docs: add Security Evaluation Guide for MCP servers#3926

Closed
karlmehta wants to merge 1 commit into modelcontextprotocol:main from karlmehta:add-security-evaluation-guide

Conversation

@karlmehta

Summary

Adds a SECURITY_EVALUATION.md guide that helps MCP server developers and enterprise adopters evaluate server security before production deployment.

This is a documentation improvement — not a link to an external service. The guide is framework-agnostic and practical.

What it covers

8 security dimensions with specific questions and checks:

  1. Tool Safety — Can tools cause irreversible harm? Is read-only mode available?
  2. Input Validation — SQL injection, path traversal, command injection via tool arguments
  3. Permission Scope — Does the server follow least privilege?
  4. Authentication & Secrets — How are credentials stored and rotated?
  5. Rate Limiting — Can a runaway agent exhaust resources?
  6. Audit Trail — Are tool calls logged with context?
  7. Network Isolation — SSRF protection, metadata endpoint blocking
  8. Dependency Security — CVE audit, maintenance status

Also includes:

  • A practical evaluation checklist (11 items)
  • Best practices for server developers (7 recommendations)
  • Links to MCP spec security section, OWASP LLM Top 10, NIST AI RMF

Why this is needed

MCP servers grant agents access to databases, payments, cloud infrastructure, and email. As enterprise adoption grows, teams evaluating MCP servers for production use need a structured way to assess security. This guide provides that structure.

The existing SECURITY.md covers vulnerability reporting. This new guide covers proactive security evaluation — complementary, not overlapping.

Scope

  • One new file: SECURITY_EVALUATION.md (167 lines)
  • No code changes
  • No changes to existing files
  • Referenced standards: MCP spec, OWASP, NIST (no commercial links in the guide body)

Framework-agnostic guide for evaluating MCP server security before
production deployment. Covers 8 dimensions: tool safety, input
validation, permission scope, authentication, rate limiting, audit
trail, network isolation, dependency security.

Includes a practical checklist and best practices for server developers.
Referenced from the existing Security section in README.
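
As an added illustration of the input-validation and network-isolation checks listed in the PR description (path traversal via tool arguments, SSRF and metadata-endpoint blocking), the Python below shows how an MCP server could vet file-path and URL tool arguments before a tool runs. It is not part of the PR or of the proposed guide; the sandbox root, host names and addresses are constructed.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Constructed sandbox root for a file-reading tool (assumption, not from the guide).
ALLOWED_ROOT = "/srv/mcp-data"


def is_path_confined(user_path: str, root: str = ALLOWED_ROOT) -> bool:
    """Path-traversal check: the resolved argument must stay under the root.
    Absolute paths, '..' segments and symlinks are all normalised by realpath."""
    root_real = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root_real, user_path))
    return resolved == root_real or resolved.startswith(root_real + os.sep)


def is_blocked_address(ip: str) -> bool:
    """True for addresses a tool must never fetch: loopback, RFC 1918 / ULA,
    link-local (which covers the 169.254.169.254 cloud metadata endpoint),
    reserved and unspecified ranges; only globally routable addresses pass."""
    return not ipaddress.ip_address(ip).is_global


def _resolve_dns(host: str) -> list[str]:
    """Default resolver; the test injects a constructed host map instead."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_target(url: str, resolve=None) -> bool:
    """SSRF check for a URL tool argument: scheme allow-list, then every
    address the host resolves to must be globally routable. The client that
    performs the fetch should connect to the vetted address rather than
    re-resolving, otherwise DNS rebinding could still reach an internal host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)            # literal address in the URL
        return not is_blocked_address(host)
    except ValueError:
        pass                                  # a DNS name: resolve it below
    addrs = (resolve or _resolve_dns)(host)
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)
```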
@cliffhall
Member

This is a reference server repo for educational purposes. We are not accepting unsolicited guide/doc additions, updates to our (now retired) community server list, Rating / badge / scoring for servers, Promotional "example" servers, or out of scope features. If you are trying to register a server, please go to https://registry.modelcontextprotocol.io

@cliffhall cliffhall closed this Apr 15, 2026