MCP Forge
For developers building MCP servers

Ship MCP servers that are
secure from day one.

Most MCP servers leak. mcp-audit finds the holes for free. MCP Forge Kit is the secure-by-default starter that fixes them — auth, SSRF-safe fetch, rate limiting, tests, CI.

Get the Kit — €39 Audit yours free →

The MCP ecosystem is wide open

A 2026 analysis of ~7,000 public MCP servers found most are dangerously misconfigured.

41%
require no authentication
36.7%
are SSRF-vulnerable
8.5%
use OAuth

And every server you add quietly loads its tool schemas into every request — five servers commonly burn 50–75k tokens of context before you type a word.

Step 1 — Audit, free

mcp-audit scans your MCP config and tells you exactly what's wrong. 100% local, zero dependencies, open source (MIT).

pipx install git+https://github.com/alih552/mcp-audit
mcp-audit            # auto-detects Claude Desktop, Cursor, VS Code, Windsurf
# → 7 servers · ~13,160 context tokens · score 0/100 (F)
#   ✖ HIGH  Remote server with no authentication  (internal-api)
#   ✖ HIGH  Plaintext secret in config            (github)
#   ▲ MED   Over-broad filesystem root '/Users'    (filesystem)
View on GitHub →

Step 2 — Fix it with MCP Forge Kit

A production-grade, secure-by-default MCP server starter (TypeScript). Score an A from your first commit.

What's inside

  • Bearer + HS256 JWT auth (drop-in OAuth), fail-closed in prod
  • SSRF-safe fetch — blocks private IPs, cloud metadata, DNS-rebinding
  • Token-bucket rate limiting + body-size caps + security headers
  • zod input validation on every tool
  • 21 passing tests + typecheck + GitHub Actions CI
  • Dockerfile + deploy guide (Fly / Railway / Render / VPS)
  • SECURITY.md checklist + setup guide
One-time purchase · lifetime updates · commercial license
39once
  • Full source, yours to use in unlimited projects
  • Instant download + license key via Polar
  • Ships an MCP server that passes mcp-audit at A
Buy MCP Forge Kit — €39

Secure checkout by Polar. 14-day refund if it doesn't fit.

FAQ

Is mcp-audit really free?

Yes — MIT licensed, open source, runs entirely on your machine. It never connects to your servers or sends your config anywhere.

What language is the Kit?

TypeScript, on the official @modelcontextprotocol/sdk, runs on Node 18+. Deploy with Docker or any Node host. A serverless/Cloudflare-Workers path is documented.

What exactly do I get?

The full kit source: a secure reference MCP server, the security modules (auth, rate-limit, SSRF guard, validation), 21 tests, CI, a Dockerfile + deploy guide, a SECURITY.md checklist and a setup guide. One-time payment, lifetime updates.

Refunds?

14-day no-questions refund via Polar if it isn't a fit.