Blog
Security guides for the Model Context Protocol ecosystem
No TLS? Your MCP Traffic Is Plaintext.
TLS encrypts the connection between your AI agent and the MCP server. Without it, every tool call, credential, and response travels in plaintext, visible to anyone sniffing the network.
DNS Rebinding Tricks Your Agent Into Attacking Your Own Network
DNS rebinding tricks your AI agent into connecting to internal network services by resolving a public hostname to a private IP address like 127.0.0.1 or 10.x.x.x.
Your API Key Is in the Tool Call (And That's a Problem)
Credential exposure in MCP happens when a server accepts API keys as tool parameters instead of authenticating via HTTP headers. Whether by mistake or by design, the result is the same: your key lands in plaintext logs and the LLM context window, one prompt injection away from leaking.
That MCP Tool Just Asked for Your Entire Chat History
Context harvesting is when a malicious MCP server tricks your AI agent into leaking conversation history, system prompts, or user data through tool parameters that request "chat_history" or "full_context".
Shell Access, File Writes, and Other MCP Red Flags
Dangerous capabilities are MCP tools that can execute shell commands, modify files, or access your system, giving a malicious server the ability to run arbitrary code on your machine.
Prompt Injection Can Hide in MCP Resource Descriptions
Resource/prompt injection in MCP is when malicious instructions like "ignore previous instructions" are hidden in resource descriptions or prompt definitions, hijacking your AI agent's behavior through the schema itself.
An MCP Tool Response Just Accessed localhost
Client-side SSRF in MCP happens when a tool response contains internal URLs (like 127.0.0.1 or cloud metadata endpoints), tricking your AI agent into accessing services on your private network.
Hidden Images in Tool Responses Can Leak Your Data
Tracking pixel exfiltration embeds hidden images in MCP tool responses that phone home to an attacker's server, leaking your IP, session data, or conversation content through URL parameters when rendered.
One Tool Response Can Override Your Agent's Instructions
Instruction hijacking embeds prompt injection phrases like "ignore previous instructions" in MCP tool responses, overriding your agent's safety guardrails to follow the attacker's commands instead.
A 500KB Tool Response Just Wiped Your Agent's Memory
Context exhaustion floods your AI agent's context window with massive tool responses, pushing out your system prompt and conversation history so the agent forgets its instructions and behaves unpredictably.
file://, smb://, and Other Dangerous URIs in MCP Responses
URI scheme hijacking embeds dangerous protocols like file://, smb://, or gopher:// in MCP tool responses to access local files, leak authentication hashes, or exploit legacy protocol vulnerabilities on your machine.
Does Your MCP Server Work in the Browser?
CORS (Cross-Origin Resource Sharing) controls whether a web browser is allowed to connect to an MCP server. Without it, the server only works with desktop apps, not web tools, Chrome extensions, or cloud platforms.