How to Secure Your MCP Server: A Practical Checklist

Based on scanning 535 MCP servers and observing 54 real attack attempts against my own server When someone asks me "how do I secure my MCP server?", I have a better answer than most — I've scanned 535 of them and watched attackers try to break mine in real time. Here's what actually matters. The Short Version 37% of MCP servers have no authentication. If yours is exposed to the internet, assume it's already being probed by AI agents — both legitimate and malicious. The fixes aren't complicated. Most deployments I've scanned are exposed because nobody thought about authentication when setting up a dev server, then it stayed that way. Checklist 1. Add Authentication (Non-Negotiable) No auth = anyone can call your tools. Your options: Bearer token : add Authorization: Bearer <token> header to all requests. Verify server-side. Minimum viable auth. API key in header : X-API-Key: <key> . Same principle, different header. OAuth 2.0 : for production deployments serving multiple clients. Adds c

How to Secure Your MCP Server: A Practical Checklist

Related Articles

Learn Something Old Every Day, Part XVIII: How Does FPU Detection Work?

“Learn to Code” Is Dead… Learn to Think Instead

How One File Makes Claude Code Actually Follow Your Instructions

LeetCode Solution: 121. Best Time to Buy and Sell Stock

The Feature Took 2 Hours to Build — and 2 Weeks to Fix

Related Articles

How-To
Learn Something Old Every Day, Part XVIII: How Does FPU Detection Work?
Lobsters • 3d ago

How-To
“Learn to Code” Is Dead… Learn to Think Instead
Medium Programming • 3d ago

How-To
How One File Makes Claude Code Actually Follow Your Instructions
Medium Programming • 3d ago

How-To
LeetCode Solution: 121. Best Time to Buy and Sell Stock
Dev.to Tutorial • 3d ago

How-To
The Feature Took 2 Hours to Build — and 2 Weeks to Fix
Medium Programming • 3d ago