Security

MCP in Production: Implementing the Model Context Protocol at Enterprise Scale

Aaron McBrideAaron McBride
9 min read
Secure MCP architecture diagram with enterprise integration points

MCP adoption is accelerating. One year after launch, the Model Context Protocol has become the standard for connecting AI agents to enterprise tools. Monthly SDK downloads exceed 97 million. Anthropic, OpenAI, Google, and Microsoft have all adopted it.

But adoption does not mean readiness. Many MCP servers are deployed without authentication. OAuth implementations are often misconfigured. In July 2025, CVE-2025-49596 demonstrated that a simple browser visit could compromise developer machines running MCP Inspector. The vulnerability scored 9.4 on CVSS.

This post covers Model Context Protocol implementation for production environments. Security first. Then architecture, governance, and the mistakes to avoid.

What MCP Actually Does

MCP standardizes how AI systems connect to external tools, data sources, and services. Before MCP, every integration required custom code. Now there's a common protocol.

The protocol operates over JSON-RPC 2.0. It supports two transport layers: stdio for local processes and HTTP with Server-Sent Events for remote integrations. This dual approach handles both development environments and distributed production systems.

MCP defines three primitives:

Tools — Functions that models can call to retrieve information or perform actions. Query a database. Send a Slack message. Create a file.

Resources — Data included in the model's context. Database records, file contents, images. The model reads these but doesn't execute them.

Prompts — Templates that guide how models interact with specific tools or resources. Structured instructions for consistent behavior.

The value is interoperability. An MCP-compatible client can connect to any MCP server without custom integration code. Build once, connect everywhere. That's the theory. Production reality requires more work.

MCP Architecture Components

A production MCP deployment has four core components.

MCP Client

The AI application that makes requests. Claude Desktop, VS Code extensions, custom agent applications. Clients discover available tools, request access, and invoke capabilities through the protocol.

Clients are responsible for:

  • Discovering server capabilities
  • Managing OAuth flows
  • Sending JSON-RPC requests
  • Handling responses and errors

MCP Server

The service that exposes tools, resources, and prompts. Enterprise-grade servers exist for PostgreSQL, filesystem operations, Slack, Google Drive, and dozens of other services.

Servers handle:

  • Capability exposure
  • Request validation
  • Tool execution
  • Response formatting

Authorization Server

The OAuth provider that issues access tokens. This might be your existing identity provider or a dedicated service. The authorization server authenticates clients, manages consent, and issues scoped tokens.

MCP Gateway (Production Essential)

A component that sits between clients and servers. The gateway provides centralized logging, policy enforcement, and traffic control. Native MCP logging is session-specific and insufficient for production.

Without a gateway, you lose visibility into agent behavior across your organization.

Security Requirements for Production

The MCP security surface is large. Clients, servers, network transport, and authorization all present attack vectors. Recent vulnerabilities demonstrate the risks.

Vulnerability Landscape

CVE-2025-49596 — Critical RCE in MCP Inspector. A DNS rebinding attack allowed browser-based exploits against developer machines. CVSS 9.4. Fixed in version 0.14.1.

CVE-2025-53109 and CVE-2025-53110 — Filesystem MCP Server vulnerabilities. Symlink and path traversal bypasses allowed sandbox escape. Full read/write access outside intended directories. Fixed in version 2025.7.1.

CVE-2025-52882 — Claude Code WebSocket authentication bypass. Malicious websites could connect to local WebSocket servers and execute commands. CVSS 8.8. Fixed in version 1.0.24.

The pattern is clear. Default MCP configurations assume trusted environments. Production deployments cannot.

Network Security

MCP traffic must be encrypted. TLS is non-negotiable for remote connections. For local stdio connections, consider host-based isolation.

Segment MCP infrastructure within your VPC. Dedicated subnets with strict firewall rules. Separate IAM policies. No implicit trust between MCP components and other systems.

Input Validation

Every input to MCP tools is a potential attack vector. Prompt injection can hijack agent behavior through tool arguments. Malicious content in resources can influence model reasoning.

Validate inputs at the server level. Filter for known injection patterns. Sanitize before processing. Defense in depth applies here as it does everywhere.

Implementing OAuth and Access Controls

The November 2025 MCP specification mandates OAuth 2.1 with significant security enhancements. Implementation details matter.

OAuth 2.1 Requirements

MCP servers are now officially classified as OAuth Resource Servers. This has implications for token handling and validation.

PKCE is mandatory. Clients must verify PKCE support before initiating authorization. Use the S256 code challenge method. This prevents authorization code interception attacks.

Resource Indicators are required. RFC 8707 resource indicators prevent token mis-redemption. Clients must specify the intended resource in token requests. Authorization servers issue tokens scoped to that specific server.

This prevents a malicious MCP server from using a token intended for a different server. The attack was theoretical. Now it's mitigated.

Client Identification

The November spec introduces URL-based client registration using OAuth Client ID Metadata Documents. Clients provide a URL pointing to a JSON document that describes client properties.

{
  "client_id": "https://example.com/.well-known/mcp-client.json",
  "client_name": "Example MCP Client",
  "redirect_uris": ["https://example.com/callback"],
  "grant_types": ["authorization_code"],
  "response_types": ["code"]
}

This approach allows client registration without pre-registration with authorization servers. It also creates SSRF risks if the URL is not validated. Verify client metadata document origins.

Token Management

Access tokens should be short-lived. Fifteen minutes is reasonable. Refresh tokens allow renewal without re-authentication.

Rotate tokens on suspicion. If agent behavior is anomalous, revoke tokens immediately. Investigate after.

Store tokens securely. Never embed secrets in prompts. They appear in logs, traces, and potentially in LLM provider telemetry.

Scoped Permissions

Apply least-privilege principles. An analytics agent needs read access to metrics databases. It does not need write access to production systems.

Define permission scopes that match your use cases:

  • read:database — Query access only
  • write:files — File creation and modification
  • execute:tools — Tool invocation without persistence
  • admin:config — Configuration changes (restricted)

Scope tokens to specific servers and specific capabilities. Broad permissions create broad attack surfaces.

Governance: Logging, Auditing, Sandboxing

Production MCP deployments require governance infrastructure that the protocol does not provide natively.

Logging Requirements

Native MCP logging is insufficient. Session-specific. Ephemeral. Lost when processes restart.

Deploy an MCP gateway for centralized logging. Every tool invocation should generate a structured log entry:

{
  "timestamp": "2025-12-28T14:32:15Z",
  "trace_id": "abc-123-def",
  "client_id": "analytics-agent",
  "server_id": "postgres-mcp",
  "tool": "query",
  "arguments": {"sql": "SELECT..."},
  "result_status": "success",
  "latency_ms": 145
}

Log requests, responses, errors, and timing. This creates the audit trail you need for debugging and compliance.

Metrics to Track

Request volume — Tool invocations per time window. Baselines help detect anomalies.

Error rates — Percentage of failed requests. Spikes indicate configuration issues or attacks.

Latency distribution — P50, P95, P99 response times. Degradation signals capacity problems.

Tool usage patterns — Which tools are called, in what sequences. Unusual patterns warrant investigation.

Datadog, Prometheus, and similar tools can ingest MCP metrics. Expect to build custom dashboards.

Audit Trails for Compliance

Regulated industries require audit trails. Healthcare, finance, government. MCP interactions must be traceable.

Retain logs according to your compliance requirements. Seven years for financial services is common. Encrypt logs at rest. Control access with RBAC.

Link MCP actions to user identity. When an agent acts on behalf of a user, that relationship must be preserved in logs.

Sandboxing and Isolation

MCP servers should run in isolated environments. Containers are a starting point but not sufficient for high-security workloads.

Kernel-level isolation provides stronger guarantees. Each MCP server runs in its own sandbox with a dedicated kernel. Google's Agent Sandbox enforces this for code-executing agents.

Network isolation prevents lateral movement. MCP servers should not have arbitrary network access. Whitelist specific endpoints. Block everything else.

Resource limits prevent runaway consumption. CPU, memory, and I/O quotas. An agent loop should not consume your entire cluster.

Claude Code implements OS-level isolation using bubblewrap on Linux and seatbelt on macOS. The sandbox blocks filesystem access outside designated directories and prevents network requests to non-allowed domains.

Common Implementation Mistakes

After reviewing dozens of MCP deployments, patterns emerge.

Deploying Without Authentication

The most common mistake. Default MCP server configurations accept connections from any client. In development, this is convenient. In production, it is a vulnerability.

Require authentication for all MCP endpoints. No exceptions.

Overly Broad Permissions

Agents are given administrative access "to make things work." Then they stay that way. Six months later, a support agent has production database write access because someone forgot to tighten permissions.

Start with minimal permissions. Add capabilities as needed. Review permissions quarterly.

Missing Origin Validation

CVE-2025-49596 exploited missing origin validation. The MCP Inspector accepted requests from any source. Browsers with permissive CORS settings could trigger exploits.

Validate request origins. Reject requests from unexpected sources. Configure CORS restrictively.

Insufficient Logging

Teams deploy MCP, confirm it works, then move on. When something goes wrong, there are no logs to investigate.

Logging is not optional. Deploy with full observability from day one.

Ignoring the Gateway Pattern

Direct client-to-server connections work in development. In production, you lose centralized visibility, policy enforcement, and traffic control.

Deploy a gateway. Route all MCP traffic through it. The initial complexity pays off in operational capability.

Treating Local Development as Safe

Developer machines are not safe. CVE-2025-49596 demonstrated that browsing a malicious website could compromise systems running local MCP tools.

Apply security controls to development environments. Localhost is not a security boundary.

Key Takeaways

  • MCP adoption is accelerating, but production readiness requires security work beyond default configurations.
  • OAuth 2.1 with PKCE and Resource Indicators is now mandatory. Implement it correctly or accept significant risk.
  • Deploy an MCP gateway for centralized logging, audit trails, and policy enforcement. Native MCP logging is insufficient.
  • Sandbox MCP servers with kernel-level or container-based isolation. Limit network access and resource consumption.
  • Recent vulnerabilities (CVE-2025-49596, CVE-2025-53109, CVE-2025-52882) demonstrate real attack surfaces. Apply patches promptly.
  • Start with minimal permissions and authentication everywhere. Convenience in development becomes vulnerability in production.

Conclusion

MCP provides valuable standardization for AI tool integration. The protocol itself is sound. The security risks come from deployment patterns, not protocol design.

Production MCP requires the same security discipline as any other integration point: authentication, authorization, logging, isolation, and continuous monitoring. Skip these, and you are deploying attack surface.

If your team is evaluating MCP for production, start with the security architecture. The integration work is straightforward. The security work determines whether you can trust what you build.

StencilWash builds secure agentic systems for enterprises. If you are deploying MCP at scale and need architecture guidance, contact us.

#security#mcp#model-context-protocol#enterprise#ai-infrastructure
Aaron McBride
Aaron McBride

Focused on security, resilience, and winning under pressure.

Related Posts

Autonomous Agents in Production: Architecture, Security, and When to Deploy

A technical guide to autonomous agent systems for engineering leaders. Covers architecture patterns, security requirements, observability, and decision frameworks for when agents are the right choice.

9 min read

The AI Agent Business Case: ROI Frameworks That Survive CFO Scrutiny

Build credible AI agent business cases. ROI frameworks, TCO calculations, and what finance teams actually want to see in your proposals.

9 min read

Spear-Phishing Campaign Targets Manufacturing Sales Teams: What Lancaster County Businesses Need to Know

A targeted phishing campaign is hitting manufacturing, industrial automation, and healthcare sectors. Here's how it works, why Lancaster County businesses are at risk, and what to do about it.

11 min read