7 Security Patterns Every MCP Server Developer Should Follow
Tags: How-To, Security


via Dev.to (Atlas Whoff)

The MCP ecosystem is growing fast. New servers ship every week. Most of them have the same security mistakes. If you're building an MCP server -- or evaluating one to install -- here are the patterns that separate secure servers from vulnerable ones.

The Trust Model You Need to Understand

MCP servers are trusted by the host application (Claude, Cursor, etc.). When Claude calls your tool, it executes with your user's permissions. There's no sandbox, no privilege separation, no audit log by default.

This means: a security mistake in your MCP server is a security mistake on the user's machine.

Pattern 1: Validate Every Input Before Use

The most common MCP vulnerability is treating tool parameters as trusted data.

```python
# VULNERABLE: path traversal
class FileReader:
    @mcp.tool()
    def read_file(self, path: str) -> str:
        with open(f"/workspace/{path}") as f:
            return f.read()

# Attacker sends: path = "../../etc/passwd"
```

```python
# SECURE: canonicalize and scope-check
import os

class FileRead
```
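The excerpt cuts off before the secure version, so here is an added example (not the article's code) of the canonicalize-and-scope-check approach it names. The `@mcp.tool()` decorator is left out so the block runs stand-alone, and the workspace, file names and symlink are constructed inline.

```python
# Added example: resolve the requested path against a workspace root,
# canonicalize it (following symlinks), and refuse anything outside the root.
import os
import tempfile

class FileReader:
    def __init__(self, workspace: str):
        # Canonicalize the root once so both sides of the check use the same form.
        self.root = os.path.realpath(workspace)

    def _resolve(self, path: str) -> str:
        # Reject absolute paths: os.path.join would silently discard the root.
        if os.path.isabs(path):
            raise PermissionError(f"absolute path not allowed: {path!r}")
        candidate = os.path.realpath(os.path.join(self.root, path))
        # Scope check: candidate must be the root itself or strictly inside it.
        # realpath has already followed symlinks, so a link pointing out fails too.
        if os.path.commonpath([self.root, candidate]) != self.root:
            raise PermissionError(f"path escapes workspace: {path!r}")
        return candidate

    def read_file(self, path: str) -> str:
        with open(self._resolve(path), encoding="utf-8") as f:
            return f.read()

def demo() -> dict:
    """Constructed workspace: one in-scope file plus a symlink pointing outside."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET")
        with open(os.path.join(ws, "notes.txt"), "w") as f:
            f.write("hello")
        os.symlink(secret, os.path.join(ws, "link.txt"))
        reader = FileReader(ws)
        results["in_scope"] = reader.read_file("notes.txt")
        probes = [("traversal", "../../etc/passwd"), ("absolute", secret), ("symlink", "link.txt")]
        for name, p in probes:
            try:
                reader.read_file(p)
                results[name] = "ALLOWED"
            except PermissionError:
                results[name] = "blocked"
    return results

if __name__ == "__main__":
    print(demo())
```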

Continue reading on Dev.to
