Securing Your MCP Server in 10 Steps

The Model Context Protocol is quickly becoming the standard way AI agents talk to external tools and data sources. That also makes it a prime attack surface. A new security checklist posted on Hacker News lays out the essential controls every team should have in place before deploying an MCP server to production. With 158 upvotes and counting, it clearly struck a nerve.

MCP lets AI models call tools, query databases, and trigger actions in the real world. That power comes with serious risk if you don’t lock things down. This guide walks through all 10 controls from the checklist, with context on why each one matters.

🎯 Quick Start

What you’ll learn: How to secure an MCP server deployment using 10 battle-tested controls.

What you need: An MCP server (deployed or in development), basic understanding of API security, and access to your infrastructure configuration.

The 10 Controls, Explained

1. Never expose MCP over the public internet without mTLS or equivalent.

MCP servers aren’t web apps. Exposing them without mutual TLS means any client can connect and start invoking tools. mTLS ensures both sides prove their identity before a single message flows. If mTLS isn’t feasible, use VPN tunneling or a zero-trust proxy. No exceptions.

2. Scope every tool to the minimum necessary permissions.

An MCP tool that can read a database shouldn’t also be able to delete tables. Apply least-privilege at the tool level, not just the server level. This limits blast radius when (not if) something goes wrong. Review each tool’s access individually.

3. Validate and sanitize all inputs before they reach tool execution.

AI agents generate inputs dynamically, which means prompt injection and malformed payloads are real threats. Treat every input from an agent the same way you’d treat user input in a web form: validate type, length, format, and allowed characters before execution.

4. Log every tool invocation with the originating session context.

You can’t investigate what you didn’t record. Every tool call should generate a log entry that includes which session triggered it, what parameters were passed, and what the outcome was. This is your audit trail when things go sideways.

5. Set rate limits on both the MCP server and any downstream APIs it calls.

An autonomous agent can fire hundreds of requests per minute. Without rate limits, a single runaway loop can burn through API quotas, rack up costs, or DDoS your own infrastructure. Set limits at two layers: the MCP server itself and every external API it touches.
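Controls 4 and 5 fit naturally in one dispatch layer, so here is an added example (not the checklist's code and not an MCP SDK API) that wraps every tool call with a per-session budget, a per-tool budget standing in for the downstream API's quota, and a structured audit record carrying the session context. The `ToolGateway` class, its limits and the record layout are assumptions for this illustration.

```python
import json
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("mcp.audit")


class RateLimitExceeded(Exception):
    pass


class ToolGateway:
    def __init__(self, per_session_per_min, per_tool_per_min, clock=time.time):
        self.tools = {}
        self.limits = (per_session_per_min, per_tool_per_min)
        self.clock = clock                 # injectable for deterministic tests
        self.windows = defaultdict(deque)  # key -> call timestamps in the last 60 s
        self.audit = []                    # in-memory copy of the emitted records

    def register(self, name, handler):
        self.tools[name] = handler

    def _check(self, key, limit):
        now, q = self.clock(), self.windows[key]
        while q and now - q[0] >= 60:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            raise RateLimitExceeded(key)
        q.append(now)

    def invoke(self, session_id, tool, args):
        # One record per attempt, even when refused or failing (redact secrets from args in production).
        record = {"ts": self.clock(), "session": session_id, "tool": tool,
                  "args": args, "outcome": None}
        try:
            self._check(f"session:{session_id}", self.limits[0])  # MCP server's own budget
            self._check(f"tool:{tool}", self.limits[1])           # downstream API's budget
            result = self.tools[tool](**args)
            record["outcome"] = "ok"
            return result
        except RateLimitExceeded as e:
            record["outcome"] = f"rate_limited:{e}"
            raise
        except Exception as e:
            record["outcome"] = f"error:{type(e).__name__}"
            raise
        finally:
            self.audit.append(record)
            log.info(json.dumps(record, default=str))
```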

6. Treat agent sessions as untrusted by default. Validate intent, not just tokens.

A valid auth token doesn’t mean the request is safe. Agents can be manipulated through prompt injection to perform actions the user never intended. Build validation that checks whether the requested action makes sense in context, not just whether the caller is authenticated.

7. Separate read and write tools. Require explicit approval for write ops in sensitive contexts.

This is the principle of least surprise applied to AI. A tool that reads customer records should be a different tool from one that modifies them. For write operations in sensitive environments (production databases, financial systems), require human-in-the-loop approval.
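Controls 6 and 7 together amount to one authorization decision per call, shown here as an added example (not the checklist's code and not part of the MCP specification): the session carries the purpose it was opened for, every tool is either read or write and names the resource it touches, and a write to a sensitive resource only proceeds with a human approval bound to the exact arguments. The `Tool` and `Session` shapes, the sensitive-resource list and the approval-id scheme are assumptions for this illustration.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    kind: str       # "read" or "write": never both in one tool
    resource: str   # what it touches, e.g. "customers" or "ledger"


@dataclass
class Session:
    session_id: str
    purpose: str            # what the user actually asked the agent to do
    scope: frozenset        # resources that purpose legitimately needs
    authenticated: bool = True


SENSITIVE_RESOURCES = {"ledger", "prod_db"}   # constructed for this example


class Denied(Exception):
    pass


def approval_id(session_id: str, tool: str, args: dict) -> str:
    """Id a human approver signs off on; it binds the exact arguments, so a
    later call with different arguments cannot reuse the approval."""
    canon = json.dumps([session_id, tool, args], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def authorize(session: Session, tool: Tool, args: dict, approvals: set) -> str:
    """Return "allow" or raise Denied; a valid token alone is never sufficient."""
    if not session.authenticated:
        raise Denied("unauthenticated")
    # Intent check: does this call fit what the session was opened for?
    if tool.resource not in session.scope:
        raise Denied(f"{tool.name} touches {tool.resource}, outside '{session.purpose}'")
    if tool.kind == "read":
        return "allow"
    # Write path: sensitive resources need a human approval bound to these args.
    if tool.resource in SENSITIVE_RESOURCES:
        if approval_id(session.session_id, tool.name, args) not in approvals:
            raise Denied(f"write to {tool.resource} needs human approval")
    return "allow"
```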

8. Rotate credentials used by MCP servers on a defined schedule.

MCP servers hold API keys, database credentials, and service tokens. If any of those leak, the window of exposure should be as small as possible. Define a rotation schedule and automate it. Don’t wait for a breach to discover your keys haven’t changed in six months.

9. Monitor for behavioral anomalies: unusual tool chains, high-frequency calls, off-hours access.

Static rules catch known attacks. Behavioral monitoring catches the unknown ones. Watch for tool call sequences that don’t match normal patterns, sudden spikes in usage, or activity during hours when no one should be working. These are early warning signs of compromise or misuse.
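The three signals named above can be checked directly against the audit trail from control 4. The following is an added example (not the checklist's code) that runs all three over constructed JSON-lines audit records; the record layout, the baseline of normal tool chains, the business-hours window and the thresholds are assumptions for this illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline: tool-to-tool transitions observed in normal sessions.
NORMAL_CHAINS = {("lookup_customer", "read_invoices"), ("read_invoices", "read_invoices"), ("read_invoices", "summarize")}
BUSINESS_HOURS = range(8, 18)   # UTC hours in which agents are expected to run
MAX_CALLS_PER_MIN = 20


def detect_anomalies(lines, chains=NORMAL_CHAINS, max_per_min=MAX_CALLS_PER_MIN):
    """Return (session, kind, detail) alerts from JSON-lines audit records."""
    records = sorted((json.loads(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts, seen, last_tool, window = [], set(), {}, defaultdict(list)
    def add(sid, kind, detail, once=True):   # rate and off-hours alerts fire once per session
        if once and (sid, kind) in seen:
            return
        seen.add((sid, kind))
        alerts.append((sid, kind, detail))

    for r in records:
        sid, tool, ts = r["session"], r["tool"], r["ts"]
        # 1. Unusual tool chain: a transition the baseline has never seen.
        prev = last_tool.get(sid)
        if prev is not None and (prev, tool) not in chains:
            add(sid, "unusual_chain", f"{prev} -> {tool}", once=False)
        last_tool[sid] = tool
        # 2. High-frequency calls: sliding 60 s window per session.
        w = window[sid]
        w.append(ts)
        while ts - w[0] > 60:
            w.pop(0)
        if len(w) > max_per_min:
            add(sid, "high_frequency", f"{len(w)} calls in 60 s")
        # 3. Off-hours access.
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
        if hour not in BUSINESS_HOURS:
            add(sid, "off_hours", f"{hour:02d}:00 UTC")
    return alerts


def _rec(sid, tool, ts):   # builds one constructed audit record
    return json.dumps({"ts": ts, "session": sid, "tool": tool, "outcome": "ok"})

T0 = 1714989600   # 2024-05-06 10:00:00 UTC, inside business hours (constructed)
SAMPLE_LINES = (
    [_rec("s-normal", t, T0 + i * 5) for i, t in enumerate(("lookup_customer", "read_invoices", "summarize"))]
    + [_rec("s-odd", "lookup_customer", T0 + 60), _rec("s-odd", "update_customer", T0 + 61)]
    + [_rec("s-loop", "read_invoices", T0 + 120 + i) for i in range(25)]
    + [_rec("s-night", "lookup_customer", T0 - 7 * 3600)]   # 03:00 UTC
)
```

On the sample data the normal session produces nothing, while the other three sessions each trigger exactly the signal they were built to show.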

10. Conduct a tool inventory review before every production deployment.

Tools accumulate. Old ones stick around. New ones get added without review. Before every deploy, audit which tools are registered, what permissions they have, and whether they’re still needed. Remove anything that isn’t actively required.
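A review like this is easiest to keep honest when it runs as a gate in the pipeline. Here is an added example (not the checklist's code) that compares what the server registers against an approved manifest and recent usage, and blocks the deploy on unapproved or over-permissioned tools; the registry and manifest formats, the 30-day staleness threshold and the sample data are assumptions for this illustration.

```python
from dataclasses import dataclass

STALE_AFTER_DAYS = 30   # constructed threshold for "still needed"

@dataclass(frozen=True)
class Finding:
    tool: str
    issue: str       # unapproved | over_permissioned | stale | missing
    detail: str
    blocking: bool   # True: the deploy must not proceed


def review_inventory(registered: dict, manifest: dict, last_used_days: dict) -> list:
    """registered: tool -> permissions the server actually grants it.
    manifest: tool -> permissions approved for this release (the source of truth).
    last_used_days: tool -> days since its last audited invocation (absent = never)."""
    findings = []
    for tool, perms in registered.items():
        if tool not in manifest:
            findings.append(Finding(tool, "unapproved", "registered but not in the manifest", True))
            continue
        extra = set(perms) - set(manifest[tool])
        if extra:
            findings.append(Finding(tool, "over_permissioned", f"beyond manifest: {sorted(extra)}", True))
        age = last_used_days.get(tool)
        if age is None or age > STALE_AFTER_DAYS:
            why = "never invoked" if age is None else f"unused for {age} days"
            findings.append(Finding(tool, "stale", why, False))
    for tool in manifest.keys() - registered.keys():
        findings.append(Finding(tool, "missing", "approved but not registered", False))
    return findings


def deploy_allowed(findings: list) -> bool:
    return not any(f.blocking for f in findings)   # CI gate: blocking findings fail the deploy


# Constructed snapshot: the server's registry, the release manifest and usage data.
REGISTERED = {
    "lookup_customer": {"customers:read"},
    "update_customer": {"customers:read", "customers:write", "customers:delete"},
    "export_report": {"reports:read"},
    "legacy_import": {"files:write"},
}
MANIFEST = {
    "lookup_customer": {"customers:read"},
    "update_customer": {"customers:read", "customers:write"},
    "export_report": {"reports:read"},
    "send_summary": {"email:send"},
}
LAST_USED_DAYS = {"lookup_customer": 1, "update_customer": 4, "export_report": 90}
```

Stale tools are reported rather than blocking so the reviewer decides whether to remove them, which is the point of the manual inventory pass.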

⚡ Practical Tips

  • Start with controls 1, 3, and 6. These cover the most common attack vectors: unauthorized access, input manipulation, and intent spoofing.
  • Automate what you can. Credential rotation (control 8) and rate limiting (control 5) should never depend on someone remembering to do them.
  • Layer your defenses. No single control is sufficient. The checklist works because the controls reinforce each other.

What Comes Next

The MCP ecosystem is moving fast. As more teams connect AI agents to production systems, security frameworks like this one will become table stakes. Consider integrating these controls into your CI/CD pipeline so they’re checked automatically, not just at deploy time.

For teams building on MCP today, this checklist is a solid baseline. The full version, according to Hacker News, includes additional granular controls beyond the top 10. Worth bookmarking and revisiting as your deployment grows.
