Docs: add practical server hardening checklist to SBP #2223

Open
TheodorNEngoy wants to merge 4 commits into modelcontextprotocol:main from TheodorNEngoy:codex/server-hardening-doc

@TheodorNEngoy TheodorNEngoy commented Feb 7, 2026

Adds a short, implementation-agnostic server hardening checklist to the Security Best Practices doc (for common real-world MCP server footguns, especially when exposed over HTTP/SSE/WebSocket).

Covers:

  • authn/authz for network-exposed servers + recommend binding loopback by default when not intentionally remote
  • browser threat model: CORS allowlisting + cookie/CSRF notes
  • DoS guards: request size limits, timeouts, rate limiting, concurrency bounds
  • least privilege: avoid shell/filesystem tools; safer command execution patterns
  • input validation and log redaction

Updated in both:

  • docs/specification/draft/basic/security_best_practices.mdx
  • docs/specification/2025-11-25/basic/security_best_practices.mdx

Docs only; no behavior changes.
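
Several of the checklist items named in the description above, sketched as an added example (not code from this PR or from the MCP specification): loopback bind default, exact-match Origin allowlist, bearer-token check, request size limit, concurrency bound, and shell-free command construction. Every name and limit, and the `git_log` command, is an assumption made for illustration.

```python
import hmac
import threading

# Illustrative only: every name and limit below is an assumption.
ALLOWED_ORIGINS = {"https://app.example.com"}  # exact-match CORS allowlist
MAX_BODY_BYTES = 1 << 20                        # request size cap (1 MiB)
MAX_IN_FLIGHT = 8                               # concurrency bound
BIND_HOST = "127.0.0.1"                         # loopback unless intentionally remote
SLOTS = threading.BoundedSemaphore(MAX_IN_FLIGHT)
# Fixed argv templates: callers pick a key, never the binary or its flags.
COMMANDS = {"git_log": ["git", "log", "--oneline", "-n", "20", "--"]}


def gate(headers, expected_token):
    """Return (status, reason) before any tool code runs."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin; refuse anything not explicitly allowlisted.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    # Authn: constant-time comparison; an empty configured token never matches.
    auth = h.get("authorization", "")
    supplied = auth[7:] if auth.startswith("Bearer ") else ""
    if not expected_token or not hmac.compare_digest(
            supplied.encode(), expected_token.encode()):
        return 401, "bad or missing token"
    # DoS guard: the body size must be declared and bounded.
    length = h.get("content-length", "")
    if not (length.isascii() and length.isdigit()):
        return 411, "length required"
    if int(length) > MAX_BODY_BYTES:
        return 413, "body too large"
    return 200, "ok"


def run_bounded(handler):
    """Run handler() only if a slot is free; otherwise shed load."""
    if not SLOTS.acquire(blocking=False):
        return 503, "too many in-flight requests"
    try:
        return 200, handler()
    finally:
        SLOTS.release()


def build_argv(command, path):
    """Build argv for subprocess.run(argv, shell=False, timeout=...)."""
    if command not in COMMANDS:
        raise ValueError("unknown command")
    if not path or path.startswith("-") or "\x00" in path or ".." in path.split("/"):
        raise ValueError("rejected path argument")
    return COMMANDS[command] + [path]
```
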

@TheodorNEngoy TheodorNEngoy requested a review from a team as a code owner February 7, 2026 13:06
localden (Contributor) commented Feb 7, 2026

Thanks for the contribution, @TheodorNEngoy.

This likely should not be a separate doc. Take a look here: #2196

If there is anything missing from the SBP doc, we should add it there.

TheodorNEngoy (Author) commented

Thanks for the pointer, makes sense.

I just pushed an update that removes the standalone server-hardening tutorial + nav entry, and instead folds that checklist into the Security Best Practices doc as a short Practical Hardening Checklist (Servers) section (updated in both draft and 2025-11-25).

If you’d prefer this live elsewhere (or align wording/structure with #2196), I’m happy to adjust.

@TheodorNEngoy TheodorNEngoy changed the title from "Docs: add practical MCP server hardening checklist" to "Docs: add practical server hardening checklist to SBP" Feb 7, 2026
localden (Contributor) commented Feb 7, 2026

Yeah, no need to modify it across two spec versions. I recommend keeping this open for now, and once #2196 merges, then just amend it with your suggestions and we can review them then. Helps avoid churn.

Also, @TheodorNEngoy - I'd recommend structuring it in a way that is similar to what SBP already does. That is - instead of having a "hardening" checklist, structure it through the threat/mitigation/mistakes frame that you already might see in the doc.

@localden localden added the documentation and security labels Feb 7, 2026
@localden localden self-assigned this Feb 7, 2026
TheodorNEngoy (Author) commented

Makes sense.

I pushed a small follow-up to reduce churn: this PR now only touches docs/specification/2025-11-25/basic/security_best_practices.mdx (dropped the duplicate change in draft).

I’ll keep this open but pause further edits until #2196 lands; then I can rebase/amend and re-structure the additions in the same threat/mitigation/mistakes style as SBP (vs a standalone “hardening checklist”).
