πŸ” MCP Gateway v0.3.1 - 2025-01-11 Security, XSS protection and Data Validation (Pydantic, UI)

@crivetimihai crivetimihai released this 11 Jul 03:13
528cb28

πŸ” MCP Gateway v0.3.1 – 2025-01-11

This security-focused release delivers comprehensive input validation, output escaping, and data sanitization to protect against XSS and injection attacks when handling data from untrusted MCP servers. It also includes UI improvements and code quality enhancements.

🔒 Security First: Defense in Depth

This release prioritizes defense in depth with multiple layers of security validation:

  • Input Validation Framework – Comprehensive validation for all API endpoints
  • Output Escaping – HTML-escaped display of user-controlled content in UI
  • Data Sanitization – Protection against XSS injection from untrusted MCP servers
  • Secure Defaults – Admin UI and API disabled by default (development-only features)
  • Automated Security Pipeline – 24+ security tools including CodeQL, Bandit, Trivy, and OSV-Scanner

Important: The Admin UI is for development only and must never be exposed in production. It's designed for localhost-only access with trusted MCP servers. For production, disable it completely and use only the REST API with proper authentication.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM.

✨ Highlights

  • πŸ›‘οΈ Comprehensive Security Hardening – Input validation for all /admin and main API endpoints with configurable rules (#339, #340)
  • πŸ”’ XSS Protection – Enhanced output handling ensures all user-controlled content is properly HTML-escaped (#336)
  • βœ… Zero Lint Status – Resolved all 312 code quality issues across the web stack (#338)
  • πŸ”§ Test Connectivity Tool – New debugging feature to validate gateway connections (#181)
  • πŸ’Ύ Persistent UI State – Filters and view preferences now persist across page refreshes (#177)
  • 🎨 Revamped UI Components – Metrics and version tabs rewritten for consistency
  • πŸ§ͺ UI-Disabled Mode Support – Fixed unit tests to handle configurations with UI disabled (#378)
  • 🏷️ Semantic Versioning – Version endpoint now includes proper semantic version, not just git revision (#369)

🚨 Important Limitations

  • Not Multi-Tenant Ready – Deploy as a single-tenant component and implement user isolation, RBAC, and resource management in your application layer. Many of the features needed for true multi-tenancy, along with additional security policies and tools, are slated for releases 0.7.0 - 0.8.0
  • Admin UI is Development-Only – Never expose in production; build your own production UI with appropriate security controls
  • Beta Software – Validate all MCP servers before connecting; expect breaking changes between releases

🆕 Added

Security Enhancements

  • Comprehensive Input Validation Framework (#339, #340):

    • All /admin endpoints validated – tools, resources, prompts, gateways, and servers
    • All non-admin API endpoints validated for consistent data integrity
    • Configurable validation rules with sensible defaults:
      • Character restrictions: names ^[a-zA-Z0-9_\-\s]+$, tool names ^[a-zA-Z][a-zA-Z0-9_]*$
      • URL scheme validation: http://, https://, ws://, wss://
      • JSON nesting depth limits (default: 10 levels)
      • Field-specific length limits (names: 255, descriptions: 4KB, content: 1MB)
      • MIME type validation for resources
    • Clear error messages guide users to correct input formats
  • Enhanced Output Handling (#336):

    • All user-controlled content properly HTML-escaped in Admin UI
    • Protected fields: prompt templates, tool names/annotations, resource content, gateway configs
    • Ensures data displays as intended without unexpected behavior
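
The rules listed above (name and tool-name patterns, URL scheme allowlist, JSON depth and length limits) and the HTML escaping of server-supplied content, shown together as an added example. This is not MCP Gateway's own code: it is a hypothetical stdlib-only validator; the bare scheme names in `ALLOWED_URL_SCHEMES` and the `json_depth` counting convention are assumptions, and the sample inputs are constructed.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Limits and patterns mirror the defaults quoted in these release notes (added example, not project code).
MAX_NAME_LENGTH = 255
MAX_CONTENT_LENGTH = 1_048_576  # 1MB content limit
MAX_JSON_DEPTH = 10
ALLOWED_URL_SCHEMES = {"http", "https", "ws", "wss"}  # assumption: scheme names without "://"
NAME_RE = re.compile(r"[a-zA-Z0-9_\-\s]+")           # page: ^[a-zA-Z0-9_\-\s]+$
TOOL_NAME_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9_]*")  # page: ^[a-zA-Z][a-zA-Z0-9_]*$

def validate_name(value: str, pattern: re.Pattern = NAME_RE) -> str:
    """fullmatch() rather than $ so a trailing newline cannot slip past the pattern."""
    if not value or len(value) > MAX_NAME_LENGTH or not pattern.fullmatch(value):
        raise ValueError(f"name must match {pattern.pattern} and be <= {MAX_NAME_LENGTH} chars")
    return value

def validate_url(value: str) -> str:
    """Accept only the listed schemes and require a host, so javascript: or file: URLs fail."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
        raise ValueError(f"URL scheme must be one of {sorted(ALLOWED_URL_SCHEMES)}")
    return value

def json_depth(obj, depth: int = 1) -> int:
    """Nesting depth of a parsed JSON value; a scalar or empty container counts as 1 (assumed convention)."""
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else ()
    return max((json_depth(c, depth + 1) for c in children), default=depth)

def validate_json(raw: str) -> object:
    """Reject oversize or deeply nested payloads before any handler touches them."""
    if len(raw) > MAX_CONTENT_LENGTH:
        raise ValueError(f"content exceeds {MAX_CONTENT_LENGTH} bytes")
    obj = json.loads(raw)
    if json_depth(obj) > MAX_JSON_DEPTH:
        raise ValueError(f"JSON nested deeper than {MAX_JSON_DEPTH} levels")
    return obj

def render_untrusted(text: str) -> str:
    """Escape server-supplied text (tool names, prompt templates) before it lands in Admin UI HTML."""
    return html.escape(text, quote=True)

def rejects(check, value) -> bool:
    """True when a validator refuses the value."""
    try:
        check(value)
    except ValueError:
        return True
    return False
```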

Features

  • Test MCP Server Connectivity Tool (#181) – Debug and validate gateway connections from Admin UI
  • Persistent Admin UI Filter State (#177) – View preferences persist across refreshes
  • Revamped UI Components – Metrics and version tabs rewritten for consistency

Fixes

  • Unit Test Compatibility (#378) – Tests now properly handle UI-disabled mode configurations
  • Version Endpoint Enhancement (#369) – Now includes semantic version (e.g., "0.3.1") not just git revision

🔄 Changed

  • Code Quality Achievement (#338):

    • Resolved all 312 code quality issues
    • Updated 14 JavaScript patterns
    • Applied 2 HTML structure corrections
    • Standardized naming conventions
    • Removed unused code
  • Security Defaults:

    • Admin UI disabled by default: MCPGATEWAY_UI_ENABLED=false
    • Admin API disabled by default: MCPGATEWAY_ADMIN_API_ENABLED=false
    • Update your .env file to explicitly enable these features
  • Validation Configuration – New environment variables:

    VALIDATION_MAX_NAME_LENGTH=255
    VALIDATION_MAX_DESCRIPTION_LENGTH=4096
    VALIDATION_MAX_JSON_DEPTH=10
    VALIDATION_ALLOWED_URL_SCHEMES=["http://", "https://", "ws://", "wss://"]
  • Performance – Validation overhead kept under 10ms per request

  • Security Pipeline – Every PR now passes through 24+ automated security scans including:

    • SAST: CodeQL, Bandit, multiple type checkers
    • Dependency Scanning: OSV-Scanner, Trivy, npm audit
    • Container Security: Hadolint, Dockle, Trivy
    • Code Quality: Multiple linters ensuring maintainability

πŸ” Security Notes

Defense in Depth Strategy

MCP Gateway is designed as one component in a comprehensive security strategy:

  1. Upstream validation: Verify and trust all MCP servers before connection
  2. Gateway validation: Input/output validation and sanitization (this release)
  3. Downstream validation: Applications must implement their own security controls
  4. Network isolation: Use firewalls and network policies
  5. Monitoring: Implement logging and alerting for anomalies

Review Your Configuration

Admin features are now disabled by default for security:

MCPGATEWAY_UI_ENABLED=false        # Keep false in production
MCPGATEWAY_ADMIN_API_ENABLED=false # Keep false in production

Developer Security Tools

Run the same 24+ security scans locally that execute in CI/CD:

make pre-commit  # Run before every commit (includes Bandit)
make lint        # Full security and quality suite
make bandit      # Python security vulnerabilities
make trivy       # Container vulnerability scanning
make osv-scan    # Open source vulnerability database

📦 Upgrade Instructions (PyPI)

  1. Update your package:

    pip install --upgrade mcp-contextforge-gateway==0.3.1
  2. Review security settings in your .env:

    # Copy from .env.example for secure defaults
    cp .env.example .env
    # Then enable only required features

📋 Production Deployment Checklist

When deploying MCP Gateway v0.3.1:

  • Disable Admin UI (MCPGATEWAY_UI_ENABLED=false)
  • Disable Admin API (MCPGATEWAY_ADMIN_API_ENABLED=false)
  • Enable authentication for all endpoints
  • Configure TLS/HTTPS with valid certificates
  • Validate all MCP servers before connection
  • Implement downstream validation in your applications
  • Set up monitoring and anomaly detection
  • Review validation rules for your use case

See the full Security Policy for complete deployment guidelines.

👥 Contributors

This security-focused release was delivered through excellent teamwork. Some of the items closed in 0.3.1 include:

  • Security Implementation – Input validation framework (#339, #340) and output escaping (#336)
  • Code Quality – Achieved zero lint status across 312 issues (#338)
  • Testing Improvements – UI-disabled mode support (#378)
  • Version Enhancement – Semantic versioning in API (#369)
  • UI/UX Features – Test connectivity tool (#181) and persistent filter state (#177)

Special thanks to all contributors who helped make MCP Gateway more secure and robust!


🔗 Resources