Surf Data
Criar ContaCriar Conta
Voltar ao Blog
MCPSecurityOAuth 2.1Audit LogsAI AgentsPrompt Injection

MCP server security: Best practices for protecting your data from AI agents

OAuth 2.1, least-privilege, audit logs, prompt injection — the essential security best practices for MCP servers in 2026 and how to implement them.

Diogo Felizardo·Founder, Surf Data
25 de fevereiro de 20265 min de leitura

MCP servers are the new attack surface. With massive adoption of the Model Context Protocol in 2026, AI agents now have direct access to databases, APIs, and internal systems. And attackers know it.

The problem isn't the protocol itself — MCP is well-designed. The problem is how most servers are implemented: with static credentials, no access control, no logs, and vulnerable to prompt injection.

This guide covers essential best practices for securing your MCP servers, based on research from Astrix Security, CoSAI, Strata Identity, and emerging security frameworks.

1. Authentication: OAuth 2.1 as the standard

The biggest security problem in MCP servers today is authentication. According to Astrix Security, 53% of production servers use static credentials — hardcoded API keys that are never rotated.

What to implement

OAuth 2.1 with PKCE is the recommended standard in the MCP specification for authentication:

  • Short-lived tokens — access tokens with TTL of minutes, not days
  • Refresh tokens — automatic rotation with revocation of the previous token
  • Granular scopes — each agent receives only the permissions it needs
  • PKCE (Proof Key for Code Exchange) — protection against authorization code interception

If OAuth 2.1 isn't feasible for your use case, at minimum implement:

  • Hashed tokens (SHA-256) — never store tokens in plain text
  • Automatic rotation with expiration
  • Immediate revocation of compromised tokens

What to avoid

  • Static API keys in .env files
  • Tokens without expiration
  • Shared credentials across multiple agents
  • Basic auth over HTTP (always use HTTPS)

2. Principle of Least Privilege

An AI agent doesn't need access to the entire database. In fact, the less access the better — both for security and response quality.

How to apply

At the database layer:

  • Create database users specific to MCP with READ-ONLY permissions
  • Restrict access to specific tables and columns
  • Use views to expose only necessary data

At the MCP layer:

  • Each tool should execute a specific, pre-defined query
  • Never expose an "execute any SQL" as a tool
  • Limit the number of rows returned (a cap of 100 is good practice)
  • Block destructive operations (DROP, DELETE, INSERT, UPDATE, ALTER)

At the agent layer:

  • Each agent should have its own token with specific scopes
  • Sales agents don't access HR data
  • Support agents don't access complete financial records

3. Prompt Injection Protection

Prompt injection is the most underestimated attack in MCP systems. An AI agent accessing data via MCP can be manipulated to perform unintended actions.

Attack vectors

According to TrueFoundry, the main vectors are:

  • Indirect prompt injection via data — malicious data stored in the database that, when read by the agent, alters its behavior
  • Tool poisoning — manipulated tool descriptions that induce the agent to perform unauthorized actions
  • Cross-tool escalation — an agent using a legitimate tool to access data from another unauthorized tool

How to protect yourself

  • Validate inputs and outputs — sanitize data passing through MCP, both incoming and outgoing
  • Isolate tools — each tool should operate in its own context, without access to other tools
  • Limit each tool's scope — pre-defined queries, no dynamic SQL
  • Monitor anomalous patterns — an agent making 1,000 queries in sequence is a red flag
  • Don't trust returned data — treat database data as potentially malicious before sending it to the agent

4. Audit Logs and Observability

Without logs, you don't know what's happening on your MCP server. And if you don't know, you can't protect.

What to record

Each tool invocation should generate a log containing:

  • Timestamp — when the execution happened
  • Agent — which agent (token) made the request
  • Tool — which tool was invoked
  • Query — which SQL was executed
  • Result — how many rows returned, execution time
  • Source IP — where the request came from

Best practices

  • Immutable logs — use append-only storage; logs cannot be altered or deleted
  • Minimum 12-month retention — for compliance and forensic investigation
  • Automatic alerts — configure alerts for suspicious patterns (anomalous volume, non-standard queries, denied access attempts)
  • Usage dashboard — visualize access patterns to identify anomalies quickly

5. Transport Security

Communication between the agent and the MCP server must be protected in transit.

Checklist

  • TLS 1.3 — all MCP communication must use HTTPS
  • Certificate pinning — for high-security environments
  • Origin validation — accept requests only from known origins
  • Rate limiting — limit requests per token to prevent abuse
  • Timeouts — queries taking too long should be canceled

6. Sensitive Data Masking

For Brazilian companies, PII masking isn't optional — it's a legal requirement (LGPD). But even outside Brazil, masking sensitive data before it reaches AI agents is a security best practice.

Patterns to detect and mask

  • National IDs (CPF) — ..***-XX (keep last 2 digits for reference)
  • Email — d***@***.com
  • Phone — (**) ****-XXXX
  • Full name — D*** F***
  • Address — mask completely
  • Financial data — mask account numbers, sensitive values

Where to apply

Masking should happen at the MCP layer, before data reaches the agent. Trusting the LLM to mask data is not a security strategy.

Detection should be automatic (based on column and content patterns) with the option for manual configuration for specific cases.

How Surf Data implements these practices

At Surf Data, each of these practices is implemented natively:

| Practice | Implementation | |----------|---------------| | Authentication | Bearer tokens with SHA-256 hash, rotation via dashboard | | Least-privilege | Each tool = a specific SQL query, READ-ONLY by default | | Prompt injection | Pre-defined queries (no dynamic SQL), destructive operation blocking | | Audit logs | Immutable log per invocation with timestamp, agent, query, and result | | Transport | Mandatory HTTPS, rate limiting per token | | PII masking | Automatic Brazilian pattern detection, configurable per tool | | Result limits | 100-row cap per response |

Conclusion

MCP security isn't a "nice to have" — it's the difference between a successful AI agent implementation and a security incident.

The practices listed in this guide aren't theoretical. They're the minimum required to operate MCP servers in production with real data. OAuth 2.1, least-privilege, prompt injection protection, audit logs, transport security, and data masking — each layer is essential.

The question for your team: how many of these practices have you already implemented?

Compartilhar