@@ -24,7 +24,8 @@ NEVER deploy MCP servers or clients without implementing proper security control
2424- Sanitize file paths through canonicalization
2525- Use parameterized queries for database operations
2626- Apply context-aware output encoding (SQL, shell, HTML)
27- - Treat ALL AI-generated content as untrusted input
27+ - Sanitize tool outputs: return only minimum fields, redact all PII and sensitive data
28+ - Treat ALL inputs, tool schemas, metadata, prompts, and resource content as untrusted input
2829- Deploy prompt injection detection systems
2930- Use strict JSON schemas to maintain boundaries between instructions and data
3031
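Review bot: the rewritten line 28 drops the explicit "AI-generated content" wording from the untrusted-input list; "ALL inputs, tool schemas, metadata, prompts, and resource content" names what flows into the model but no longer states that model output itself (the tool arguments the LLM produces) is untrusted, which is the case the old line 27 covered. Suggest keeping it in the enumeration, e.g. "- Treat ALL inputs, AI-generated content, tool schemas, metadata, prompts, and resource content as untrusted input". The new line 27 ("Sanitize tool outputs: return only minimum fields, redact all PII and sensitive data") should also say where this happens, i.e. on the server before the result is returned to the client/model, so it is not read as a client-side responsibility.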
@@ -50,13 +51,20 @@ NEVER deploy MCP servers or clients without implementing proper security control
5051#### HTTP Streaming Transport (Remote Servers)
5152Required security controls to implement:
5253- Payload Limits (prevent large payload and recursive payload DoS)
54+ - Rate limiting for tool calls and transport requests
5355- Client-Server Authentication/Authorization
5456- Mutual TLS Authentication
5557- TLS Encryption
5658- CORS Protection
5759- CSRF Protection
5860- Integrity Checks (prevent replay, spoofing, poisoned responses)
5961
62+ ### Secure Tool and UX Design
63+ - Create single-purpose tools with explicit boundaries; avoid "do anything" tools
64+ - Do not rely on the LLM for validation or authorization decisions
65+ - Use two-stage commit for high-impact actions: draft/preview first, explicit commit with confirmation second
66+ - Provide rollback/undo paths (draft IDs, snapshots, reversible actions) and time-bound commits when possible
67+
6068### Human-in-the-Loop
6169- Implement confirmation prompts for risky operations in your MCP server
6270- Use elicitation on MCP server side to request user confirmation of risky actions
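Review bot: the two-stage commit item (line 65) overlaps with the "Human-in-the-Loop" items directly below (confirmation prompts, elicitation) without saying how they relate; together with line 64 ("Do not rely on the LLM for validation or authorization decisions") the intent seems to be that the confirmation in the commit stage comes from the user via the server's elicitation/confirmation mechanism, not from the model. Suggest stating that explicitly, e.g. "explicit commit with user confirmation (see Human-in-the-Loop) second". Line 66's "time-bound commits when possible" is also vague as written: it should spell out that the draft/preview identifier expires and that the commit must reference a still-valid draft, otherwise the rollback/undo guidance has nothing concrete to attach to. Finally, the new rate-limiting control (line 54) is placed under the HTTP Streaming Transport section only; if it is meant to apply to tool calls regardless of transport, it belongs in a transport-independent section rather than this one.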