MCP Security Checklist
The practitioner's security framework for production MCP deployments.
MCP adoption is outpacing the available security guidance. Teams ship MCP servers with no authentication, no input validation, and no monitoring. The MCP Security Checklist gives engineering and security teams a structured, actionable framework to close those gaps before they become incidents.
Status: Active
Domains: 7 security domains
Formats: Markdown · JSON · YAML · Web
License: MIT
Get it: git clone https://github.com/Helixar-AI/mcp-security-checklist

The Problem
Model Context Protocol is being deployed faster than the security guidance exists to support it. Teams building and shipping MCP servers are working from framework documentation that covers functionality, not security. The result is a consistent pattern of production deployments with unauthenticated tool endpoints, no prompt injection controls, and no runtime monitoring.
Enterprise security teams reviewing MCP deployments face the inverse problem: no structured framework exists to assess what "good" looks like. Without a shared vocabulary and a defined control set, every MCP security review starts from scratch.
The MCP Security Checklist provides that shared foundation: seven domains, a prioritised Top 10, and four output formats that fit into engineering workflows, SOC reviews, and executive risk reporting alike.
What It Covers
Top 10 Critical Controls
Prioritised list including mTLS enforcement, least-privilege tool scoping, input schema validation, and behavioural anomaly detection.
7 Security Domains
Structured coverage from authentication through to executive risk framing. Every domain maps to actionable controls, not guidelines.
CI/CD Integration
JSON and YAML formats designed for pipeline integration. Run checklist validation as a gate in your deployment workflow.
Four Formats
Markdown for engineers, JSON for automation, YAML for pipeline config, and an interactive web version for SOC and security teams.
The Seven Domains
Each domain contains actionable controls with implementation guidance.
Authentication & Authorisation: mTLS enforcement, token scoping, least-privilege tool access
Input Validation & Prompt Injection: schema enforcement, injection detection, sanitisation patterns
Tool & Resource Exposure: minimal surface area, permission boundaries, tool inventory
API Session Security: session lifecycle, token rotation, replay prevention
Monitoring & Observability: behavioural anomaly detection, audit trails, alerting
Network & Infrastructure: egress controls, network segmentation, TLS configuration
Executive Risk Summary: business risk framing, compliance mapping, escalation guidance
Get Started
Clone the repo or use the interactive web version directly.
    # Clone the repository
    $ git clone https://github.com/Helixar-AI/mcp-security-checklist
    $ cd mcp-security-checklist

    # Available formats
    $ ls
    checklist.md      # Engineer-friendly Markdown
    checklist.json    # Automation / pipeline integration
    checklist.yaml    # CI/CD config format
    docs/             # Domain documentation + guidance
More from Helixar Labs
Other open protocols and tools from the team.
Scan, harden, sign, and attest every build artifact before it ships.
Instant triage for PinchTab deployment and browser bridge exposure.
Automated 26-rule security scanner for MCP server infrastructure.
Open protocol for verifiable human delegation in agentic AI systems.
Seven domains. One checklist. Make your MCP deployment production-ready.
The MCP Security Checklist is open source, MIT licensed, and available in four formats.