MCP Security: A Developer’s Guide

Since its release by Anthropic in November 2024, Model Context Protocol (MCP) has gained massive adoption and is quickly becoming the connective tissue between AI agents and the tools, APIs, and data they act on. 

With just a few lines of configuration, an agent can search code, open tickets, query SaaS systems, or even deploy infrastructure. That kind of flexibility is powerful but it also introduces new security challenges. In fact, security researchers analyzing the MCP ecosystem found command injection flaws affecting 43% of analyzed servers. A single misconfigured or malicious server can exfiltrate secrets, trigger unsafe actions, or quietly change how an agent behaves. 

This guide is for developers and platform teams building with agents. We’ll unpack what makes MCP workflows uniquely risky for AI infrastructure, highlight common missteps like prompt injection or shadow tooling, and show how secure defaults, like containerized MCP servers and policy-based gateways, can help you govern every tool call without slowing your AI roadmap.

What is MCP security?

Model Context Protocol is a standardized interface that enables AI agents to interact with external tools, databases, and services. MCP security refers to the controls and risks that govern how agents discover, connect to, and execute MCP servers. These security risks span across the entire development lifecycle and involve:

• Supply chain: how servers are packaged, signed, versioned, and approved.
• Runtime isolation: how they’re executed on the host vs. in containers, with CPU/memory/network limits.
• Brokered access: how calls are mediated, logged, blocked, or transformed in real time.
• Client trust: which tools a given IDE/agent is allowed to see and use.

Why does MCP security matter?

Securing MCP workflows has become more important than ever because AI agents blur the line between “code” and “runtime.” A prompt or tool description can change what your system is capable of without a code release. 

This means that security practices have to move up a layer, from static analysis to policy over agent‑tool interactions. Docker codifies that policy in a gateway and makes secure defaults practical for everyday developers.

Docker’s approach is to make MCP both easy and safe through containerized execution, a policy‑enforcing MCP Gateway, and a curated MCP Catalog & Toolkit that helps teams standardize what agents can do. If you’re building with agents, this guide will help you understand the risks, why traditional tools fall short, and how Docker reduces blast radius without slowing your AI roadmap.

Understanding MCP security risks

While MCP risks can show up in various ways across the dev lifecycle, there are specific categories they typically fall into. The section below highlights how these risks surface in real workflows, their impact, and practical guardrails that mitigate without slowing teams down. 

Misconfigurations & weak defaults

• Running servers directly on the host with broad privileges or a persistent state.
• Unrestricted network egress from tools to the public internet.
• Unvetted catalogs/registries in client configs, exposing agents to unknown tools.
• No audit trail for tool calls-hard to investigate or respond.

Impact: Lateral movement, data exfiltration, and irreproducible behavior.

Mitigation: Always follow MCP server best practices such as leveraging containerization, applying resource and network limits, maintaining an allowlist of approved tools, and capturing call logs centrally.

Malicious or compromised servers (supply chain)

• Typosquatting/poisoned images or unsigned builds.
• Hidden side effects or altered tool metadata that nudges agents into risky actions.

Impact: Covert behavior change, credential theft, persistent access.

Mitigation: Require signature verification, pin versions/digests, and pull from curated sources such as the MCP Catalog & Toolkit.

Secret management failures

• Plaintext credentials in environment variables, prompts, or tool arguments.
• Leakage via tool outputs or model completions.

Impact: Account takeover, data loss.

Mitigation: Use managed secrets, minimize prompt exposure, and redact or block sensitive values at the broker.

Prompt injection & tool poisoning

• Prompt injection: hostile content instructs the model to exfiltrate data or call dangerous tools.
• Tool poisoning/shadowing: misleading tool descriptions or unexpected defaults that steer the agent.

Impact: Agents do the wrong thing, confidently.

Mitigation: Strict tool allowlists, pre/post‑call interceptors, and output filtering at the gateway. Docker’s MCP Gateway provides active security capabilities (signature checks, call logging, secret and network controls, interceptors).

What makes MCP security challenging?

• Dynamic & non‑deterministic behavior: the same prompt may lead to different tool calls.
• Instruction vs. data ambiguity: LLMs can treat content (including tool docs) as instructions.
• Growing, shifting attack surface: every new tool expands what the agent can do instantly.
• Traditional AppSec gaps: Static analysis tools don’t see agentic tool calls or MCP semantics; you need mediation between agents and tools, not just better prompts.

Implication for developers: You need a guardrail that lives at the agent–tool boundary, verifying what runs, brokering what’s allowed, and recording what happened.

How to prevent and mitigate MCP server security concerns

Use this practitioner checklist to raise the floor:

1. Containerize every MCP server
   Run servers in containers (not on the host) with CPU/memory caps and a read‑only filesystem where possible. Treat each server as untrusted code with the least privilege necessary.
   Why it helps: limits blast radius and makes behavior reproducible.
2. Centralize enforcement at a gateway (broker)
   Place a policy‑enforcing gateway between clients (IDE/agent) and servers. Use it to:
   • Verify signatures before running servers.
   • Maintain a tool allowlist (only approved servers are discoverable).
   • Apply network egress controls and secret redaction.
   • Log requests/responses for audit and incident response.
3. Govern secrets end‑to‑end
   Store secrets in a managed system; avoid .env files. Prefer short‑lived tokens. Sanitize prompts and tool outputs to reduce exposure.
4. Defend the prompt layer
   Use pre‑call interceptors (argument/type checks, safety classifiers) and post‑call interceptors (redaction, PII scrub). Combine with strict tool scoping to reduce prompt‑injection blast radius.
5. Harden the supply chain
   Pull servers from curated sources (e.g., MCP Catalog & Toolkit), require signatures, and pin to immutable versions.
6. Monitor and rehearse
   Alert on anomalous tool sequences (e.g., sudden credential access), and run tabletop exercises to rotate tokens and revoke access.

How Docker makes MCP security practical

Turning MCP security from theory into practice means putting guardrails where agents meet tools and making trusted servers easy to adopt for agentic workflows. Docker’s MCP stack does both: Docker Gateway enforces policy and observability on every call, while the Docker MCP Catalog & Toolkit curates, verifies, and versions the servers your team can safely use.

Docker MCP Gateway: Your enforcement point

The gateway sits between clients and servers to provide verification, policy, and observability for every tool call. It supports active security measures like signature verification, call logging, secret and network controls, and pre/post-interceptors so you can block or transform risky actions before they reach your systems. 

Learn more in Docker MCP Gateway: Unified, Secure Infrastructure for Agentic AI and the Gateway Active Security documentation.

Docker MCP Catalog & Toolkit: Curation and convenience

Use the MCP Catalog & Toolkit to standardize the servers your organization trusts. The catalog helps reduce supply‑chain risk (publisher verification, versioning, provenance) and makes it straightforward for developers to pull approved tools into their workflow. With a growing selection of 150+ curated MCP servers, MCP Catalog is a safe and easy way to get started with MCP.

Looking for a broader view of how Docker helps with AI development? Check out Docker for AI.

Putting it all Together: A practical flow

1. Choose servers from the Catalog and pin them by digest.
2. Register servers with the Gateway so clients only see approved tooling.
3. Enable active security: verify signatures, log all calls, redact/deny secrets, and restrict egress.
4. Add pre/post interceptors: validate arguments (before), redact/normalize outputs (after).
5. Monitor and tune: review call logs, alert on anomalies, rotate secrets, and update allowlists as new tools are introduced.

Conclusion

MCP unlocks powerful agentic workflows but also introduces new classes of risk, from prompt injection to tool poisoning and supply‑chain tampering. MCP security isn’t just better prompts; it’s secure packaging, verified distribution, and a brokered runtime with policy.

Key takeaways

• Treat MCP as a governed toolchain, not just an SDK.
• Put a policy gateway between agents and tools to verify, mediate, and observe.
• Pull servers from the MCP Catalog & Toolkit and pin versions/digests.
• Use active security features such as signature checks, interceptors, logging, and secret/network controls to reduce blast radius.

Learn more

Browse the MCP Catalog: Discover 200+ containerized, security-hardened MCP servers

Download the MCP Toolkit in Docker Desktop: Get immediate access to secure credential management and container isolation

Submit Your Server: Help build the secure, containerized MCP ecosystem. Check our submission guidelines for more.

Follow Our Progress: Star our repository for the latest security updates and threat intelligence