A practical, community-maintained security checklist for teams building and deploying Model Context Protocol (MCP) servers and AI agent infrastructure.
MCP is being adopted rapidly. Security guidance is lagging behind.
This checklist gives security engineers, platform teams, and technical leaders a clear, actionable baseline for securing MCP deployments — whether you're shipping an internal tool or a customer-facing AI agent.
It is not vendor-specific, complete, or a replacement for a full security review. It is a starting point.
| Checklist | Audience | Description |
|---|---|---|
| Authentication & Authorization | All | Identity, token scope, and access control |
| Input Validation & Prompt Injection | Engineers | Sanitizing inputs before tool execution |
| Tool & Resource Exposure | Engineers / Architects | Limiting blast radius of MCP tools |
| API Session Security | Platform Teams | Securing inbound sessions from agents |
| Monitoring & Observability | SecOps | What to log, alert on, and review |
| Network & Infrastructure | Platform Teams | Network-layer hardening |
| CISO Summary | CISOs / Leadership | Non-technical risk summary |
If you do nothing else, cover these:
- Never expose MCP over the public internet without mTLS or equivalent.
- Scope every tool to the minimum necessary permissions.
- Validate and sanitize all inputs before they reach tool execution.
- Log every tool invocation with the originating session context.
- Set rate limits on both the MCP server and any downstream APIs it calls.
- Treat agent sessions as untrusted by default — validate intent, not just auth tokens.
- Separate read and write tool categories; require explicit approval for write operations in sensitive contexts.
- Rotate credentials used by MCP servers on a defined schedule.
- Monitor for behavioral anomalies: unusual tool chains, high-frequency calls, off-hours access.
- Conduct a tool inventory review before every production deployment.
A JSON and YAML version of the checklist is available for integration into CI/CD pipelines, compliance tooling, or custom dashboards:
Browse the checklist in a friendlier format at: helixar-ai.github.io/mcp-security-checklist
This checklist improves through community input. If you've encountered a gap, misconfiguration, or attack pattern in real-world MCP deployments — we want to hear about it.
See CONTRIBUTING.md for how to get involved.
This checklist covers:
- MCP server deployment and configuration security
- Inbound session and API request security
- Agent-to-tool interaction surface
- Operational monitoring and detection
This checklist does not cover:
- Model weights or training pipeline security
- End-user data privacy compliance (GDPR, CCPA, etc.)
- General cloud infrastructure hardening
MIT. Use it freely. Attribution appreciated.
Maintained by the Helixar security research team. Helixar builds AI-native endpoint and API security for agentic infrastructure.