5 Ways to Secure Your QuickMCP Servers
Essential security practices for QuickMCP: path filtering, environment variables, authentication, rate limiting, and monitoring. Protect your MCP servers from common vulnerabilities.
Security isn't optional when you're exposing APIs to AI assistants. Here are five essential practices to secure your QuickMCP servers.
1. Use Path Filtering to Block Dangerous Endpoints
Never expose admin, debug, or destructive endpoints through MCP.
Block Patterns
quickmcp build config \
--spec-url https://api.example.com/swagger.json \
--exclude-paths "/admin/*,/internal/*,/debug/*,*/delete,*/remove" \
--output-path ./secure-config.json
What This Blocks
/admin/*- All admin operations/internal/*- Internal-only endpoints/debug/*- Debug and development endpoints*/delete- Any DELETE operations*/remove- Remove operations
Whitelist Approach
More restrictive - only allow specific paths:
quickmcp build config \
--only-for-paths "/users/get,/posts/list,/search/*" \
--output-path ./readonly-config.json
2. Never Hardcode Credentials
The Wrong Way
{
"authentication": {
"type": "Bearer",
"token": "ghp_actual_secret_token_abc123"
}
}
The Right Way
{
"authentication": {
"type": "Bearer",
"token": "${GITHUB_TOKEN}"
}
}
Then:
export GITHUB_TOKEN="ghp_your_token"
quickmcp serve --config-path ./config.json
For Claude Desktop
Add environment variables in the config:
{
"mcpServers": {
"github": {
"command": "quickmcp",
"args": ["serve", "--config-path", "/path/to/config.json"],
"env": {
"GITHUB_TOKEN": "ghp_your_token_here"
}
}
}
}
3. Implement Proper Authentication
Choose the strongest authentication method your API supports.
Security Ranking
- OAuth 2.0 - Best for production
- Bearer Token - Good for modern APIs
- API Key - Acceptable for internal tools
- Basic Auth - Use only for legacy systems
- None - Only for truly public APIs
OAuth 2.0 Example
{
"authentication": {
"type": "OAuth2",
"tokenUrl": "https://auth.company.com/oauth/token",
"clientId": "${OAUTH_CLIENT_ID}",
"clientSecret": "${OAUTH_CLIENT_SECRET}",
"scopes": ["read"]
}
}
Apply Least Privilege
Only request the scopes you need:
// Too permissive
"scopes": ["read", "write", "admin", "delete"]
// Better
"scopes": ["read"]
4. Monitor and Log Activity
Enable logging to track what your MCP server is doing.
Enable Logging
quickmcp serve --config-path ./config.json --logging
What to Monitor
- Authentication failures - Indicates brute force attempts
- Rate limit errors - API usage patterns
- Unusual endpoints - Unexpected access patterns
- Error rates - Potential issues or attacks
Log Analysis
Save logs and analyze them:
quickmcp serve --config-path ./config.json --logging > server.log 2>&1
Then search for issues:
# Find authentication failures
grep "auth failed" server.log
# Find rate limits
grep "rate limit" server.log
# Find errors
grep "error" server.log -i
5. Rotate Credentials Regularly
Set up a rotation schedule:
Rotation Schedule
| Credential Type | Rotation Frequency |
|---|---|
| API Keys | Every 90 days |
| Bearer Tokens | Every 90 days |
| OAuth Secrets | Every 180 days |
| Passwords | Every 90 days |
Automation Script
Create a reminder:
# Add to crontab
0 0 1 * * echo "Time to rotate API credentials!" | mail -s "Security Reminder" you@example.com
Bonus: Rate Limiting Awareness
QuickMCP proxies requests to your API. Your API's rate limits still apply.
Check Rate Limits
Most APIs return rate limit info in headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640000000
Handle Rate Limits
If you hit rate limits frequently:
- Use bulk endpoints instead of individual calls
- Filter paths to exclude unnecessary endpoints
- Implement caching at the MCP client level
Security Checklist
Before deploying a QuickMCP server to production:
- [ ] Path filtering configured to exclude admin/debug endpoints
- [ ] All credentials use environment variables
- [ ] Strongest available authentication method configured
- [ ] Logging enabled for monitoring
- [ ] Credential rotation schedule set
- [ ] Rate limits understood and documented
- [ ] Testing completed with real MCP clients
- [ ] Configuration file reviewed (no hardcoded secrets)
Common Security Mistakes
Mistake 1: Exposing Everything
Don't expose your entire API:
# Bad - exposes everything
quickmcp serve --spec-url https://api.example.com/swagger.json
# Good - filters dangerous paths
quickmcp build config \
--spec-url https://api.example.com/swagger.json \
--exclude-paths "/admin/*,/internal/*"
Mistake 2: Committing Secrets
Never commit configuration files with secrets to Git:
# Add to .gitignore
*.config.json
*-config.json
.env
Mistake 3: Using Weak Authentication
If your API supports OAuth 2.0, use it. Don't downgrade to API keys for convenience.
Testing Security
Test 1: Try Accessing Blocked Endpoints
# Start server with path filtering
quickmcp serve --config-path ./filtered-config.json --logging
# Try to call blocked endpoint through MCP client
# Should fail or not appear in available tools
Test 2: Verify Authentication
# Remove auth from config temporarily
# Server should fail to connect to API
Test 3: Check Logs
quickmcp serve --config-path ./config.json --logging
# Verify logs show:
# - Authentication headers (sanitized)
# - Request/response info
# - No exposed secrets
Incident Response
If you suspect a security issue:
- Immediately stop the MCP server
- Rotate all credentials
- Review logs for unauthorized access
- Update path filters if needed
- Test before redeploying
Resources
Security is an ongoing process, not a one-time setup. Review these practices regularly and stay vigilant.