
MCP Server Security Best Practices

15 Research Lab
Tags: mcp-safety, defense, guardrails, tools

The Model Context Protocol is becoming the standard for connecting AI agents to tools. With adoption comes a growing attack surface. These are the security practices that matter most for MCP server deployments.

Authentication

stdio transport: Does not support authentication natively. The MCP server runs as a local process, and security depends on OS-level process isolation. This is acceptable for local development but not for production multi-tenant deployments.

SSE/HTTP transport: Must use authentication headers. Bearer tokens at minimum. OAuth 2.0 for production. Never deploy an SSE-based MCP server without authentication; it is equivalent to an unauthenticated API endpoint.

Every tool call should carry identity context. The MCP server needs to know who is making the request to enforce per-user authorization.

Transport Security

All remote MCP connections must use TLS. Verify certificates. Do not disable certificate validation in development and forget to re-enable it. Pin certificates for known servers in high-security environments.

For SSE transport, set appropriate CORS headers. Restrict origins to your application domain. A misconfigured CORS policy turns your MCP server into a tool any website can invoke.

Tool Allowlists

Not every agent should have access to every tool. Implement tool allowlists at the gateway level:

  • Define which tools each agent role can access
  • Restrict tool parameters to expected ranges and formats
  • Block tools with excessive capability (file system write, network access) unless explicitly required
  • Version-lock tool schemas so changes require explicit approval

Authensor's policy engine supports tool-level authorization rules that can be configured in YAML and evaluated at runtime.

Gateway Architecture

Never let agents connect directly to MCP servers. Route all traffic through a gateway that provides:

  • Authentication and identity propagation
  • Tool allowlist enforcement
  • Request and response logging
  • Content safety scanning (injection detection on tool descriptions and responses)
  • Rate limiting per agent and per user
  • Circuit breaking for misbehaving servers

The gateway is your enforcement point. It sees all traffic and can block malicious requests regardless of what the agent has been instructed to do.

Tool Description Hygiene

Review tool descriptions manually. Automated scanners can catch obvious injection payloads, but subtle manipulation (biasing the model toward certain behaviors through carefully worded descriptions) requires human review.

Pin and hash tool descriptions. Alert on changes. A server that modifies its descriptions after initial approval is either updating legitimately or executing a rug pull attack. Either way, you want to know.
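One way to implement the pin-and-hash check described above, as an added example (not Authensor's code): the gateway records a digest of each tool's name, description and input schema at approval time and diffs every later `tools/list` result against those pins. The tool entries below are constructed samples; the field names follow the MCP `tools/list` result shape.

```python
import hashlib
import json

# Constructed sample: the tools/list result as it looked when the server was approved.
APPROVED_TOOLS = [
    {"name": "read_file",
     "description": "Read a UTF-8 text file from the workspace.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
    {"name": "search_docs",
     "description": "Full-text search over indexed documentation.",
     "inputSchema": {"type": "object",
                     "properties": {"query": {"type": "string"}},
                     "required": ["query"]}},
]


def tool_digest(tool: dict) -> str:
    """SHA-256 over a canonical encoding of everything the model sees.

    sort_keys and fixed separators make the digest independent of key order
    and whitespace, so a server that merely re-serialises its tool list does
    not trigger a false alarm; any change to the wording or schema does.
    """
    canonical = json.dumps(
        {"name": tool["name"],
         "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_tools(tools: list) -> dict:
    """Build the pin set at approval time: tool name -> digest."""
    return {t["name"]: tool_digest(t) for t in tools}


def check_tools(pins: dict, current: list) -> dict:
    """Diff a fresh tools/list result against the pins; anything in
    'changed' or 'added' should block the server pending human re-review."""
    seen = {t["name"]: tool_digest(t) for t in current}
    return {
        "changed": sorted(n for n in seen if n in pins and seen[n] != pins[n]),
        "added": sorted(n for n in seen if n not in pins),
        "removed": sorted(n for n in pins if n not in seen),
    }
```

Store the pin set alongside the approval record and run `check_tools` on every reconnect, not just at startup, since a server can change its descriptions mid-session.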

Monitoring

Log every tool call: who made it, what tool, what parameters, what response, what timestamp. Build these into an immutable audit trail. Receipt chains (hash-linked log entries) provide tamper evidence. This is not optional for compliance-sensitive deployments.

Use the Attack Surface Mapper to enumerate your MCP server configurations and identify security gaps before attackers do.