MCP server security checklist (2026): what to lock down first
A practical MCP hardening guide for tool poisoning, prompt injection, argument validation, and pre-execution policy gates.
MCP servers expand capability fast, but also expand attack surface. Treat every tool argument as untrusted input and enforce policy at the execution boundary, not inside the model prompt.
Key takeaways
- Tool poisoning and indirect prompt injection are top MCP risks.
- Least privilege and argument validation should be mandatory per tool.
- High-risk tool classes need operator verification before execution.
Implementation checklist
- Validate MCP tool params with strict schemas.
- Restrict filesystem and network access for MCP server processes.
- Gate write/delete/export tools with runtime approval policies.
People also ask
What is the biggest MCP security mistake?
Trusting model-generated tool arguments as safe because they came from an AI assistant instead of a user.
Should every MCP tool require approval?
No. Require approval for high-risk actions, and allow safe read-only operations with policy constraints and rate limits.
How do you catch poisoned tool descriptions?
Combine static tool manifest review with runtime controls that do not trust tool metadata alone.
Related: MCP server action gate: verify Model Context Protocol tools before execution, Indirect prompt injection defense with source-trust classification.
More: all posts · runtime trust layer · open Sanctum Console