MCP Security Checklist for Teams in 2026
Model Context Protocol connects LLMs to real systems. That power needs the same rigor as production APIs: least privilege, auditability, and clear boundaries between read and write tools.
1. Inventory every tool your MCP exposes
Before enabling a server in Claude Desktop, Cursor, or VS Code, capture the server's list_tools output and classify each tool as read-only, mutating, or destructive. Many incidents come from “harmless” assistants calling a delete or deploy tool.
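The classification step above, as an added example rather than code from this checklist or from any MCP project: it reads the JSON result of a tools/list request (the list_tools output) and buckets each tool using the MCP tool annotation fields readOnlyHint and destructiveHint. The sample tool list is constructed, and the name/description heuristic applied when a server sends no annotations is this example's own assumption, not part of the protocol.

```python
"""Inventory the tools an MCP server exposes and classify each as read-only,
mutating or destructive before enabling the server in a client.

Added example, not code from the page or from any MCP project. It consumes
the JSON result of a tools/list request and relies on the MCP tool annotation
fields readOnlyHint and destructiveHint; the name/description heuristic used
when a server sends no annotations is this example's own assumption."""
import json
import re

# Constructed sample of a tools/list result from a mixed read/write server.
SAMPLE_TOOLS_LIST = json.dumps({
    "tools": [
        {"name": "get_issue", "description": "Fetch one issue by id",
         "annotations": {"readOnlyHint": True}},
        {"name": "create_issue", "description": "Open a new issue",
         "annotations": {"readOnlyHint": False, "destructiveHint": False}},
        {"name": "delete_repo", "description": "Permanently delete a repository",
         "annotations": {"readOnlyHint": False, "destructiveHint": True}},
        {"name": "deploy_service", "description": "Trigger a production deploy"},
        {"name": "search_docs", "description": "Search the documentation index"},
        {"name": "frobnicate", "description": "Unknown purpose"},
    ]
})

# Verbs that make a tool destructive regardless of what its annotations claim.
# Letter-boundary lookarounds so "delete_repo" and "deploy" both match while
# "information" or "format" do not.
DESTRUCTIVE_WORDS = re.compile(
    r"(?<![a-z])(delete|drop|destroy|purge|remove|truncate|wipe|deploy)(?![a-z])",
    re.I)
# Name prefixes that usually indicate a read-only tool.
READ_PREFIXES = re.compile(r"^(get|list|search|read|fetch|query|describe|show)", re.I)


def classify_tool(tool: dict) -> str:
    """Return 'read-only', 'mutating' or 'destructive' for one tool entry."""
    ann = tool.get("annotations") or {}
    name = tool.get("name", "")
    text = f"{name} {tool.get('description', '')}"
    if ann:
        # Annotations are server-supplied hints, not guarantees: accept a
        # read-only claim only when the tool name does not contradict it.
        if ann.get("readOnlyHint") is True and not DESTRUCTIVE_WORDS.search(name):
            return "read-only"
        # The spec default for destructiveHint is True, so a missing field
        # is treated as destructive rather than as harmless.
        if ann.get("destructiveHint", True):
            return "destructive"
        return "mutating"
    # No annotations at all: infer from wording, erring toward the riskier class.
    if DESTRUCTIVE_WORDS.search(text):
        return "destructive"
    if READ_PREFIXES.match(name):
        return "read-only"
    return "mutating"


def inventory(tools_list_json: str) -> dict:
    """Group tool names by class, preserving server order within each class."""
    groups = {"read-only": [], "mutating": [], "destructive": []}
    for tool in json.loads(tools_list_json)["tools"]:
        groups[classify_tool(tool)].append(tool["name"])
    return groups


def unannotated(tools_list_json: str) -> list:
    """Tools whose class was only inferred; these deserve a human look."""
    return [t["name"] for t in json.loads(tools_list_json)["tools"]
            if not t.get("annotations")]


if __name__ == "__main__":
    for cls, names in inventory(SAMPLE_TOOLS_LIST).items():
        print(f"{cls:12s} {', '.join(names)}")
    print("unannotated:", ", ".join(unannotated(SAMPLE_TOOLS_LIST)))
```

Run it against a real server's tools/list response and review the "destructive" and "unannotated" lists before the server goes into any client profile; a tool that claims readOnlyHint but is named like a delete lands in the destructive bucket on purpose, since annotations come from the server you are evaluating.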
2. Prefer remote MCP with OAuth for SaaS
For Slack, GitHub, Google Workspace, and similar systems, use official or OAuth-backed remote servers when possible so tokens rotate and scopes are explicit.
3. Scope database access to views
Never point SQL MCPs at superuser roles. Create a dedicated read-only user limited to safe views and row-level policies.
4. Separate prod and dev configs
Use different MCP server entries (or different IDE profiles) so a coding session cannot accidentally hit production URLs.
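A check a team can run in CI over its dev profile, added here as an example and not code from this checklist or from any MCP client: it walks every string in each server entry (url, command, args, env), extracts a hostname from URLs and connection strings, and flags anything under a production domain. The "mcpServers" layout mirrors the JSON config files desktop MCP clients use, but the exact keys a given client accepts should be confirmed against its documentation; the server names, the mcp-postgres command and all hosts are constructed placeholders.

```python
"""Check that a dev-profile MCP config never references production hosts.

Added example, not code from the page or from any MCP client. The
"mcpServers" layout (name -> entry with url, or command/args/env) mirrors
the JSON config files used by desktop MCP clients; server names, the
mcp-postgres command and all hosts below are constructed placeholders."""
import re
from urllib.parse import urlparse

# Hosts (and their subdomains) that only the prod profile may reference.
# Constructed; a team would keep this list next to its real environments.
PROD_HOSTS = {"prod.internal", "prod.example.com"}

# Constructed dev profile with two entries that leaked production endpoints.
DEV_PROFILE = {
    "mcpServers": {
        "postgres-dev": {
            "command": "mcp-postgres",  # hypothetical local server binary
            "args": ["--dsn", "postgresql://reader@db.dev.internal:5432/app"],
        },
        "postgres-oops": {
            "command": "mcp-postgres",
            "args": ["--dsn", "postgresql://reader@db.prod.internal:5432/app"],
        },
        "deploy-api": {"url": "https://deploy.prod.example.com/mcp"},
        "docs": {
            "url": "https://docs.example.com/mcp",
            "env": {"API_HOST": "docs.example.com"},
        },
    }
}

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def host_of(value: str):
    """Extract a hostname from a URL/DSN, or return the value itself if it is
    a bare hostname; None for anything else (flags, file paths, numbers)."""
    try:
        host = urlparse(value).hostname
    except ValueError:
        host = None
    if host:
        return host
    value = value.strip().lower()
    return value if HOSTNAME_RE.match(value) else None


def is_prod_host(host: str, prod_hosts=PROD_HOSTS) -> bool:
    """Exact match or subdomain of a production host."""
    return any(host == p or host.endswith("." + p) for p in prod_hosts)


def _strings(entry, path=""):
    """Yield (path, string) for every string inside a server entry."""
    if isinstance(entry, str):
        yield path, entry
    elif isinstance(entry, list):
        for i, v in enumerate(entry):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(entry, dict):
        for k, v in entry.items():
            yield from _strings(v, f"{path}.{k}" if path else k)


def find_prod_references(config: dict, prod_hosts=PROD_HOSTS) -> list:
    """Return [(server, field, host)] for every production host found."""
    hits = []
    for server, entry in config.get("mcpServers", {}).items():
        for path, value in _strings(entry):
            host = host_of(value)
            if host and is_prod_host(host, prod_hosts):
                hits.append((server, path, host))
    return hits


if __name__ == "__main__":
    for server, field, host in find_prod_references(DEV_PROFILE):
        print(f"{server}: {field} references production host {host}")
```

Fail the pipeline when the returned list is non-empty; the same walker applied to the prod profile with a dev host list catches the opposite mistake.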
5. Monitor what the model fetches
Web fetch and scraping tools can exfiltrate internal URLs if prompts are poisoned. Combine network policies with allowlisted domains where possible.
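An application-layer allowlist for a fetch tool, added here as an example and not code from this checklist or from any fetch server. It denies by default and handles the usual bypass shapes: non-http schemes, credentials in the URL, IP literals and localhost, non-default ports, and lookalike hosts that merely start with an allowlisted name. The policy choices and ALLOWED_DOMAINS are this example's assumptions.

```python
"""Allowlist check for URLs a web-fetch MCP tool is asked to retrieve.

Added example, not code from the page or from any fetch server. The policy
(http/https only, no credentials in the URL, no IP literals or localhost,
default ports only, allowlisted domain or subdomain) and ALLOWED_DOMAINS
are this example's assumptions."""
import ipaddress
from urllib.parse import urlparse

ALLOWED_DOMAINS = {"example.com", "docs.python.org"}  # constructed sample


def check_fetch_url(url: str, allowed=ALLOWED_DOMAINS):
    """Return (allowed, reason). Deny by default; every branch names why."""
    try:
        p = urlparse(url)
    except ValueError as e:  # e.g. malformed IPv6 bracket syntax
        return False, f"unparseable url: {e}"
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    # "https://trusted.example.com@evil.net/" parses with username set and
    # hostname evil.net; rejecting any userinfo closes that shape outright.
    if p.username is not None or p.password is not None:
        return False, "credentials in url"
    host = p.hostname  # already lowercased by urlparse
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "ip literal not allowed"  # covers 10.x, 169.254.x, ::1
    except ValueError:
        pass  # not an IP literal, continue
    try:
        port = p.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"non-default port {port}"
    # Exact match or a true subdomain; "docs.example.com.evil.net" fails here.
    if not any(host == d or host.endswith("." + d) for d in allowed):
        return False, f"host {host} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://docs.example.com/api",
              "https://docs.example.com.evil.net/",
              "http://10.0.0.5/admin",
              "https://docs.example.com@evil.net/"):
        print(u, check_fetch_url(u))
```

A hostname allowlist alone does not stop an allowlisted name from resolving to an internal address or redirecting to one, so pair it with the egress network policy the checklist recommends and resolve and re-check the address before connecting.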
6. Educate users on prompt injection
MCP does not magically sanitize user content. Treat untrusted web pages and tickets as untrusted code.
7. Official vs community servers
An official badge on FastMCP indicates a maintained, first-party or verified publisher; prefer badged servers for high-risk integrations.
8. Incident response
If a credential leaks, revoke OAuth tokens and rotate API keys before removing the MCP entry—automation may retry with cached config.
Stay up to date with curated, vetted servers on FastMCP and review each server’s install method (local vs remote) before rollout.