Blog

MCP security

mcpllm-securitytool-useprompt-injection

MCP Server Security Best Practices & Checklist (2026)

Lock down MCP servers first: tool poisoning, argument validation, least privilege, dispatcher hardening, and pre-execution policy gates.

May 27, 20267 min read

MCP servers expand capability fast, but also expand attack surface. Treat every tool argument as untrusted input and enforce policy at the execution boundary, not inside the model prompt.

MCP server security best practices (2026)

MCP expands what LLMs can touch — filesystems, APIs, payment rails, devices. Security must live at the server boundary and the execution gate, not in prompt instructions.

  • Validate every tool argument with strict schemas (types, ranges, enums).
  • Run MCP server processes with least-privilege OS and network access.
  • Review tool manifests for poisoning — hidden instructions in descriptions.
  • Gate write, delete, exec, and export tools with runtime authorization.
  • Log actor, tool name, arguments hash, and policy decision per call.
  • Rate-limit high-risk tools and alert on unusual cross-tool chains.
  • Harden dispatchers and RPC bridges — a common confused-deputy path.

Dispatcher security checklist

Dispatcher layers that route tool calls between agents and backends are a frequent blind spot. Treat dispatchers like public APIs:

  • Authenticate every inbound tool request — no implicit trust from localhost.
  • Scope credentials per agent identity, not shared service accounts.
  • Reject tool calls whose arguments fail schema validation.
  • Require runtime verification for state-changing dispatcher actions.

Key takeaways

  • Tool poisoning and indirect prompt injection are top MCP risks.
  • Least privilege and argument validation should be mandatory per tool.
  • High-risk tool classes need operator verification before execution.

Implementation checklist

  1. Validate MCP tool params with strict schemas.
  2. Restrict filesystem and network access for MCP server processes.
  3. Gate write/delete/export tools with runtime approval policies.

People also ask

What is the biggest MCP security mistake?

Trusting model-generated tool arguments as safe because they came from an AI assistant instead of a user.

Should every MCP tool require approval?

No. Require approval for high-risk actions, and allow safe read-only operations with policy constraints and rate limits.

How do you catch poisoned tool descriptions?

Combine static tool manifest review with runtime controls that do not trust tool metadata alone.

Guides: agentic AI risk · MCP security · runtime authorization · HITL approvals · coding agents · get startedMore: all posts · AI trust layer · open Sanctum Console

Give every agent action a trust boundary.

Start with Connect Agent, keep the SDK path for deeper fleets, and prove exactly what was approved, blocked, or contained.