The MCP Server Security Checklist (2026)
Everything a production Model Context Protocol server needs — and what most of them skip.
A 2026 analysis of ~7,000 public MCP servers found 41% require no authentication, 36.7% are SSRF-vulnerable, and only 8.5% use OAuth. If you're exposing tools to an LLM, you're exposing them to prompt injection — so the server, not the model, has to hold the line. Here's the checklist.
Audit your config in one command
Before the checklist, see where you actually stand:
pipx install git+https://github.com/alih552/mcp-audit
mcp-audit
mcp-audit on GitHub →
1. Authentication
- Require auth on every remote server. 41% of public MCP servers accept anonymous calls. Anyone who reaches the URL can run your tools.
- Validate tokens in constant time. A naive string compare leaks the token byte-by-byte via timing. Use a constant-time comparison.
- Verify JWT signature + expiry (or use OAuth). Check the signature, exp and nbf — don't trust an unverified payload.
- Fail closed. If auth isn't configured in production, the server should refuse to start — not run wide open.
2. Network & SSRF
- Never fetch a user/LLM-supplied URL naively. A tool that fetches arbitrary URLs becomes a proxy into your private network and the cloud metadata endpoint (169.254.169.254).
- Block private, loopback, link-local and CGNAT IPs. And re-resolve the host after DNS to defeat rebinding attacks.
- https only; don't follow redirects. Redirects are a classic SSRF bypass; cleartext http leaks tokens.
- Enable DNS-rebinding protection on the transport. Pin allowed hosts/origins on the Streamable HTTP transport.
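The destination check the items above describe, as an added TypeScript example (not code from this page or from MCP Forge Kit). It assumes Node.js, and that the caller obtains `resolved` from one dns lookup and then makes the HTTP client connect to the returned address (keeping the original name for Host and SNI) with redirects disabled, so a second lookup cannot rebind to a private IP.

```typescript
import { isIP } from "node:net";

// Ranges the checklist names: RFC 1918 private, loopback, link-local (cloud metadata), CGNAT.
const BLOCKED_V4: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // private
  ["127.0.0.0", 8],                                          // loopback
  ["169.254.0.0", 16],                                       // link-local, incl. 169.254.169.254
  ["100.64.0.0", 10],                                        // CGNAT
];

const v4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;

// True when the address must not be connected to. Anything unclassifiable fails closed.
export function isBlockedAddress(addr: string): boolean {
  // ::ffff:a.b.c.d is an IPv4 address in IPv6 clothing; classify it as IPv4 or the check is bypassed.
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(addr);
  const ip = mapped ? mapped[1] : addr;
  if (isIP(ip) === 4) {
    const n = v4ToInt(ip);
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
    });
  }
  if (isIP(ip) === 6) {
    const v6 = ip.toLowerCase();
    return v6 === "::1" || /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6); // loopback, link-local, ULA
  }
  return true;
}

// Validates scheme and destination for a URL-fetching tool. `resolved` is the address from a
// single dns lookup of the hostname; IP literals in the URL are checked directly. The caller
// must connect to the returned `address`, not re-resolve `host`, and use redirect: "manual".
export function checkTarget(raw: string, resolved?: string): { host: string; address: string } {
  const url = new URL(raw); // throws on malformed input
  if (url.protocol !== "https:") throw new Error(`refusing ${url.protocol} target: https only`);
  const host = url.hostname.replace(/^\[|\]$/g, ""); // WHATWG URL keeps brackets on IPv6 literals
  const address = isIP(host) ? host : resolved;
  if (!address) throw new Error(`no resolved address supplied for ${host}`);
  if (isBlockedAddress(address)) throw new Error(`refusing ${host}: resolves to ${address}`);
  return { host, address };
}
```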
3. Input & resource limits
- Validate every tool input with a schema. Bound string lengths and types — don't let unbounded input reach your logic.
- Cap request body size and outbound response size. Plus a timeout on every outbound call.
- Rate-limit per client. A token bucket per IP/token stops abuse and runaway loops.
4. Secrets & supply chain
- No secrets in the config or code. Plaintext keys in .mcp.json leak via the file and its git history. Use env vars / a secret manager.
- chmod 600 configs that hold secrets. A world-readable config with a token is readable by any local process.
- Pin your dependencies. Running tools via npx -y / @latest executes whatever was published last — a supply-chain risk.
5. Operations
- Run behind TLS, as a non-root user.
- Security headers + a strict CORS allowlist.
- Watch your token budget. Each server loads its tool schemas into every request — five servers commonly cost 50–75k context tokens before you type a word. Disable what you don't use.
Skip the work — ship a server that passes all of this
MCP Forge Kit is a secure-by-default MCP server starter (TypeScript): bearer + JWT auth, SSRF-safe fetch, rate limiting, validation, 21 tests, CI, and a Dockerfile — scoring an A from your first commit.
Get MCP Forge Kit — €39 →