MCP Security Checklist for Security Engineers and Developers

The Model Context Protocol now sits in front of production data, internal APIs, and developer machines at thousands of companies. That makes the MCP layer a high-value target. Researchers filed over 30 CVEs against MCP servers between January and February 2026, 43% of audited servers showed command injection bugs, and Palo Alto Unit 42 measured a 78.3% attack success rate once five servers were connected. This MCP security checklist for security engineers and developers is the short version of what to fix first, who owns each check, and how to test it.

Why MCP needs its Security checklist

MCP servers run with delegated user permissions, call chained tools, and feed model output back into the agent loop. The MCP specification itself states that security cannot be enforced at the protocol level. Every check below is an implementation decision someone owns. If no one owns it, the gap ships to production.

Developer checklist (build phase)

Each item is what the developer writing or shipping an MCP server is on the hook for.

• Input validation on every tool parameter. Treat tool args as untrusted. Reject path traversal patterns, shell metacharacters, and oversized payloads. 43% of audited servers fail this.
• OAuth 2.1 for HTTP transport. If your server speaks HTTP, no-auth is not an option. Implement OAuth 2.1 with PKCE. Bind tokens to specific audiences.
• Localhost binding by default. Bind STDIO and dev servers to 127.0.0.1. Binding to 0.0.0.0 is the CVE-2025-49596 pattern. Network exposure should be an explicit flag, never a default.
• Tool descriptions free of hidden instructions. Strip <IMPORTANT>, <system>, and prompt-like patterns from tool returns. Hash and pin descriptions at first approval.
• Session IDs from a CSPRNG. Predictable IDs lead to session hijack prompt injection across multi-server setups.
• Pinned dependencies and SBOM. mcp-remote with 437,000+ downloads was compromised through dependency drift. Pin versions. Generate an SBOM per release.
• Tool annotations set correctly. Set readOnlyHint, destructiveHint, and title on every tool. Agents use these to decide consent prompts.
• No secrets in logs or model context. Scrub tokens from error messages. Never echo a credential back into agent memory.
• Origin validation on HTTP servers. Check the Origin header. Reject cross-origin requests unless the client is on an allowlist.

Security engineer checklist (review and runtime)

This is what AppSec, red team, and platform security teams should be checking before any MCP server reaches production.

• Threat model the agent loop, not just the server:
  Map every tool call path. Flag any tool that can read secrets, write files, or hit external network.
• Inventory every MCP server
  Shadow MCP is real. Scan source repos, network egress, and dev laptops. You cannot govern what you cannot see.
• Per-client consent for proxy servers
  Confused deputy attacks work when MCP proxies share a static client ID with a third-party auth server. Per-client consent kills the auth code redirect trick.
• Test for tool poisoning before approval
  Run the server through a description scanner. Manually inspect any update that changes a tool description.
• Block auto-update without code signing
  Day 1 benign, Day 7 malicious is the rug pull pattern. Require signed releases for any server in production.
• Rate limit at the gateway
  Put an MCP gateway in front of remote servers. Apply rate limits, request size caps, and audit logging from one place.
• Isolate sessions and process boundaries
  Each session gets its own process or sandbox. No shared filesystem between sessions.
• Centralized logging with append-only integrity
  Hash chains. Logs that are easy to tamper with are useless for incident response.
• Quarterly access review on tokens and scopes
  Permissions creep. Find tokens with stale scopes and kill them.

Shared checks (both roles)

• Tool isolation between servers:
  Compromise of one server should not cascade. Researchers measured a 72.4% cascade rate across servers in the same agent.
• Short-lived scoped tokens:
  No long-lived bearer tokens. Use 15-minute access tokens with refresh.

• Sandboxed filesystem roots:
  Only expose what the tool needs. A filesystem MCP server with path traversal cost one team their WhatsApp contact database in May 2025.
• Human-in-the-loop for destructive actions.
  Anything tagged destructiveHint: true should require a user confirmation step.

Build the skill, not just the checklist

A checklist sets the floor. Real defense comes from engineers who can attack a server, read the protocol spec end-to-end, and write defenses that hold up under red team pressure. The Certified MCP Security Expert (CMCPSE) course is built for exactly that. Hands-on labs on tool poisoning, supply chain attacks, OAuth misuse, and agent loop defense. If your team is shipping MCP servers in 2026, this is the credential to back the checklist with practical skill. 

Enroll in the Certified MCP Security Expert (CMCPSE) course and build real attack and defense skill on top of these checks.

Final pass before you ship

Before any MCP server goes live, answer these five questions:

1. Who can call this server, and how is that decision enforced?
2. What is the worst thing a malicious tool description can make the agent do?
3. If this server is compromised, what is the blast radius?
4. How will I detect a compromise within 24 hours?
5. How will I roll it back?

Conclusion

MCP security is not a 2027 problem. Servers are getting hit now, CVEs are landing weekly, and the attack patterns are already public. Every item on this checklist maps to a real CVE, a real breach, or a real spec requirement that someone shipped without reading. None of them are theoretical.

Pick the five items most relevant to your stack. Assign each one an owner. Set a fix date. Then do the next five. The teams that work the checklist in this order ship safer agents than the teams chasing the latest scanner.

If you want your engineers to have audit-grade skill on MCP attack and defense, the Certified MCP Security Expert (CMCPSE) course is built for that gap. Hands-on labs, real attack scenarios, supply chain and tool poisoning under load, and a credential that proves the work. 

Enroll in the Certified MCP Security Expert (CMCPSE) course and put the checklist into the hands of engineers who can actually defend it.