diff --git a/1.0/en/0x10-C10-MCP-Security.md b/1.0/en/0x10-C10-MCP-Security.md index 3356e34..ac6425b 100644 --- a/1.0/en/0x10-C10-MCP-Security.md +++ b/1.0/en/0x10-C10-MCP-Security.md @@ -44,6 +44,7 @@ Ensure secure discovery, authentication, authorization, transport, and use of MC | **10.3.3** | **Verify that** SSE-based MCP transports are used only within private, authenticated internal channels and enforce TLS, authentication, schema validation, payload size limits, and rate limiting; SSE endpoints must not be exposed to the public internet. | 2 | | **10.3.4** | **Verify that** MCP servers validate the `Origin` and `Host` headers on all HTTP-based transports (including SSE and streamable-HTTP) to prevent DNS rebinding attacks and reject requests from untrusted, mismatched, or missing origins. | 2 | | **10.3.5** | **Verify that** intermediaries do not alter or remove the `Mcp-Protocol-Version` header on streamable-HTTP transports unless explicitly required by the protocol specification, preventing protocol downgrade via header stripping. | 2 | +| **10.3.6** | **Verify that** MCP clients enforce a minimum acceptable protocol version and reject server capability negotiation responses that propose a version below that minimum, preventing a server or intermediary from forcing use of a protocol version with weaker security properties. | 2 | --- diff --git a/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md b/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md index 9f04dd2..1986ae9 100644 --- a/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md +++ b/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md 
@@ -92,6 +92,7 @@ Protect data moving between services, agents, tools, and edge devices. | Authenticated accelerator interconnects (NVLink, PCIe, InfiniBand) | 4.7.7 | | Encrypted edge-to-cloud communication with bandwidth throttling | 4.8.6 | | Log encryption in transit | 13.1.3 | +| MCP client minimum protocol version enforcement against downgrade negotiation | 10.3.6 | **Common pitfalls:** allowing plaintext interconnects in multi-tenant GPU clusters; using SSE over public internet without TLS; not validating certificates on internal service calls.
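Review bot: the new 10.3.6 row in 0x10-C10-MCP-Security.md says what the client must reject but not what it must do next, so an implementer could satisfy the text by logging the rejection and continuing the session on the lower version. State the fail-closed behaviour explicitly, e.g. "… and terminate the session without sending further requests when the negotiated version is below that minimum". Two smaller points: the minimum should be an explicit, documented client setting rather than an implicit "whatever the client happens to support", otherwise it cannot be audited at L2; and since 10.3.5 already addresses the `Mcp-Protocol-Version` header on streamable-HTTP, it is worth cross-referencing it here (the negotiated version and the header value must agree, or the header check in 10.3.5 can be satisfied while the negotiation is still downgraded).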
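Review bot: the Appendix D hunk adds the inventory row but leaves the "Common pitfalls" line for this section untouched, so the pitfall the new control guards against is not listed alongside the SSE and plaintext-interconnect pitfalls that already map to 10.3.x controls. Add a matching entry, e.g. "accepting whatever protocol version an MCP server or intermediary proposes during negotiation", so the pitfalls sentence stays consistent with the control table it summarises. Also worth checking that the other MCP transport controls in the same 10.3 block (10.3.4, 10.3.5) appear in this section's table as well; only 10.3.6 is visible here, and a lone MCP row next to "Log encryption in transit | 13.1.3" reads as an afterthought rather than part of a grouped set.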