MCP servers can expose powerful tools to AI clients. Treat them like automation endpoints and apply least-privilege controls.
- Run the server as a dedicated non-root user
- Limit filesystem access to specific directories
- Use read-only tools/resources when possible
- Scope API credentials to the minimum required permissions
- Separate development and production credentials
- Log tool calls and review failures or unusual activity
## Network and Access Controls
- Prefer local-only transports unless remote access is required
- Restrict inbound access with firewall rules or reverse proxy policy
- Add authentication if the implementation supports network exposure
- Use TLS for any remote connections
- Disable destructive tools by default
- Add approval steps for write or exec actions
- Keep prompts/resources free of secrets where possible
- Update the server implementation regularly
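The directory confinement, read-only default, approval gate and call logging from the lists above, combined into one guard that a tool handler checks before doing any work. This is an added example, not code from any MCP SDK or server; `ToolPolicy`, `allow`, `confine` and the two tool functions are assumed names, and the paths in the comments are constructed.

```python
import logging
import os
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

log = logging.getLogger("mcp.tools")

@dataclass
class ToolPolicy:  # hypothetical policy object; not part of any MCP SDK
    allowed_roots: Tuple[str, ...]             # directories tools may touch
    destructive_enabled: bool = False          # write/exec tools off by default
    approve: Callable[[str, dict], bool] = lambda tool, args: False  # approval hook
    audit: list = field(default_factory=list)  # record of every decision

    def confine(self, path: str) -> Optional[str]:  # canonical path if under an allowed root
        real = os.path.realpath(path)  # collapses ".." and resolves symlinks first
        for root in self.allowed_roots:
            root_real = os.path.realpath(root)
            if real == root_real or real.startswith(root_real + os.sep):  # "/data2" must not match "/data"
                return real
        return None

    def allow(self, tool: str, args: dict, destructive: bool) -> bool:  # decide and log one call
        safe = self.confine(args["path"]) if "path" in args else None
        reason = ""
        if destructive and not self.destructive_enabled:
            reason = "destructive tools disabled"
        elif destructive and not self.approve(tool, args):
            reason = "approval denied"
        elif "path" in args and safe is None:
            reason = "path outside allowed roots"
        if not reason and "path" in args:
            args["path"] = safe  # the tool body only ever sees the canonical path
        self.audit.append((tool, "denied" if reason else "allowed", reason or dict(args)))
        log.log(logging.WARNING if reason else logging.INFO, "tool=%s %s", tool, self.audit[-1])
        return not reason

def read_file(policy: ToolPolicy, path: str) -> str:  # read-only tool: confinement only
    args = {"path": path}
    if not policy.allow("read_file", args, destructive=False):
        raise PermissionError(policy.audit[-1][2])
    with open(args["path"], encoding="utf-8") as fh:
        return fh.read()

def write_file(policy: ToolPolicy, path: str, data: str) -> int:  # destructive: needs enable + approval
    args = {"path": path, "data": data}
    if not policy.allow("write_file", args, destructive=True):
        raise PermissionError(policy.audit[-1][2])
    with open(args["path"], "w", encoding="utf-8") as fh:
        return fh.write(data)
```

A server would construct one `ToolPolicy` per process (for example `ToolPolicy(allowed_roots=("/srv/mcp/data",))`, a constructed path) and leave `destructive_enabled` false unless an operator explicitly turns it on and supplies an `approve` callback.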