no silent session resurrection). (Model Context Protocol)
  5. Store credentials via OS keychain/KMS, never in plaintext config files. (Model Context Protocol)

3) Authorization (Least Privilege)

  1. Implement capability scoping: only expose the minimal tools/resources/prompts to a given client. (Model Context Protocol)
  2. Enforce per-tool allowed operations (read vs write vs delete; destructive actions behind explicit consent). (Model Context Protocol)
  3. Apply RBAC/ABAC: map identities → roles → permitted MCP methods. (protectai.com)
  4. Deny by default; all discovery/listing calls should filter to authorized items. (Model Context Protocol)
  5. Add policy checks on parameter values (path allowlists, URL allowlists, regex guards). (Model Context Protocol)

4) Tool Safety (Command/Action Layer)

  1. Treat tool arguments as untrusted; validate types, ranges, enums; reject ambiguous free-form strings. (Model Context Protocol)
  2. For shell/process tools, disable shell interpolation; use execve-style argv arrays; enforce time/CPU/memory limits. (Model Context Protocol)
  3. For file tools, enforce chroot-like roots (project roots), canonicalize paths, block .., symlinks, device files. (Model Context Protocol)
  4. For HTTP tools, restrict to safelisted schemes/hosts; block link-local/169.254.0.0/16/metadata; prevent SSRF and DNS rebinding. (Model Context Protocol)
  5. For database tools, parameterize queries; apply read-only roles where possible; per-table access. (Model Context Protocol)

5) Resource & Prompt Exposure

  1. Classify resources (public, internal, sensitive); never expose secrets in resource previews. (Model Context Protocol)
  2. Limit size/line counts on readResource; paginate and redact high-risk patterns (AWS keys, OAuth secrets). (Model Context Protocol)
  3. Gate write APIs (file writes, issue creation, cloud ops) behind interactive confirmation or signed intents. (Model Context Protocol)
  4. Keep prompt templates free of credentials; load them from trusted, versioned stores only. (Model Context Protocol)
  5. Don’t leak absolute filesystem paths or internal IPs in errors/results. (Model Context Protocol)

6) Prompt-Injection & Content Mediation

  1. Apply content filters to model output before turning it into a tool call; validate any tool call against policy. (Model Context Protocol)
  2. Strip/normalize model-supplied paths/URLs; compare against allowlists; require second factor for privilege escalation. (Model Context Protocol)
  3. Add execution affordances: “dry-run/plan → diff → approve → apply” for mutating tools. (Model Context Protocol)
  4. Defend against instruction smuggling: ignore model attempts to override tool safety flags/policies in arguments. (Model Context Protocol)
  5. Limit chain-of-tools depth or total mutations per session; add budget/credit quotas. (Model Context Protocol)

7) Runtime Isolation & Hardening

  1. Run servers in containers with seccomp/AppArmor and a minimal FS; drop root; read-only rootfs; tmpfs for scratch. (Red Hat)
  2. For stdio servers, launch with least privileges and a restricted PATH/ENV; scrub inherited env vars. (Model Context Protocol)
  3. Use separate service accounts per server and per environment; disable lateral movement paths. (Red Hat)
  4. Apply ulimits (files, processes), cgroup CPU/IO caps; kill long-running child processes. (Model Context Protocol)
  5. For plugin ecosystems, pin versions and verify signatures before enabling new tools. (Model Context Protocol)

8) Network Controls

  1. Default-deny egress; open only required domains/ports; split-tunnel by server role. (Red Hat)
  2. Block SMTP/FTP/peer-to-peer from tool contexts unless explicitly required; log any attempts. (Red Hat)
  3. Cache/lock DNS; prefer DoT/DoH; monitor for fast-flux/rebinding behavior. (Red Hat)
  4. For Streamable HTTP, terminate TLS at a hardened proxy; enable HTTP/2 flood protections and request rate limits. (Model Context Protocol)
  5. Instrument eBPF/Netfilter rules to tag MCP server traffic for anomaly detection. (Red Hat)

9) Logging, Audit, & Forensics

  1. Log every MCP call (who/when/what/tool/params-hash/result-hash) with privacy redaction; ship to SIEM. (Model Context Protocol)
  2. Record consent/approval events (who approved, inputs, diffs) for mutating actions. (Model Context Protocol)
  3. Preserve session transcripts with cryptographic integrity (hash chains / transparency logs). (Model Context Protocol)
  4. Emit security events (auth failure, policy block, rate-limit, sandbox breach) with severity and MITRE ATT\&CK mapping. (Red Hat)
  5. Add deterministic request IDs and correlate across client ↔ server ↔ downstream systems. (Model Context Protocol)

10) Supply Chain & Build

  1. Vendor the official TypeScript / Python MCP SDKs; pin exact versions; enable Dependabot + SLSA provenance. (GitHub)
  2. Run CI security gates (SAST/semgrep, license checks) on servers/clients; fail builds on criticals. (Red Hat)
  3. Reproducible builds for server binaries; sign artifacts; verify on deploy. (Red Hat)
  4. Fuzz test message handlers and tool param parsers (corpus from recorded traffic). (Model Context Protocol)
  5. Maintain an SBOM for each server; watch for CVEs in transitive deps of SDKs and tool adapters. (GitHub)

Code-level pointers (to dig deeper)

  • Official Spec & Security Notes – protocol structure, message types, transports, and security best practices. (Model Context Protocol)
  • Python SDK – reference implementations for stdio / SSE / Streamable HTTP transports, handlers, and auth hooks (modelcontextprotocol/python-sdk). Start at the README and mcp/server & mcp/client packages. (GitHub)
  • TypeScript SDK – schemas (schema.ts), transport adapters, and server/client scaffolds you can harden (input validation, size limits, auth interceptors). (GitHub)
  • Community clients/servers (for patterns and hardening gaps to review): streamable-HTTP examples, Slack/LinkedIn clients, git server, “awesome servers” list. (GitHub)
  • Industry security write-ups – concrete risk discussions and control recommendations to benchmark against. (Red Hat)
LinkedIn Reddit