6 Best Practices for Building a Secure MCP Server

Since Anthropic released the Model Context Protocol in late 2024, adoption has surged, with many companies launching their own MCP servers to help AI agents access their data. 

While this is beneficial for broadening AI’s capabilities, it also exposes these companies to significant security vulnerabilities.

Without the right precautions, MCP servers could be giving blanket access to sensitive data in emails, CRMs, file storage tools, and other applications. And even when aggressive security measures are taken, malicious actors can use tactics like prompt injection attacks to get authentication credentials. 

We’re already starting to see security incidents happen. GitHub, for example, recently experienced an MCP vulnerability that exposed private repositories.

We’ve learned through first-hand experience what it takes to build an MCP server that can withstand any security threats.

To that end, here are my top tips for building and managing MCP servers.

Ensure Security with Hard Blocks and Permission Management

The most critical security principle for MCPs is that hard blocks will always override prompts and other soft controls given to agents. While AI agents have the flexibility to decide when to call tools and what inputs to send, the tool implementations—or a hard-coded layer in front of them—ultimately prevent permission issues, as long as the user’s identity is correctly authenticated.

To ensure security, configure extensions with strict permission management from the start.

This begins with managing the permissions granted to the API keys. Tools provide an advantage here by wrapping static code and creating a controlled interface that can enforce security policies, regardless of agent behavior.

Treat API Keys Like Passwords

Rather than hard-coding keys, move all credentials out of code and configuration files into environment variables or dedicated secrets managers, such as HashiCorp Vault or AWS Secrets Manager. 

Temporary credentials provide an additional layer of security for extremely sensitive data and use cases where permanent connections aren’t necessary. In this instance, tools like AWS STS can generate short-lived tokens that expire quickly, minimizing the window of potential misuse. However, for most implementations, proper OAuth with token refresh or well-secured basic authentication can effectively address these concerns.

The key is implementing per-tool role-based access control (RBAC) with built-in permissions management systems. Give each MCP integration its own fine-grained role, scoped strictly to required permissions. A Vault policy that only allows reading access to kv/data/GitHub is infinitely safer than a root token. Your cloud provider’s native Identity and Access Management (IAM) systems can automatically enforce least-privilege access patterns.

Protect Sensitive Data with DLP and PII Detection software

MCP tools can access vast amounts of sensitive data across your organization. Without proper controls, they might inadvertently expose customer PII, financial records, or proprietary information on your product.

To address this, deploy data loss prevention (DLP) software that can inspect MCP traffic in real time. Configure DLP rules to detect and block transmission of credit card numbers, Social Security numbers, API keys, and other sensitive patterns before they leave your environment.

You should also use tools that can automatically identify and mask personal information in prompts, tool responses, and audit logs. And consider using solutions that can detect PII across various formats, including structured database fields, unstructured text, and image content through advanced techniques like OCR or NLP . 

Secure and Manage Your Dependencies

The MCP ecosystem’s rapid growth has created a Wild West of potentially untrusted binaries. Community-published servers can be backdoored, poorly maintained, or simply abandoned. When you install dependencies without verification, you run the risk of potentially executing malicious code.

Implement strict dependency management with integrity verification. Use digital signatures and checksums to ensure code hasn’t been tampered with. And follow security best practices by reusing proven authorization-checking code, writing comprehensive tests, and leveraging automated tools, such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA), to identify vulnerabilities before they can be exploited.

Test Each Tool Rigorously

Direct injection attacks insert malicious commands into your tool invocation prompts, but indirect attacks are more subtle and potentially more dangerous. Attackers can, for example, embed malicious instructions in tool descriptions or metadata that get included in LLM prompts.

All tools should go through a rigorous approval process before deployment that combines automated testing with review by security professionals. Implement layered defense measures, including manual verification for critical operations, clear separation between system prompts and user inputs, and automated detection systems that can identify potential malicious instructions in both user prompts and tool metadata.

Monitor Security Incidents Proactively

Beyond foundational controls, teams should leverage a comprehensive security toolkit, including monitoring tool calls, user activity patterns, and outgoing URL access patterns, to detect potential security incidents before they escalate.

By deploying automated detection systems, you can identify unusual patterns in tool usage, unexpected data access attempts, or anomalous network traffic that might indicate a compromised system. Additionally, maintaining consistent logs to monitor a language model’s reasoning and outputs is crucial for tracking any unintended actions.

Making the Most of MCPs

MCP’s power comes from its ability to turn AI assistants into fully programmable agents. But that same power demands equally sophisticated security controls.

The solutions aren’t exotic; they’re extensions of proven security practices applied to this new architectural pattern. The data loss prevention software, PII redactors, and built-in permissions management systems you’re likely already using can be adapted to secure MCP servers. 

The organizations that address these vulnerabilities now will unlock MCP’s full potential safely.