Securing Your Model Context Protocol: How to Build Enterprise‑Ready MCPs with UNITONE

Model Context Protocol (MCP) servers have rapidly become the connective tissue of agentic AI. They bridge large language models (LLMs) and human users with external tools and data sources, enabling assistants to fetch information, trigger workflows and act autonomously. Think of it as building automation without learning about APIs. This capability comes with unique security risks: untrusted model inputs can become attack vectors, and every endpoint exposed by a server broadens the blast radius. Recent research shows that attackers are already exploiting these weaknesses, and CISOs and engineering leaders can’t afford to ignore themsecurityweek.com. This post examines the top vulnerabilities, offers practical defenses and shows how UnitOne’s MCP Builder helps teams build secure, enterprise‑ready servers.

Top MCP vulnerabilities you need to know

Adversa AI’s MCP Security Top 25 offers the most comprehensive snapshot of the threat landscape. Each vulnerability is ranked by impact, exploitability and prevalencesecurityweek.com. Highlights include:

• Prompt injection – The highest‑ranked risk combines critical impact with trivial exploitability. Attackers craft prompts that overwrite system instructions or trick models into performing unintended actions. This includes indirect prompt injection and instruction hijacking.
• Command injection and remote code execution – Insecure input validation allows untrusted strings to be passed directly into APIs, shell commands or SQL queries. 43 % of MCP servers are vulnerable to command injection, making input validation “mandatory”.
• Tool and schema poisoning – Malicious tool descriptors or schema definitions (sometimes called Tool Poisoning or Full Schema Poisoning) mislead models into using compromised tools. This includes dynamic output poisoning and template manipulation, which can corrupt entire tool ecosystems.
• Authentication and session flaws – Missing or weak authentication allows attackers to access endpoints without credentials. Issues such as unauthenticated access, token theft, token passthrough and session fixation are prominent. Privilege abuse and broad permissions also appear, highlighting the need for least‑privilege design.
• Configuration and deployment risks – Path traversal, configuration poisoning, configuration file exposure and cross‑tenant data exposure show that server misconfigurations can be exploited to read arbitrary files or leak sensitive data. Network binding issues (localhost bypass) and rug pull attacks illustrate supply‑chain and update risks.
• AI‑specific attacks – The list includes novel attacks such as the MCP Preference Manipulation Attack (MPMA), where adversaries alter preference drift to bias agent behaviour, and Resource Content Poisoning, where attackers inject malicious data into context resources.

These categories overlap with classic web‑security risks (input validation, broken authentication, misconfigurations), but they take on new urgency when untrusted model outputs can directly call tools. Security teams must treat MCP servers as privileged services and guard every step of the tool‑execution pipeline.

How to secure MCPs: best practices for servers and clients

Some of these attacks can be addressed by proven application‑security practices.

For MCP servers

1. Strong authentication & authorization – Enforce OAuth 2.1 or sender‑constrained tokens and validate every token. Map each tool to the minimum scopes it needs. This prevents “confused deputy” attacks where the server executes malicious requests under another client’s identity.
2. Input validation & prompt safety – Treat all model‑generated inputs as untrusted. Validate data against JSON Schema or Protobuf definitions, escape shell characters, enforce length limits and run tool executions in sandboxed containers. Require human or policy approval for high‑risk operations such as file writes or deletions.
3. Token hygiene – Use short‑lived JWTs scoped to specific audiences and never log tokens or expose them in URLs. Store secrets in secure keychains or hardware modules and rotate credentials regularly.
4. Scope management & exposure control – Audit tools for scope creep and apply least privilege on every endpoint. Separate read and write scopes and enforce deny‑by‑default policies.
5. Endpoint & tool integrity – Verify tool definitions and server endpoints with cryptographic signatures (Ed25519 or RSA) and pin package versions to detect tampering. Reject unverified endpoints or tools and alert users to unexpected changes.
6. Observability & auditing – Centralize logging of prompts, tool calls and responses. Correlate logs with client IDs and timestamps, monitor anomalies and apply rate‑limiting and cost controls.
7. Supply‑chain security – Use signed, verified packages for all components and integrate static application security testing (SAST) and software composition analysis (SCA) into CI/CD pipeliines.

For MCP clients

1. Secure discovery & trust anchoring – Verify MCP servers via signed metadata and only trust servers from vetted registries. Enforce TLS 1.2+ and mutual TLS (mTLS) for all connections.
2. Authorization & connection security – Implement OAuth 2.1 flows with PKCE and verify authorization server metadata and keys. Reject requests outside approved scopes and fail closed if validation fails.
3. Tool integrity – Validate tool definitions against schemas, require digital signatures on metadata, maintain a whitelist of trusted tools and warn users when definitions change unexpectedly.
4. Input validation & prompt safety – Validate model requests against schemas, reject unknown fields or excessively long strings and sandbox untrusted completions. Require user confirmation for high‑impact requests.
5. Token management & session integrity – Store tokens in OS keychains, use short‑lived cookies with SameSite/HttpOnly flags, bind sessions to nonces and regenerate session keys upon re‑authentication.
6. Tool use transparency & sandboxing – Display tool invocations in the UI, provide an audit dashboard of recent calls and require explicit confirmation for destructive actions. Run local operations in sandboxed environments (VMs, containers, seccomp profiles), limit file‑system access and apply layered schema checks and policy filters.
7. Sampling controls – When clients perform model completions, show the output for review, filter completions with moderation or sanitization and apply rate limits and cost caps.

These guidelines mirror the OWASP framework.

Build enterprise‑ready MCP servers with UnitOne MCP Builder

UnitOne’s open‑source MCP Builder makes it easy to transform any API into a secure MCP server through an intuitive web portal. Key features include:

• Multiple input formats – Generate servers from OpenAPI/Swagger specs, Postman collections or plain‑text API documentationgithub.com.
• Admin dashboard – A Material‑UI dashboard lets developers parse APIs, select endpoints, configure authentication and deploy servers with one click.
• Authentication support – Built‑in support for bearer tokens, API keys and OAuth 2 client credentials ensures that generated servers can enforce strong identity checks.
• Auto‑generated tools – The builder automatically creates MCP tools from API endpoints, complete with type‑safe definitions and path parameter substitution.
• One‑click deployment – Deploy and manage servers directly from the portal; environment variables are passed from your MCP client configuration.
• Best‑practice guidance – We recommend keeping the number of exposed tools under 40 for optimal performance and accuracy and group large APIs into focused servers (e.g., separate servers for users, mail, calendar, etc.).

The open‑source MCP Builder is intended for single‑user local developmentgithub.com. For organizations that require hosted or managed deployment, extended security features, team collaboration or enterprise support, UnitOne offers commercial solutions; security issues can be reported via security{at}unitone{dot}ai.

Questions every CISO or engineering leader should ask

1. Do we know our MCP attack surface? Catalogue the tools your MCP server exposes and map them to required scopes. Evaluate whether any endpoints accept unvalidated model inputs or overbroad permissions.
2. Have we implemented least privilege and token hygiene? Ensure every tool, server and client uses scoped, short‑lived tokens. Regularly rotate credentials and avoid logging secrets.
3. How are we validating inputs and outputs? Implement schema validation and sanitization at both the server and client. Use sandboxed environments for risky operations and require human oversight for destructive actions.
4. Are we verifying tools and dependencies? Adopt signed registries, verify tool metadata and integrate SAST/SCA into your CI/CD pipeline. Monitor for supply‑chain vulnerabilities and tool poisoning.
5. Do we have observability into MCP operations? Centralize logging of prompts and tool invocations, monitor anomalies and integrate with your SIEM for real‑time alerts.
6. Are our development workflows safe? When generating MCP servers, follow the builder’s recommendations on tool counts and server granularity. Avoid one giant server with hundreds of endpoints; instead split APIs into focused, manageable serversgithub.com.

MCPs are transforming how AI systems interact with the ecosystem of tools, but they also introduce novel attack surfaces. By understanding the vulnerabilities, adopting best‑practice security controls and leveraging tools like UnitOne MCP Builder, teams can build robust, enterprise‑ready MCP infrastructure. Whether you’re a CISO worried about prompt injection or a VP of Engineering looking to accelerate API integration, now is the time to harden your MCP deployments.

Try the MCP Builder on GitHub: explore the open‑source tool and build your own secure MCP server from any APIgithub.com. For hosted deployments and advanced security features, we would love to engage and learn about your challenges.