The Model Context Protocol gives AI capabilities that were previously impossible, like reading local files or executing database queries. With this power comes responsibility. Security should be your top priority when configuring or building MCP servers. This guide provides comprehensive security practices to protect your systems while leveraging the full power of MCP.
Critical Security Notice
MCP servers can have significant access to your systems. A misconfigured server could expose sensitive data, allow unauthorized modifications, or create security vulnerabilities. Always review server permissions carefully and follow the practices outlined in this guide.
1. Security Overview
MCP was designed with security in mind from the ground up. Unlike giving an AI unrestricted access to your systems, MCP provides a structured, permission-based model. However, the security of your MCP deployment ultimately depends on how you configure and manage it.
Key security concepts in MCP:
- Process Isolation: Each MCP server runs as a separate process with its own permissions
- Explicit Configuration: Servers only have access to resources you explicitly configure
- Tool Approval: Clients can require user approval before executing sensitive operations
- Transport Security: Communication can be encrypted using HTTPS/TLS
2. The Sandboxing Principle
By default, MCP servers are designed to be isolated. They run as separate processes and do not share the same permissions as the main AI client unless explicitly granted. This sandboxing provides a critical security boundary.
How Sandboxing Works
When you configure an MCP server, you specify exactly what it can access. For example, a filesystem server configured with /Users/yourname/Documents can only access files within that directory – it cannot read your SSH keys, browser history, or other sensitive files.
Best Practice: Minimal Scope
Always configure servers with the smallest possible scope. If you only need to read files from a specific project folder, do not give access to your entire home directory. The narrower the scope, the smaller the potential impact of any security issue.
3. Principle of Least Privilege
The principle of least privilege states that every component should have only the minimum permissions necessary to perform its function. This is especially important for MCP servers.
Applying Least Privilege to MCP
- Database Servers: Create dedicated database users with only SELECT permissions if you only need read access
- Filesystem Servers: Limit access to specific directories, not entire drives
- API Servers: Use API keys with restricted scopes rather than admin tokens
- Cloud Servers: Use IAM roles with minimal permissions
Example: Secure PostgreSQL Configuration
-- Create a read-only user for MCP
CREATE USER mcp_reader WITH PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE mydb TO mcp_reader;
GRANT USAGE ON SCHEMA public TO mcp_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mcp_reader;
-- Prevent any write operations
REVOKE INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public FROM mcp_reader;4. Managing Secrets and Credentials
Never hardcode API keys, passwords, or other secrets in your configuration files or source code. This is one of the most common security mistakes and can lead to credential exposure.
Using Environment Variables
Pass sensitive data via the env block in your MCP configuration:
{
"mcpServers": {
"github": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_TOKEN": "ghp_xxxxxxxxxxxx"
}
}
}
}Better: External Secret Management
For production environments, consider using a secrets manager:
- macOS Keychain: Store secrets in the system keychain and retrieve them at runtime
- 1Password CLI: Use op run to inject secrets into environment variables
- HashiCorp Vault: Enterprise-grade secret management
- AWS Secrets Manager: Cloud-native secret storage
Important: Git Security
Add your MCP configuration file to .gitignore if it contains any sensitive information. Never commit secrets to version control, even in private repositories. Consider using git-secrets or similar tools to prevent accidental commits of sensitive data.
5. Read-Only Access Patterns
When connecting to critical systems like databases or cloud infrastructure, prefer read-only permissions whenever possible. This prevents accidental or malicious modifications.
Benefits of Read-Only Access
- Prevents accidental data modification or deletion
- Limits the impact of AI hallucinations (e.g., generating invalid SQL)
- Reduces the attack surface if credentials are compromised
- Simplifies compliance and auditing
When Write Access is Needed
If your use case requires write access, implement additional safeguards:
- Use transactions that can be rolled back
- Implement approval workflows for destructive operations
- Set up automated backups before any write operations
- Log all modifications for audit purposes
6. Human-in-the-Loop Authorization
Most MCP clients, including Claude Desktop, implement a human-in-the-loop authorization flow for sensitive actions. This provides an additional layer of security by requiring explicit user approval.
How It Works
- Tool Approval: Before an AI executes a tool (especially one that writes data), the UI prompts you for confirmation
- Review Changes: If a filesystem server proposes to edit a file, you can review the diff before accepting
- Batch Approval: Some clients allow approving multiple similar operations at once
Best Practices
- Always review tool calls before approving, especially for write operations
- Be cautious of bulk approvals – review each operation individually when dealing with sensitive data
- Configure your client to require approval for all operations initially, then relax as you build trust
7. Network Security
While most MCP servers run locally using stdio transport, some scenarios require network communication. This introduces additional security considerations.
Warning: Remote Servers
Be extra cautious when connecting to remote MCP servers (over SSE/HTTP). Ensure the connection is encrypted (HTTPS) and authenticated to prevent unauthorized access to your agent capabilities. Never connect to untrusted remote servers.
Network Security Checklist
- Always use HTTPS/TLS for remote connections
- Verify server certificates to prevent man-in-the-middle attacks
- Use authentication tokens for remote servers
- Consider VPN or private networks for sensitive deployments
- Implement rate limiting to prevent abuse
8. Auditing and Monitoring
Comprehensive logging and monitoring are essential for security. They help you detect issues, investigate incidents, and maintain compliance.
What to Log
- All tool invocations with timestamps
- Parameters passed to tools (sanitize sensitive data)
- Success/failure status of operations
- User approvals and rejections
- Error messages and exceptions
Log Locations
- macOS: ~/Library/Logs/Claude/
- Windows: %APPDATA%/Claude/logs/
- Linux: ~/.config/Claude/logs/
9. Container Isolation with Docker
For maximum isolation, consider running MCP servers in Docker containers. This provides an additional security boundary and makes it easier to manage dependencies.
Benefits of Docker Isolation
- Complete filesystem isolation from the host
- Network isolation and controlled connectivity
- Resource limits (CPU, memory)
- Easy cleanup and reproducibility
For detailed instructions on running MCP servers in Docker, see our Docker Deployment Guide.
10. Security Checklist
Use this checklist to verify your MCP deployment is secure:
Conclusion
MCP is secure by design, but configuration errors can introduce risks. By following these principles – least privilege, secure credential management, sandboxing, and human oversight – you can safely leverage the full power of autonomous AI agents while protecting your systems and data.
Security is an ongoing process, not a one-time setup. Regularly review your configurations, update your servers, and stay informed about security best practices in the MCP ecosystem.