MCP SECURITY BEST PRACTICES

Hardening Model Context Protocol for Production

The Model Context Protocol (MCP) connects AI agents to external tools and data sources. In production, an improperly configured MCP server is a direct path to credential theft, data exfiltration, and supply chain compromise. This guide covers 7 best practices for securing MCP deployments.

1. Validate all tool call parameters

Every MCP tool should validate its input parameters with a strict schema (Zod, JSON Schema, or equivalent). Without validation, an attacker can inject arbitrary arguments through prompt injection, causing tools to read sensitive files, execute unintended commands, or connect to malicious endpoints. Define exact types, ranges, and allowed values for every parameter.

2. Run MCP servers in isolated containers

Never run MCP servers on the host machine. Each server should run in its own Docker container with a read-only root filesystem, no-new-privileges flag, and a seccomp profile that restricts system calls. OpenSyber provisions each MCP server in an isolated environment with deny-by-default network rules and resource limits (CPU, memory, disk).

3. Monitor MCP config file integrity

MCP configuration files (typically mcp.json or .cursor/mcp.json) define which servers an agent connects to. An attacker who modifies this file can redirect the agent to a rogue server that intercepts all tool calls. OpenSyber monitors MCP config files every 30 seconds and alerts immediately on any unauthorized modification.

4. Restrict tool permissions to minimum scope

Each MCP tool should declare exactly which resources it needs: specific file paths, specific network domains, and specific credential names. Tools should never have blanket filesystem or network access. OpenSyber enforces this through its permissions model where tools declare access requirements in their manifest and users approve them before installation.

5. Authenticate server-to-server connections

MCP servers that connect to external APIs should use short-lived tokens with automatic rotation, not long-lived API keys. Store credentials in an encrypted vault (not environment variables or config files) and inject them at runtime. OpenSyber's credential vault provides AES-256 encryption at rest with 24-hour automatic rotation policies.

6. Log every tool invocation

Every MCP tool call should be logged with: timestamp, tool name, input parameters (redacting secrets), output summary, execution duration, and the identity of the requesting agent. These logs are essential for incident investigation and compliance. OpenSyber captures full audit trails with configurable retention from 7 days (Free) to 1 year (Enterprise).

7. Guard against tool poisoning

Tool poisoning occurs when a malicious MCP server returns crafted responses designed to manipulate the AI agent into executing harmful actions. Defenses include: validating tool outputs against expected schemas, limiting the actions an agent can take based on tool responses, and flagging unexpected patterns like base64-encoded data or URLs in tool outputs. OpenSyber's behavioral analysis monitors tool response patterns and alerts on anomalies.