No TLS? Your MCP Traffic Is Plaintext.
TLS encrypts the connection between your AI agent and the MCP server. Without it, every tool call, credential, and response travels in plaintext, visible to anyone sniffing the network.
Transport Security (TLS) is the encryption protocol that protects data moving between your AI agent and an MCP server. When an MCP server lacks TLS, every request and response, including API keys, user data, and LLM context, is sent as plaintext over the wire.
Why TLS matters for MCP
MCP servers act as bridges between AI agents and external systems. A single tool call might carry:
- API keys passed as authentication headers
- User conversation context forwarded by the LLM
- Sensitive query results returned from databases or APIs
Without TLS, any network observer (a compromised router, a malicious Wi-Fi hotspot, or an ISP-level tap) can read and modify this traffic in real time.
What happens when this check fails
A failed TLS check means the MCP server is reachable over plain HTTP. This exposes your agent to:
- Credential theft. Auth headers sent in cleartext.
- Data exfiltration. Tool responses containing private data are visible on the wire.
- Request tampering. An attacker can modify tool calls or inject malicious responses mid-flight.
How to fix it
1. Configure your MCP server to serve over HTTPS only
2. Use a reverse proxy (nginx, Caddy) with a valid TLS certificate
3. Use a platform like Vercel, Railway, or Fly.io that provides TLS by default
Do not connect your AI agent to an HTTP-only MCP endpoint in production.
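A client-side guard for the rule above, as an added example that is not from the original page: `check_mcp_url` rejects plain-HTTP endpoints before the agent connects, and `probe_tls` performs a handshake with certificate and hostname verification. The function names, the sample URLs, and the optional loopback exception for local development are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Assumption: plain HTTP may be tolerated only for local development hosts.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def strict_tls_context() -> ssl.SSLContext:
    """Client context that verifies chain and hostname and requires TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def check_mcp_url(url: str, allow_loopback_http: bool = False) -> list[str]:
    """Return a list of findings; an empty list means the URL passes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if not host:
        findings.append("no host in URL")
    if parts.scheme == "http":
        if not (allow_loopback_http and host in LOOPBACK):
            findings.append("plain HTTP: tool calls and credentials sent in cleartext")
    elif parts.scheme != "https":
        findings.append(f"unsupported scheme {parts.scheme!r}")
    return findings

def probe_tls(url: str, timeout: float = 5.0) -> str:
    """Handshake with the server and return the negotiated TLS version.

    Raises ssl.SSLCertVerificationError when the certificate or hostname
    does not validate, so a bad certificate fails closed.
    """
    parts = urlsplit(url)
    addr = (parts.hostname, parts.port or 443)
    with socket.create_connection(addr, timeout=timeout) as raw:
        ctx = strict_tls_context()
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            return tls.version()

# Constructed sample endpoints (not real servers).
SAMPLES = [
    "https://mcp.example.com/mcp",
    "http://mcp.example.com/mcp",
    "http://localhost:8080/mcp",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_mcp_url(u, allow_loopback_http=True) or "ok")
```

Run `check_mcp_url` on the configured endpoint at agent startup and refuse to start on any finding; `probe_tls` needs network access and is meant for a deployment check.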