Creativity · MCP — pattern

MCP Security Best Practices

MCP's power comes with risk: a compromised server, a confused-deputy tool call, or a prompt-injected resource can escalate privileges or exfiltrate data. This guide collects the best practices drawn from the MCP spec's security sections, Anthropic's writeups, and real-world lessons from 2025. Covers tool scoping, allowlist patterns, prompt injection defenses, OAuth hygiene, server identity verification, and audit logging. Read it before exposing MCP servers to production data.

MCP facts

Kind
pattern
Ecosystem
anthropic-mcp
Transports
stdio, http, sse

Capabilities

  • Scope tokens to the minimum resources each server needs
  • Filter tool outputs to strip hidden instructions before the model sees them
  • Require explicit user approval for destructive tools in the client
  • Log tool call name, arguments, caller, and outcome

Frequently asked questions

What's the main prompt-injection risk with MCP?

Resources or tool outputs can carry adversarial instructions that the model follows because it treats them as trustworthy context. Mitigate by sanitising/escaping output, showing tool results in a distinct channel, and requiring user confirmation for sensitive follow-up actions.

What auth should remote MCP servers use?

The MCP spec standardises on OAuth 2.1 with dynamic client registration. Use PKCE, short-lived access tokens, refresh tokens with rotation, and narrowly scoped permissions. Avoid static bearer tokens shared across users.

How do I stop a compromised server from exfiltrating data?

Treat each MCP server as a data egress point. Run it in a sandbox, enforce egress allowlists at the network layer, scope tokens tightly, and require user approval for tools that touch sensitive data. Rotate credentials if a server is ever suspect.

Should I trust community-maintained servers?

Review the code and supply chain the same way you'd review any third-party dependency — look at commit history, maintainer reputation, package signing, and dependency tree. Vendor or fork if you intend to run it in production.

Sources

  1. MCP security considerations — accessed 2026-04-20
  2. Anthropic — Building safe agents — accessed 2026-04-20

Related