MCP Gateway is designed to operate as a local development and debugging tool with the following security model:
- Network: Listens on
localhost:3333by default - Access: Local machine access with token-based authentication
- Authentication: Auto-generated Bearer tokens (or custom via
MCP_GATEWAY_TOKENenv var) - Storage: All data stored in user's home directory (
~/.mcp-gateway/) - Data: No sensitive data encryption at rest (design choice for dev tool)
- Gateway runs on local machine
- Used for debugging MCP integrations
- No network exposure beyond localhost
- Token-based authentication protects endpoints
- Tokens auto-generated per session or custom via env var
- Standalone test environments
- Controlled access
- Use separate credentials for testing
Not recommended without significant security hardening:
- Requires network isolation
- Should run in container with restricted permissions
- Consider reverse proxy with authentication
- See production hardening recommendations below
MCP Gateway captures and stores:
-
Request/Response Logs
- All MCP protocol messages
- Request parameters and response results
- HTTP headers and status codes
- Timestamps and duration metrics
-
Server Configuration
- Server names and URLs
- Custom headers (if any)
- Health check status
-
Session Metadata
- Client information (name, version)
- Server information (capabilities, version)
- Session identifiers
- Credentials: OAuth tokens, API keys, passwords are NOT persisted
- Sensitive Parameters: PII or secret data in MCP messages are captured as-is but not specially protected
~/.mcp-gateway/
├── mcp.json # Server registry
├── logs.db # SQLite database with captured traffic
└── logs.db-* # Database journal files
Default permissions: 700 (user read/write/execute only)
- Default: Logs retained indefinitely
- Manual: Use web UI or CLI to clear logs
- Programmatic: REST API provides clearAll() endpoint
Recommendation: Implement log rotation in production deployments
MCP servers may require OAuth authentication:
- MCP client obtains OAuth token from server
- Token is included in MCP messages to gateway
- Gateway forwards token to MCP server
- Response includes any updated tokens
- Not Persisted: OAuth tokens are captured in logs but not separately encrypted
- Log Access: Anyone with file system access to
~/.mcp-gateway/can read tokens - Sensitive Data: Treat captured logs as sensitive
-
Restrict File Permissions
chmod 700 ~/.mcp-gateway/ -
Use Separate Service Account
- Run gateway with dedicated user account
- Restrict file access to that user
-
Limit Log Retention
- Periodically clear logs
- Implement log rotation in production
-
Network Isolation
- Keep gateway on localhost only
- Use firewall rules if network exposure needed
-
Avoid Sensitive Data in Tests
- Don't test with production tokens
- Use separate staging credentials
Gateway Server
├── Web UI: http://localhost:3333/ui?token=<token> (protected)
├── REST API: http://localhost:3333/api (protected with Bearer token)
├── Gateway MCP Server: http://localhost:3333/gateway/mcp (protected with Bearer token)
├── Proxy Endpoints: http://localhost:3333/s/{server-name}/mcp (unprotected - upstream auth)
└── Outbound: Connects to configured MCP servers
- Token-Based: Bearer token authentication for API, Web UI, and management MCP server
- Auto-Generated: Tokens generated automatically on startup (displayed in terminal)
- Custom Tokens: Set
MCP_GATEWAY_TOKENenvironment variable for consistent tokens - Proxy Passthrough: Proxy endpoints (
/s/{name}/mcp) don't require auth - upstream servers handle it
- Token Authentication: Required for management endpoints
- No Encryption: HTTP only (localhost)
- Local Access: Tokens visible in terminal output (local machine access assumed)
For production deployments:
-
Reverse Proxy
- Use nginx/Caddy for TLS termination
- Add authentication (Basic Auth, OAuth)
- Implement rate limiting
-
Network Isolation
- Run in isolated VPC/network
- Use firewall rules
- Restrict outbound connections
-
TLS/SSL
- Terminate TLS at reverse proxy
- Use valid certificates
- Enforce HTTPS
-
Authentication
- Built-in Bearer token authentication enabled by default
- Use strong custom tokens via
MCP_GATEWAY_TOKENfor production - Consider additional authentication layers (OAuth, SAML) via reverse proxy
- Rotate tokens regularly
Gateway connects to configured MCP servers:
- Addresses: Whatever URLs are configured
- Authentication: Delegated to each server
- Data: Captures all traffic for logging
-
MCP Server Compromise
- Gateway will proxy traffic to compromised servers
- Logs will contain any malicious responses
-
MITM Attacks
- Uses HTTP by default
- Vulnerable to man-in-the-middle
- Production deployments should enforce HTTPS
-
Server Discovery
- Only configured servers are contacted
- New servers require explicit registration
- No automatic server discovery
~/.mcp-gateway/
drwx------ . # 700: User only
-rw------- mcp.json # 600: User read/write
-rw------- logs.db # 600: User read/write-
Verify Permissions
ls -ld ~/.mcp-gateway/ stat ~/.mcp-gateway/
-
Restrict Further (if needed)
chmod 700 ~/.mcp-gateway/ chmod 600 ~/.mcp-gateway/mcp.json chmod 600 ~/.mcp-gateway/logs.db
-
Use Separate Account
useradd mcp-gateway chown -R mcp-gateway:mcp-gateway ~/.mcp-gateway/ -
SELinux/AppArmor
- Configure policies for production
- Restrict file access
- Limit network access
If you discover a security vulnerability:
- Do NOT open a public GitHub issue
- Email: [email protected] (or appropriate contact)
- Include: Description, steps to reproduce, impact assessment
- Response: We aim to respond within 48 hours
- Vulnerability confirmed and assessed
- Fix developed and tested
- Security advisory issued
- Fixed version released
- Notification sent to users
Current Limitations:
- Gateway does not have built-in audit logging
- All MCP traffic is captured in logs
- No separate security event logging
- Enable OS-level audit logging
- Monitor file system changes to
~/.mcp-gateway/ - Track gateway process activity
- Monitor network connections
- Implement centralized log aggregation
- Regular dependency updates
- Security scanning via CI/CD
- Vulnerability monitoring via npm
See package.json for complete dependency list. Key security-relevant packages:
- bun: JavaScript runtime
- hono: Web framework
- drizzle-orm: Database ORM
- sqlite: Database engine
Monitor security advisories for these packages.
- ✅ Use localhost only
- ✅ Clear sensitive logs after debugging
- ✅ Use separate credentials for testing
- ✅ Don't commit
.mcp-gateway/directory - ✅ Review logs before sharing
- ✅ Use isolated test environment
- ✅ Use test credentials
- ✅ Clean up after tests
- ✅ Don't store sensitive data
- ✅ Run in isolated network
- ✅ Use reverse proxy with TLS
- ✅ Implement authentication
- ✅ Restrict file permissions
- ✅ Monitor and audit access
- ✅ Implement log rotation
- ✅ Use separate service account
- ✅ Regular security updates
-
Token Security
- Tokens displayed in terminal output (local machine access assumed)
- Tokens visible in browser URL (Web UI)
- No token encryption at rest
- No multi-user access control
-
No Encryption at Rest
- Logs stored unencrypted
- OAuth tokens in plain text
-
No Audit Logging
- No tracking of who accessed what
- Limited operational visibility
-
No Rate Limiting
- Vulnerable to DoS attacks
- No request throttling
-
HTTP Only
- No TLS encryption
- Man-in-the-middle vulnerable
-
No Secret Management
- Credentials stored in config files
- No encryption of sensitive values
Potential security enhancements:
- Built-in TLS support
- API authentication (Bearer tokens implemented)
- Advanced authentication (OAuth2, API keys, multi-user)
- Encrypted storage at rest
- Audit logging
- Rate limiting and DDoS protection
- Secret management integration
- Role-based access control
- Secrets redaction in logs
- Token rotation and expiration
For security questions or concerns:
- Email: [email protected]
- GitHub Issues: [Not for vulnerabilities]
- Discussions: [General security questions]
Related Documentation:
- README - User guide
- AGENTS.md - Development guide
- TROUBLESHOOTING - Common issues