Skip to main content

Introduction

The Secure MCP Gateway implements a comprehensive security architecture designed to protect Model Context Protocol (MCP) communications from a wide range of threats. This page provides an overview of the security model, architecture, and protection mechanisms.
Security-First Design: The gateway acts as a security layer between MCP clients (like Claude Desktop, Cursor) and MCP servers, enforcing authentication, authorization, and guardrails on all communications.

Threat Model

The Secure MCP Gateway protects against the following threat categories:

Critical Threats (Rank 1-4)

Prompt Injection

Risk Level: Critical (Rank #1)Attackers attempt to manipulate AI behavior by injecting malicious instructions through:
  • Tool descriptions containing hidden commands
  • Server metadata with instruction overrides
  • User data embedding system prompts
  • Document content with context hijacking
Mitigation: Injection attack detection, policy violation guardrails
Risk Level: Critical (Rank #2)Exploitation of OS command execution through:
  • Unsanitized parameters passed to shell commands
  • File paths with embedded shell metacharacters
  • Tool arguments containing command separators
Mitigation: Command injection detection, tool registration validation
Risk Level: Critical (Rank #4)Direct code execution in application runtime via:
  • Unsafe deserialization (pickle, YAML, JSON)
  • Template injection (Jinja2, Twig)
  • Dynamic code evaluation (eval, exec)
Mitigation: Server/tool registration guardrails, keyword detection

High-Risk Threats (Rank 5-10)

Credential Theft

Unauthorized access to:
  • Environment variables with secrets
  • Configuration files with API keys
  • Authentication tokens and sessions
Mitigation: PII detection, sensitive data masking

Path Traversal

Directory traversal attacks:
  • Reading arbitrary files (../../etc/passwd)
  • Writing to restricted locations
  • Zip slip vulnerabilities
Mitigation: Tool validation, keyword blocking

Server-Side Request Forgery

Unauthorized network access:
  • Internal network scanning
  • Cloud metadata service access
  • Bypassing network restrictions
Mitigation: OpenWorldHint validation, policy checks

Resource Exhaustion

Denial of service through:
  • Infinite loops and CPU exhaustion
  • Memory bombs and allocation attacks
  • Disk space consumption
Mitigation: Timeout management, sponge attack detection

Security Architecture

Multi-Layer Defense

The gateway implements defense-in-depth with multiple security layers:

Security Components

1

Authentication Layer

API Key Validation: Every request requires a valid gateway API key
  • Key-based authentication with project/user context
  • Secure key generation (256-character random strings)
  • Key rotation and management capabilities
Implementation: Plugin-based auth system supports local and remote validation
2

Server Registration Validation

Tool Discovery Protection: Validates MCP servers during discovery
  • Server metadata scanning for malicious patterns
  • Tool description analysis for injection attempts
  • Destructive/OpenWorld hint enforcement
Block Mode: Prevents registration of unsafe servers entirely
3

Input Guardrails

Pre-Execution Protection: Validates requests before sending to servers
  • Content analysis for threats and policy violations
  • PII detection and automatic redaction
  • Injection attack prevention
Configurable: Per-server guardrail policies with custom block lists
4

Output Guardrails

Post-Execution Protection: Validates responses before returning to client
  • All input checks plus output-specific validations
  • Relevancy and adherence checking
  • Hallucination detection
  • Automatic PII de-anonymization
Smart Restoration: PII redacted on input is restored in safe outputs

Protection Mechanisms

1. Guardrail System

The guardrail system provides real-time threat detection and prevention: 
{
  "server_name": "github_server",
  "enable_tool_guardrails": true,
  "input_guardrails_policy": {
    "enabled": true,
    "policy_name": "Sample Airline Guardrail",
    "additional_config": {
      "pii_redaction": true
    },
    "block": [
      "policy_violation",
      "injection_attack",
      "toxicity",
      "nsfw",
      "keyword_detector",
      "bias"
    ]
  },
  "output_guardrails_policy": {
    "enabled": true,
    "policy_name": "Sample Airline Guardrail",
    "additional_config": {
      "relevancy": true,
      "adherence": true,
      "hallucination": false
    },
    "block": [
      "policy_violation"
    ]
  }
}

2. Authentication & Authorization

API Key Management:
  • Unique keys per user-project combination
  • Automatic generation with high entropy
  • Secure storage and retrieval
  • Rotation capabilities
Admin API Security:
  • Separate admin API key (256-char random)
  • Bearer token authentication for REST API
  • CORS configuration for web access

3. Sensitive Data Protection

Auto-Masking: Sensitive environment variables are automatically masked in logs
# Masked patterns
sensitive_keys = [
    "token", "key", "secret", "password",
    "auth", "credential", "apikey", "api_key"
]

# Example
"AWS_SECRET_ACCESS_KEY""AWS_****_KEY"

4. Timeout Management

Operation Timeouts: Prevents resource exhaustion attacks
Operation TypeDefault TimeoutPurpose
Guardrail Validation15sPrevent DoS via guardrail API
Tool Execution60sLimit long-running tools
Discovery20sBound server discovery time
Authentication10sFast-fail auth checks
Cache Operations5sQuick cache access
Escalation Policies:
  • Warn at 80% of timeout
  • Hard timeout at 100%
  • Failure at 120% (grace period)

Fail-Safe Defaults

Security Posture: The gateway implements fail-closed defaults for security-critical operations

Fail-Closed Scenarios

  1. Guardrail API Errors: If guardrail validation fails due to API errors or timeouts, block the request
  2. Tool Registration Errors: If tool validation encounters errors, prevent tool registration
  3. Authentication Failures: If auth validation fails, reject the request
  4. Unauthorized Access: If API key validation fails with auth errors, block access

Fail-Open Scenarios

  1. Discovery Errors (non-guardrail): Allow server discovery if not using tool guardrails
  2. Cache Failures: Fall back to direct queries if cache is unavailable
  3. Telemetry Errors: Continue operation if logging/tracing fails

Security Best Practices

  1. Use Strong API Keys: Generate keys with high entropy (use built-in generator)
  2. Enable Guardrails: Always enable guardrails for external/untrusted MCP servers
  3. Configure Block Lists: Customize block lists based on your threat model
  4. Monitor Metrics: Track guardrail blocks and violations in Grafana
  5. Rotate Keys Regularly: Use secure-mcp-gateway apikey rotate periodically
  6. Review Logs: Check structured logs for security events
  7. Use External Cache: Deploy Redis/KeyDB for multi-instance setups
  8. Backup Configs: Regular backups with secure-mcp-gateway system backup
  1. Clear Tool Descriptions: Write accurate descriptions without promotional language
  2. Set Proper Annotations:
    • destructiveHint: true for any tool that modifies state
    • readOnlyHint: true only for truly read-only operations
    • openWorldHint: true if tool accesses external networks
  3. Validate Inputs: Always validate and sanitize tool parameters
  4. Avoid Dangerous Patterns: Don’t use eval, exec, pickle, or shell commands
  5. Least Privilege: Request minimum necessary permissions
  6. Document Security: Clearly document any security considerations
  1. Trust But Verify: Review MCP servers before adding to gateway
  2. Check Tool Descriptions: Look for suspicious or vague descriptions
  3. Review Permissions: Understand what destructive/openWorld tools do
  4. Report Issues: Report suspicious servers to gateway administrators
  5. Use Separate Projects: Isolate high-risk servers in dedicated projects

Security Metrics & Monitoring

Key Metrics

Guardrail Performance:
  • guardrail_blocks_total - Total requests blocked by guardrails
  • guardrail_violations_by_type - Violations by type (injection, PII, etc.)
  • guardrail_latency_ms - Guardrail evaluation time
  • pii_redactions_total - PII redaction operations
Authentication Metrics:
  • auth_failures_total - Failed authentication attempts
  • auth_latency_ms - Authentication check duration
  • active_api_keys - Number of active keys
Tool Security Metrics:
  • tool_registrations_blocked - Tools blocked during discovery
  • server_registrations_blocked - Servers blocked during validation
  • destructive_tools_executed - Destructive tool invocations

Grafana Dashboards

The gateway includes pre-built Grafana dashboards for security monitoring:
  • Security Overview: High-level security posture
  • Guardrail Performance: Detailed guardrail metrics
  • Threat Detection: Real-time threat indicators
  • Audit Trail: Complete request/response audit log

Next Steps

Guardrail Types

Explore all guardrail types and detection mechanisms

PII Handling

Learn about PII detection, redaction, and de-anonymization

Security Testing

Test your security posture with bad_mcps attack scenarios

Configuration

Configure guardrails for your MCP servers

Resources

MCP Security Top 25

Adversa.ai vulnerability ranking

JFrog RCE Research

MCP command injection vulnerability

Enkrypt Blog

How the Gateway prevents top attacks

Build docs developers (and LLMs) love

Get started for freeTalk to us