MCP Server Security Standard
The MCP Server Security Standard (MSSS) is an open, vendor-neutral security standard for Model Context Protocol (MCP) servers.
Quick Access
- Latest Version - Current development version
- Stable Release v0.1.0 - January 2026
About MSSS
This standard provides a comprehensive framework with 23 security controls organized into 8 security domains to help you build secure MCP servers.
Security Controls
The following table lists all security controls defined in the MCP Server Security Standard:
| Control ID | Domain | Description |
|---|---|---|
| MCP-FS-01 | Filesystem | Path Allowlisting and Canonical Resolution |
| MCP-FS-02 | Filesystem | Symlink Resolution Validation |
| MCP-FS-03 | Filesystem | Filesystem Sandboxing |
| MCP-EXEC-01 | Process Execution | Prohibition of Shell Execution |
| MCP-EXEC-02 | Process Execution | Command Allowlisting |
| MCP-EXEC-03 | Process Execution | Argument Separator Usage |
| MCP-NET-01 | Network Access | URL Validation and Sanitization |
| MCP-NET-02 | Network Access | Egress Filtering and Allowlisting |
| MCP-NET-03 | Network Access | TLS Enforcement |
| MCP-AUTHZ-01 | Authorization | OAuth Delegation |
| MCP-AUTHZ-02 | Authorization | Tool Scopes |
| MCP-AUTHZ-03 | Authorization | Least Privilege Principle |
| MCP-AUTHZ-04 | Authorization | Role-Based Access Control (RBAC) |
| MCP-INPUT-01 | Input Validation | Schema Validation |
| MCP-INPUT-02 | Input Validation | Bounds Checking |
| MCP-INPUT-03 | Input Validation | Timeout Enforcement |
| MCP-LOG-01 | Logging | Audit Logging |
| MCP-LOG-02 | Logging | Secret Redaction |
| MCP-SUPPLY-01 | Supply Chain | Package Integrity Verification |
| MCP-SUPPLY-02 | Supply Chain | Trusted Sources |
| MCP-DEPLOY-01 | Deployment | Container Hardening |
| MCP-DEPLOY-02 | Deployment | Seccomp Enforcement |
| MCP-DEPLOY-03 | Deployment | Resource Limits |
Getting Started
- Read the Core Specification
- Review the Threat Model
- Choose a Deployment Profile (L1-L6)
- Browse Controls by Domain
Documentation
- Core Standard - Specification, profiles, and threat model
- Security Controls - Organized by domain
- Reporting - Compliance reporting schemas
- Governance - Contributing and policies
License: CC BY 4.0