MCP security best practices for hardening tool servers
MCP security best practices harden a Model Context Protocol server so that an AI agent calling it cannot be abused. The core controls are authenticating every connection, allow-listing only the tools an agent needs, scoping each tool to least privilege, gating high-impact actions behind human approval, validating all inputs and outputs, and logging every tool call for audit.
Independent SEO consultant & AI practitioner who builds and tests these tools.
TL;DR:
- An MCP server is the tool layer an AI agent calls, so its security determines what a hijacked agent can actually do.
- The core pillars are authentication, tool allow-listing, least-privilege scoping, input and output validation, human-in-the-loop approval, and logging.
- Least privilege is the single highest-leverage control: it contains prompt injection even when injection succeeds.
- This article supports the OWASP LLM Top 10 hub; pair it with prompt injection explained.
What is MCP security?
MCP security is the practice of hardening Model Context Protocol servers so that an agent connecting to them cannot be abused into unauthorised or destructive actions. The Model Context Protocol is an open standard, documented in the Model Context Protocol specification, that lets AI agents discover and call external tools and data sources in a uniform way. Because the MCP server is where an agent’s real-world permissions live, it is the chokepoint where you enforce security.
This maps directly onto LLM06 (Excessive Agency) in the OWASP LLM Top 10 from the OWASP GenAI Security Project. It also contains the impact of LLM01 (Prompt Injection), covered in detail in prompt injection explained.
Why do MCP servers need special hardening?
MCP servers need special hardening because they convert model text into real actions. A chatbot that is prompt-injected produces bad text; an agent with an unhardened MCP server takes bad action. The threat model assumes the agent driving the server can be hijacked by indirect prompt injection at any time. Your job is to ensure that even a fully compromised agent is constrained by the server to safe, narrow, auditable operations. This is the practical expression of least privilege, explored further in least-privilege for AI agents.
What is MCP injection?
MCP injection is a form of prompt injection where malicious instructions reach the model through a Model Context Protocol tool’s output or its description, rather than through the user’s own prompt. An attacker plants those instructions in data the agent reads or in a tool definition, causing the agent to act on attacker-controlled content as though it were a trusted instruction. Because the payload arrives via a legitimate MCP tool, output validation and least-privilege scoping are the main defences; see prompt injection explained for the underlying attack class.
How do you harden an MCP server? A numbered checklist
The following numbered list is an ordered hardening sequence. Apply every step; skipping the scoping or human-gate steps is where most real incidents originate. Specific limits below are illustrative defaults, not mandated values.
1. Authenticate every connection. Require credentials or tokens for any client connecting to the server, and never expose a remote MCP server on an unauthenticated public interface. For HTTP-based transports the MCP specification defines an authorization flow built on OAuth 2.1; a local stdio server sits inside the host process's trust boundary and should take the credentials it needs from its environment, never from the model. Prefer short-lived, rotatable tokens.
2. Allow-list tools per agent. Expose only the tools a given agent needs for its task. A summarising agent should not see a delete-database tool. Default to deny.
3. Scope each tool to least privilege. Give every tool the narrowest permission that completes its job: read-only where possible, a single resource rather than a whole account, and bounded parameters. This is the highest-leverage control.
4. Separate read from write. Run read tools freely but treat write, send, payment, and delete tools as high-impact and isolate them behind stronger controls.
5. Gate high-impact actions with human-in-the-loop. Require explicit human approval before any irreversible or sensitive tool call executes. Low-risk reads can proceed automatically.
6. Validate all inputs. Treat tool arguments coming from the model as untrusted: enforce schemas, type checks, and bounds, and reject unknown fields. Never pass model output straight into a shell, SQL query, or filesystem path; resolve any path and confirm it stays under the tool's root before touching it.
7. Sanitise and bound outputs. Cap the size of what tools return and validate it before the agent sees it, because a tool result can itself carry an indirect injection payload.
8. Enforce rate limits and quotas. Cap calls, tokens, and cost per agent to prevent unbounded consumption (LLM10) and runaway loops.
9. Log every tool call. Record the caller, the tool, the arguments, the result, and any approval decision for every invocation, including denied ones, so abuse can be detected and investigated.
10. Pin and verify dependencies. Use trusted, version-pinned MCP server packages and verify provenance to address supply-chain risk (LLM03).
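The steps above applied together in one dispatcher, as an added example (not code from the page, from any MCP SDK, or from a real server; standard-library Python only). The request shape mirrors the MCP tools/call parameters, a tool name plus an arguments object. The sandbox directory, the agent ids, the two file tools, the approval callback that always declines, and the three-calls-per-minute limit are all constructed for the demonstration, and the per-tool `schema` dict is a hand-rolled stand-in for the JSON Schema a real server would publish.

```python
"""Added example: a hardened dispatcher for MCP tools/call requests (stdlib only).
Agent ids, tool names, paths and limits are constructed for the demo; the request shape mirrors MCP tools/call params."""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Any, Callable

SANDBOX_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="mcp-sandbox-"))  # constructed root; file tools never leave it
MAX_OUTPUT_CHARS = 4000

@dataclass
class Tool:
    name: str
    risk: str                          # "read" runs freely; "write" is gated by a human
    schema: dict[str, dict[str, Any]]  # arg name -> {"type": ..., "max_len": ...}; stand-in for real JSON Schema
    handler: Callable[..., str]

def safe_path(rel: str) -> str:
    """Resolve a model-supplied path and refuse anything that escapes SANDBOX_ROOT (absolute or ../ paths)."""
    full = os.path.realpath(os.path.join(SANDBOX_ROOT, rel))
    if os.path.commonpath([SANDBOX_ROOT, full]) != SANDBOX_ROOT:
        raise PermissionError(f"path escapes sandbox: {rel!r}")
    return full

def validate_args(tool: Tool, args: Any) -> dict[str, Any]:
    """Model-supplied arguments are untrusted: unknown or missing keys, wrong types and oversized values are rejected."""
    if not isinstance(args, dict) or set(args) != set(tool.schema):
        raise ValueError(f"unexpected or missing arguments for {tool.name}: {args!r}")
    for name, rule in tool.schema.items():
        value = args[name]
        if type(value) is not rule["type"]:  # exact match, so a bool cannot pass as an int
            raise ValueError(f"{name}: expected {rule['type'].__name__}")
        if isinstance(value, str) and len(value) > rule.get("max_len", 256):
            raise ValueError(f"{name}: too long")
    return dict(args)

def bound_output(result: Any) -> str:
    """Cap a tool result and tag it as data; the cap is the hard bound, the tag only a hint to the model."""
    return f'<tool_result untrusted="true">{str(result)[:MAX_OUTPUT_CHARS]}</tool_result>'

class HardenedServer:
    def __init__(self, tools: list[Tool], allowlist: dict[str, set[str]],
                 approve: Callable[[str, str, dict[str, Any]], bool], max_calls_per_minute: int = 60):
        self.tools = {t.name: t for t in tools}
        self.allowlist = allowlist   # agent id -> tools it may see; anything else is denied
        self.approve = approve       # human-in-the-loop gate, consulted for write-risk tools only
        self.max_calls = max_calls_per_minute
        self.calls: dict[str, list[float]] = {}
        self.audit: list[dict[str, Any]] = []   # every attempt is recorded, allowed or not

    def call(self, agent: str, request: dict[str, Any]) -> dict[str, Any]:
        """Handle one tools/call request: deny by default, validate, gate writes, bound output, audit."""
        name, args = request.get("name"), request.get("arguments", {})
        entry: dict[str, Any] = {"ts": time.time(), "agent": agent, "tool": name, "args": args,
                                 "status": "denied", "approved": None}
        try:
            now = time.monotonic()  # sliding one-minute window, counted before the allow-list check
            self.calls[agent] = [t for t in self.calls.get(agent, []) if now - t < 60] + [now]
            if len(self.calls[agent]) > self.max_calls:
                raise PermissionError("rate limit exceeded")
            if name not in self.allowlist.get(agent, set()):
                raise PermissionError(f"tool not allow-listed for {agent}: {name}")
            tool = self.tools[name]
            clean = validate_args(tool, args)
            if tool.risk == "write":
                entry["approved"] = self.approve(agent, name, clean)
                if not entry["approved"]:
                    raise PermissionError("human approval denied")
            content = bound_output(tool.handler(**clean))
            entry["status"] = "ok"
            return {"ok": True, "content": content}
        except (PermissionError, ValueError, KeyError, OSError) as exc:
            entry["error"] = str(exc)
            return {"ok": False, "error": str(exc)}
        finally:
            self.audit.append(entry)

def read_file(path: str) -> str:
    with open(safe_path(path), encoding="utf-8") as fh:
        return fh.read()
def delete_file(path: str) -> str:
    os.remove(safe_path(path))
    return f"deleted {path}"
TOOLS = [Tool("read_file", "read", {"path": {"type": str, "max_len": 128}}, read_file),
         Tool("delete_file", "write", {"path": {"type": str, "max_len": 128}}, delete_file)]

def demo() -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
    """Constructed scenario: a summariser may only read; an operator may delete, but the human declines."""
    with open(os.path.join(SANDBOX_ROOT, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly numbers")
    server = HardenedServer(TOOLS, {"summariser": {"read_file"}, "operator": {"read_file", "delete_file"}},
                            approve=lambda agent, tool, args: False,  # constructed: the reviewer says no
                            max_calls_per_minute=3)                   # deliberately low so the limit trips
    requests = [
        ("summariser", {"name": "read_file", "arguments": {"path": "notes.txt"}}),
        ("summariser", {"name": "read_file", "arguments": {"path": "../../../etc/passwd"}}),
        ("summariser", {"name": "delete_file", "arguments": {"path": "notes.txt"}}),
        ("summariser", {"name": "read_file", "arguments": {"path": "notes.txt"}}),  # fourth attempt in a minute
        ("operator", {"name": "delete_file", "arguments": {"path": "notes.txt"}}),
        ("operator", {"name": "read_file", "arguments": {"path": "notes.txt", "mode": "rb"}}),
    ]
    return [server.call(agent, req) for agent, req in requests], server.audit
```

Calling `demo()` returns the six results and the audit trail: the first read succeeds, the traversal attempt is stopped by `safe_path`, the summariser's delete is denied by the allow-list, its fourth call trips the limit, the operator's delete is refused because the human declined, and the extra `mode` argument is rejected by the schema check. Two design choices worth copying: the rate window is updated before the allow-list check, so a hijacked agent probing for tools it cannot reach still burns its quota, and the audit entry is appended in a `finally` block, so denied calls leave exactly the same trace as successful ones.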
Which MCP controls map to which risks?
The table below maps each MCP control to the OWASP risk it addresses and the failure it prevents.
| MCP control | OWASP risk addressed | Failure it prevents |
|---|---|---|
| Authentication | LLM06, LLM02 | Unauthorised clients calling tools or reading data. |
| Tool allow-listing | LLM06 | An agent reaching a dangerous tool it never needed. |
| Least-privilege scoping | LLM06, LLM01 | A hijacked agent causing wide-blast-radius damage. |
| Human-in-the-loop | LLM06, LLM09 | Irreversible actions taken on bad or fabricated output. |
| Input/output validation | LLM05, LLM01 | Injection via tool arguments or poisoned tool results. |
| Rate limits and quotas | LLM10 | Cost blowouts and denial-of-service loops. |
| Logging and monitoring | LLM10, all | Silent, undetected abuse over time. |
| Dependency pinning | LLM03 | A backdoored or tampered MCP server package. |
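The logging row only pays off if someone reads the log. As an added example (not part of the page and not the output of any real MCP server), the detection rules below run over a handful of constructed JSONL audit records whose field names follow step 9 of the checklist plus an `approved` flag and a `risk` tier; those names are an assumption. The three rules target what the table calls silent abuse: a write-risk tool that ran without a recorded approval, an argument that looks like a path traversal, and a burst of denials from one agent, which is what a hijacked agent probing for tools it cannot reach looks like.

```python
"""Added example: detection rules over MCP tool-call audit records (stdlib only).
The log lines are constructed JSONL; the field names are assumed, not taken from any real server."""
import json
from collections import defaultdict
from typing import Any

# Constructed audit records, one JSON object per tool-call attempt.
SAMPLE_LOG = """\
{"ts": 1000, "agent": "summariser", "tool": "read_file", "risk": "read", "status": "ok", "approved": null, "args": {"path": "notes.txt"}}
{"ts": 1003, "agent": "summariser", "tool": "read_file", "risk": "read", "status": "denied", "approved": null, "args": {"path": "../../etc/passwd"}}
{"ts": 1004, "agent": "summariser", "tool": "delete_file", "risk": "write", "status": "denied", "approved": null, "args": {"path": "notes.txt"}}
{"ts": 1005, "agent": "summariser", "tool": "send_email", "risk": "write", "status": "denied", "approved": null, "args": {"to": "x@example.com"}}
{"ts": 1100, "agent": "operator", "tool": "delete_file", "risk": "write", "status": "ok", "approved": null, "args": {"path": "old.log"}}
{"ts": 1200, "agent": "operator", "tool": "delete_file", "risk": "write", "status": "ok", "approved": true, "args": {"path": "tmp.log"}}
"""

def parse_log(text: str) -> list[dict[str, Any]]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def looks_like_traversal(args: dict[str, Any]) -> bool:
    """Flag string arguments that try to leave a tool's root: a '..' path segment or an absolute path."""
    return any(isinstance(v, str) and (".." in v.split("/") or v.startswith("/")) for v in args.values())

def detect(records: list[dict[str, Any]], burst_window: int = 60, burst_threshold: int = 3) -> list[dict[str, Any]]:
    """Return one alert per rule hit, in log order."""
    alerts: list[dict[str, Any]] = []
    denials: dict[str, list[int]] = defaultdict(list)  # agent -> timestamps of recent denials
    for r in records:
        if looks_like_traversal(r.get("args", {})):
            alerts.append({"rule": "path_traversal_attempt", "agent": r["agent"], "tool": r["tool"], "ts": r["ts"]})
        if r["status"] == "denied":
            window = [t for t in denials[r["agent"]] if r["ts"] - t < burst_window] + [r["ts"]]
            denials[r["agent"]] = window
            if len(window) == burst_threshold:  # fire once, when the threshold is first reached
                alerts.append({"rule": "denial_burst", "agent": r["agent"], "count": len(window), "ts": r["ts"]})
        # A write that executed with no recorded approval means the human gate was bypassed or not wired up.
        if r["risk"] == "write" and r["status"] == "ok" and r.get("approved") is not True:
            alerts.append({"rule": "unapproved_write", "agent": r["agent"], "tool": r["tool"], "ts": r["ts"]})
    return alerts
```

On the sample, `detect(parse_log(SAMPLE_LOG))` raises three alerts: the traversal attempt at 1003, the summariser's third denial inside a minute at 1005, and the operator's delete at 1100 that ran without approval. The unapproved-write rule is the one to wire to a pager; in a correctly gated server it should never fire, so a single hit is a configuration bug or a bypass, not noise.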
What is the most important MCP best practice?
Least-privilege tool scoping is the most important MCP best practice. If you can only do one thing, ensure no tool grants more access than its single task requires. This single control means that even a successful prompt injection, the attack that no input filter fully stops, produces limited harm because the agent simply lacks the permissions to do real damage. Authentication keeps strangers out; least privilege keeps insiders, including hijacked agents, contained.
Anthropic's Claude documentation reflects this in its guidance on constrained, well-described tools, and national guidance via the CISA AI resources hub reinforces authentication, validation, and continuous monitoring as baseline controls.
Where to go next
See how MCP hardening fits the wider picture in the OWASP LLM Top 10 hub, then read prompt injection explained to understand the attack these controls contain. Operationalise the steps above with the AI agent hardening checklist and the least-privilege for AI agents guide, and browse more in the tools directory and guides library.
Frequently asked questions
What is MCP security?
MCP security is the practice of hardening Model Context Protocol servers, the tool layer AI agents call, so that compromised or injected agents cannot perform unauthorised or destructive actions through them.
What is the single most important MCP hardening control?
Least-privilege tool scoping is the highest-leverage control, because even if an agent is hijacked by prompt injection, a tool that can only perform safe, narrow actions limits the damage.
Do MCP servers need authentication?
Yes. Every MCP server should authenticate the client connecting to it and avoid exposing tools over unauthenticated or public network interfaces, especially for remote servers.
Should MCP tool calls require human approval?
High-impact or irreversible tool calls, such as deleting data, sending email, or moving money, should require human-in-the-loop approval. Low-risk read-only calls can run automatically.
How does MCP security relate to the OWASP LLM Top 10?
MCP hardening directly addresses LLM06 (Excessive Agency) and helps contain LLM01 (Prompt Injection), because the MCP layer is where an agent's permissions and tool access are enforced.