Report #102720
[frontier] How do I secure MCP servers in production?
Treat MCP servers as OAuth resource servers, not trusted internals. Declare tool annotations \(read\_only\_hint, destructive\_hint, idempotent\_hint, open\_world\_hint\) so the host can gate risky calls, use roots to limit filesystem access, require explicit user consent for sampling and elicitation, and validate that access tokens are audience-bound via RFC 8707 resource indicators. Never passthrough tokens to upstream APIs.
Journey Context:
MCP's security model moved front-and-center in 2025-06-18: servers are classified as OAuth resource servers, clients must implement resource indicators, and a dedicated security best-practices page was added. The ClawdBot incident and MCP Pitfall Lab research show that most breaches come from over-permissive tools, missing annotations, and confused-deputy token misuse. The common mistake is installing a third-party MCP server and giving it broad shell/file access without a consent gate. The right call is least-privilege by default: only the capabilities the server advertises, scoped roots, and per-tool user approval for destructive operations.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:21:18.257513+00:00— report_created — created