MCP Security Checklist: 10 Things to Audit Before Going to Production


These articles are AI-generated summaries. Please check the original sources for full details.

MCP Security Checklist

The MCP Security Checklist addresses the security of Model Context Protocol (MCP) servers. Luca Moretti, a security expert, identifies 10 key areas to audit before going live, including secrets management, minimal permissions, and audit logs. His central claim is that decentralized credential management is the root cause of most MCP security problems.

Why This Matters

Many MCP servers are deployed without a proper security audit, which exposes them to breaches and data leaks. An idealized deployment model assumes that every configuration is secure and up to date, but in practice this is often not the case. The cost of a breach can be significant: some estimates put the average cost of a data breach above $3 million.

Key Insights

  • 90% of security breaches are caused by human error, such as hardcoded secrets or misconfigured permissions (Source: IBM Security).
  • Using a secrets manager like Janee can reduce the risk of breaches by centralizing credential storage and providing audit logging (Janee, for example, provides encrypted storage, scoped access, and credential rotation).
  • Pinning MCP server dependencies to specific releases can prevent supply chain attacks (npm or yarn can be used to pin dependency versions).

Working Example

# Search for common secret patterns in MCP client configs (case-insensitive,
# extended regex; errors for missing directories are suppressed)
grep -rniE 'sk-|password|secret|token|api_key' ~/.config/claude/ ~/.cursor/ 2>/dev/null

Practical Applications

  • Use Case: GitHub uses MCP servers to automate workflows, and by following this checklist, they can ensure the security of their servers and prevent potential breaches.
  • Pitfall: Using the same API key in development and production environments can lead to unintended access to production resources, highlighting the importance of separate credentials per environment.
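The grep above only pattern-matches raw text. The following added example (not from the original article or from Janee) parses an MCP client config structurally and reports the two findings the checklist calls out: literal secrets in a server's env block and packages launched via npx without a pinned version. It assumes the mcpServers/command/args/env layout used by Claude Desktop and Cursor; the sample config is constructed, and the token value is a placeholder.

```python
import json
import re

# Constructed sample config in the assumed mcpServers layout; the token is a placeholder.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_PLACEHOLDER_not_a_real_token"}
    },
    "db": {
      "command": "npx",
      "args": ["-y", "@example/mcp-db-server@1.4.2"],
      "env": {"DB_URL": "${DB_URL}"}
    }
  }
}
""")

SECRET_KEY = re.compile(r"(token|secret|password|api_?key)", re.I)
SECRET_VALUE = re.compile(r"^(sk-|ghp_|xox[abp]-)")
# A value such as ${VAR} is a reference resolved at launch, not a literal secret.
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")
# name@MAJOR.MINOR.PATCH, with an optional npm scope prefix
PINNED = re.compile(r"^@?[^@\s]+@\d+\.\d+\.\d+$")


def audit_config(config):
    """Return (server_name, finding) tuples for hardcoded secrets and unpinned packages."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if ENV_REF.match(str(value)):
                continue  # injected from the environment or a secrets manager
            if SECRET_KEY.search(key) or SECRET_VALUE.match(str(value)):
                findings.append((name, f"hardcoded secret in env[{key}]"))
        # For npx launches, the first non-flag argument is the package; anything
        # without an explicit version is resolved fresh on every start.
        if server.get("command") == "npx":
            pkgs = [a for a in server.get("args", []) if not a.startswith("-")]
            if pkgs and not PINNED.match(pkgs[0]):
                findings.append((name, f"unpinned package {pkgs[0]}"))
    return findings


if __name__ == "__main__":
    for server, finding in audit_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

Run it against a real config by replacing SAMPLE_CONFIG with json.load() of the file; a clean result is an empty list.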
