Security Concern

Description

Unmonitored Access

Without proper visibility, AI assistants could access or modify sensitive data without detection. A compromised prompt or malicious instruction might extract confidential information using legitimate MCP connections.

Lack of Built-in Approval Workflows

Standard MCP implementations do not include built-in approval workflows, making it challenging to enforce human-in-the-loop requirements for critical operations such as database modifications or financial transactions.

Limited Audit Trails and Monitoring

Although MCP enables powerful integrations, it doesn't inherently offer comprehensive monitoring of prompts. This can hamper security investigations and compliance reporting by leaving gaps in the recorded interactions.

Privilege Management Challenges

Managing access across multiple MCP servers with differing security needs becomes complex. Without proper controls, ensuring that every component operates with the least privilege can be difficult, increasing the risk of overexposure to sensitive operations.

Category

Best Practices / Considerations

Description / Implementation Notes

Authentication & Authorization

Adopt Standardized Protocols
- Use established protocols such as OAuth 2.0/OAuth 2.1 or OpenID Connect
- Example: Node.js service using Passport.js with an OAuth 2.0 strategy

Storing and Validating Client Credentials
- Store credentials securely using encrypted databases (e.g., CyberArk Conjur, HashiCorp Vault)

Use Secure Token Handling
- Use JWTs with expiration and token rotation
- Secure token storage (HttpOnly cookies, secure mobile storage)
- Implement token revocation mechanisms

Implement Authorization Checks
- Use Role‑Based Access Control (RBAC) and Access Control Lists (ACLs)
- Integrate middleware to enforce policies

- Standard protocols provide a secure framework for managing tokens.
- Secure storage and handling of credentials reduce the risk of exposure.
- Enforcing authorization through RBAC and ACLs ensures that only permitted users can access sensitive operations or data.

Data Security

Use TLS for Network Transport
- Configure HTTPS with valid TLS certificates (e.g., Let's Encrypt or organizational CA)
- Enforce strong cipher suites and disable outdated protocols

Sanitize Input Data
- Use input validation libraries to sanitize user inputs
- Example: Python's bleach library, JavaScript's DOMPurify

- TLS encryption protects data in transit from eavesdropping or man‑in‑the‑middle attacks.
- Sanitizing inputs prevents injection attacks and ensures data integrity.

Network Security

Implement Rate Limiting
- Use middleware or API gateways (e.g., express-rate-limit for Node.js, Nginx settings) to restrict requests per IP/client
- Consider burst control to allow short spikes

Use Appropriate Timeouts
- Set connection, read, and write timeouts on servers and clients
- Adjust settings in web server configurations

Handle DoS Scenarios
- Implement circuit breakers and throttling logic

Monitor for Unusual Patterns
- Integrate logging with SIEM tools (Splunk, Graylog, ELK)

Implement Proper Firewall Rules
- Configure network firewalls and application firewalls (WAF)
- Apply network segmentation

- Rate limiting and timeouts help mitigate resource exhaustion and DoS attacks.
- Continuous monitoring with SIEM integration assists in detecting anomalies.
- Firewall configurations and network segmentation limit the attack surface and contain potential breaches.

Category

Best Practices / Considerations

Description / Implementation Notes

Input Validation

- Validate all parameters against the schema
- Sanitize file paths and system commands
- Validate URLs and external identifiers
- Check parameter sizes and ranges
- Prevent command injection

- Use JSON Schema validators to enforce input structures.
- Sanitize and whitelist file paths and commands to avoid unintended execution.
- Ensure URLs conform to expected formats.
- Set limits on parameter sizes to prevent resource exhaustion.
- Escape or reject suspicious command inputs.

Access Control

- Implement authentication where needed
- Use appropriate authorization checks
- Audit tool usage
- Rate limit requests
- Monitor for abuse

- Use robust methods (OAuth, JWT) to authenticate users.
- Enforce role‑based access control (RBAC) for tool operations.
- Log all tool invocations with detailed context.
- Implement rate limiting to mitigate DoS attacks.
- Continuously monitor logs and usage patterns for anomalies.

Error Handling

- Don’t expose internal errors to clients
- Log security-relevant errors
- Handle timeouts appropriately
- Clean up resources after errors
- Validate return values

- Return generic error messages to prevent leakage of internal system details.
- Securely log detailed error data for investigation.
- Set proper timeout values to avoid hanging processes.
- Ensure all resources (files, connections) are properly released after errors.
- Verify that tool outputs conform to expected formats.

Area

Key Requirements

Implementation Considerations

User Consent & Control

- Users must explicitly consent to and understand all data access and operations.
- Users must retain control over what data is shared and which actions are taken.
- Implement clear UIs for reviewing and authorizing activities.

- Provide intuitive interfaces that transparently show which data is being accessed and why.
- Ensure granular consent options, allowing users to adjust permissions for different operations.

Data Privacy

- Hosts must obtain explicit user consent before exposing user data to servers.
- Hosts must not transmit resource data without user consent.
- Protect user data with appropriate access controls.

- Enforce encryption and strong access control policies to safeguard sensitive data.
- Incorporate consent workflows that prevent unauthorized data transmission, and document data flows for compliance purposes.

Tool Safety

- Tools represent arbitrary code execution and require caution.
- Hosts must obtain explicit user consent before invoking any tool.
- Users should clearly understand what each tool does before authorizing its use.

- Clearly document each tool’s functionality and potential impact to help users make informed decisions.
- Implement safeguards that restrict tool operations to pre-approved scenarios, reducing the risk of unintended code execution.

LLM Sampling Controls

- Users must explicitly approve any LLM sampling requests.
- Users should control whether sampling occurs, what prompt is sent, and what results the server can see.
- The protocol intentionally limits server visibility into prompts.

- Ensure the sampling process is transparent by exposing critical details to users before execution.
- Provide configuration options that let users set limits on data exposure, maintaining control over both input and output in LLM interactions.