Security Guide
MCP Security — Securing Model Context Protocol
Model Context Protocol (MCP) is the fastest-growing AI integration standard — and its security model has significant gaps. This guide covers the MCP threat taxonomy, authentication controls, supply chain verification, and shadow server detection.
53% of MCP servers have hardcoded secrets
78% run without mTLS authentication
Zero supply chain SBOMs found in the wild
MCP Threat Taxonomy
T1 — Hardcoded Secrets in MCP Server Config
API keys, database credentials, and service tokens embedded in MCP server configuration files. Commonly committed to version control or exposed in container images.
T2 — Unauthenticated Tool Invocation
MCP servers that accept tool calls without verifying caller identity. Any client with network access can invoke sensitive tools — data extraction, file write, external API calls.
T3 — Tool Poisoning via Supply Chain
Malicious MCP servers published to registries with tool descriptions designed to manipulate LLM behavior — prompt injection embedded in tool descriptions, not just tool outputs.
T4 — Shadow MCP Servers
Unauthorized MCP servers deployed by developers bypassing security review. Shadow servers create unmonitored data pathways and bypass DLP and audit controls.
Control 1: Enforce mTLS with SPIFFE Identity
- Every MCP server must present a SPIFFE/X.509 certificate. Clients verify the server's SPIFFE ID against an allowed list before sending any tool calls.
- RuntimeAI's MCP Gateway injects mTLS enforcement as a sidecar — no changes required to existing MCP server implementations.
- Certificate rotation is automated. MCP server certificates expire every 24 hours to limit exposure from stolen credentials.
Control 2: Generate and Verify MCP SBOMs
- Generate a Software Bill of Materials (SBOM) for every MCP server before it enters the registry. Include all dependencies, tool definitions, and permission scopes declared.
- Verify the SBOM signature before allowing a server to handle production traffic. Unsigned or mismatched SBOMs are quarantined automatically.
- Re-scan on every update — tool description changes are the most common supply chain attack vector.
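The admission gate described in Control 2, as an added example that is not part of the original guide or RuntimeAI's product: the SBOM records dependencies plus a digest of the declared tool surface (names, descriptions, scopes), the registry signs it, and a server is admitted only if the signature verifies and its live tool list still matches the digest. The HMAC key, server name, dependency list and tool definitions are constructed stand-ins; a real registry would use an asymmetric signature scheme.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the registry's signing key. A real deployment would
# use an asymmetric signature (e.g. Sigstore/cosign); HMAC keeps this offline.
REGISTRY_KEY = b"constructed-registry-signing-key"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the signature covers exactly one byte form."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tool_digest(tools) -> str:
    """Digest over tool names, descriptions and declared scopes (the parts a
    poisoned update would change), independent of tool ordering."""
    rows = sorted((t["name"], t["description"], sorted(t.get("scopes", []))) for t in tools)
    return hashlib.sha256(canonical(rows)).hexdigest()


def build_sbom(server, version, dependencies, tools) -> dict:
    """Unsigned SBOM: dependencies plus a digest of the declared tool surface."""
    return {"server": server, "version": version,
            "dependencies": sorted(dependencies), "tool_digest": tool_digest(tools)}


def sign_sbom(sbom: dict, key: bytes) -> dict:
    """Attach the registry's signature over the canonical SBOM body."""
    body = {k: v for k, v in sbom.items() if k != "signature"}
    return {**body, "signature": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def admission_decision(sbom: dict, live_tools, key: bytes) -> str:
    """Gate a server before it serves production traffic: unsigned, mismatched,
    or drifted tool definitions are quarantined; everything else is admitted."""
    sig = sbom.get("signature")
    if not sig:
        return "quarantine: unsigned SBOM"
    body = {k: v for k, v in sbom.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "quarantine: SBOM signature mismatch"
    if tool_digest(live_tools) != body["tool_digest"]:
        return "quarantine: tool definitions drifted from SBOM (re-scan required)"
    return "admit"


# Constructed sample: the tool list the server returned to tools/list at registration.
TOOLS = [{"name": "query_db", "description": "Run a read-only SQL query.", "scopes": ["db:read"]}]
SBOM = sign_sbom(build_sbom("example-mcp-server", "1.2.0", ["requests==2.32.3"], TOOLS), REGISTRY_KEY)
```

Running `admission_decision(SBOM, <current tools/list result>, REGISTRY_KEY)` on every update is the re-scan step: a changed tool description changes the digest, so the server drops back to quarantine until a new SBOM is signed.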
Control 3: Detect Shadow MCP Servers
- Deploy passive discovery that identifies any service responding to MCP protocol probes — not just registered servers.
- Alert on first connection to an unregistered MCP server. Do not wait for a completed tool call before triggering investigation.
- Require registration approval before a shadow server can be promoted to production: block automatically, approve manually.