Secure MCP Server
Provides an enterprise-grade Model Context Protocol implementation with advanced security features including multi-factor authentication, encryption, and RBAC. Enables secure tool management and context handling for production deployments with comprehensive monitoring and high availability.
README
Secure MCP Server
Enterprise-Grade Model Context Protocol Implementation
A production-ready, secure, and scalable Model Context Protocol (MCP) server designed for enterprise deployments with advanced security features, comprehensive monitoring, and high availability.
Features
Core Capabilities
- Model Context Protocol (MCP) v0.5.0 - Full implementation of the MCP specification
- WebSocket & HTTP Transport - Dual transport layer support for flexible client connectivity
- Tool Management - Dynamic tool registration, validation, and execution
- Context Management - Efficient context handling with configurable limits and caching
Security Features
- Multi-Factor Authentication - JWT + TOTP/SMS-based 2FA
- SAML 2.0 Integration - Enterprise SSO support
- End-to-End Encryption - TLS 1.3 with certificate pinning
- Vault Integration - HashiCorp Vault for secrets management
- Rate Limiting - Configurable per-endpoint and per-user limits
- RBAC - Role-based access control with granular permissions
Enterprise Features
- High Availability - Multi-region deployment with automatic failover
- Horizontal Scaling - Kubernetes-native with auto-scaling
- Monitoring & Observability - Prometheus, Grafana, and distributed tracing
- Audit Logging - Comprehensive audit trails for compliance
- Database Support - PostgreSQL with read replicas and Redis caching
- Message Queue Integration - RabbitMQ/Kafka for async processing
Installation
NPM Package Installation
Server Package
npm install @perfecxion/secure-mcp-server
Client SDK
npm install @perfecxion/secure-mcp-client
Docker Installation
docker pull perfecxion/secure-mcp-server:latest
Quick Start
Prerequisites
- Node.js >= 20.0.0
- Docker & Docker Compose
- PostgreSQL 15+
- Redis 7+
- (Optional) Kubernetes cluster for production deployment
Using NPM Package
import { SecureMCPServer } from '@perfecxion/secure-mcp-server';
const server = new SecureMCPServer({
port: 3000,
auth: {
jwt: { secret: process.env.JWT_SECRET },
apiKeys: true
}
});
await server.start();
Using Client SDK
import { SecureMCPClient } from '@perfecxion/secure-mcp-client';
const client = new SecureMCPClient({
serverUrl: 'https://mcp.example.com',
apiKey: 'your-api-key'
});
await client.connect();
const tools = await client.listTools();
Local Development
- Clone the repository
git clone https://github.com/perfecxion-ai/secure-mcp.git
cd secure-mcp
- Install dependencies
npm install
- Configure environment
cp .env.example .env
# Edit .env with your configuration
- Start dependencies
docker-compose up -d postgres redis vault
- Initialize database
npm run db:migrate
npm run db:generate
- Initialize Vault
npm run vault:init
- Start the server
npm run dev
The server will be available at:
- WebSocket:
ws://localhost:3000 - HTTP API:
http://localhost:3000/api - Health Check:
http://localhost:3000/health - Metrics:
http://localhost:3000/metrics
Docker Deployment
# Build the image
npm run docker:build
# Run with docker-compose
npm run docker:run
Kubernetes Deployment
# Deploy to development environment
npm run k8s:deploy
# Deploy to production (requires kubectl context)
kubectl apply -k kubernetes/overlays/production
Architecture Overview
graph TB
subgraph "Client Layer"
C1[MCP Client]
C2[Web Client]
C3[Mobile App]
end
subgraph "Gateway Layer"
LB[Load Balancer]
WAF[Web Application Firewall]
end
subgraph "Application Layer"
API[API Server]
WS[WebSocket Server]
AUTH[Auth Service]
end
subgraph "Data Layer"
PG[(PostgreSQL)]
REDIS[(Redis Cache)]
VAULT[(HashiCorp Vault)]
end
subgraph "Monitoring"
PROM[Prometheus]
GRAF[Grafana]
LOG[ELK Stack]
end
C1 & C2 & C3 --> LB
LB --> WAF
WAF --> API & WS
API & WS --> AUTH
API --> PG & REDIS
AUTH --> VAULT
API & WS --> PROM
PROM --> GRAF
API & WS --> LOG
Project Structure
secure-mcp-server/
├── src/ # Source code
│ ├── auth/ # Authentication & authorization
│ ├── config/ # Configuration management
│ ├── database/ # Database models & migrations
│ ├── monitoring/ # Metrics & health checks
│ ├── security/ # Security middleware & utilities
│ ├── server/ # WebSocket & HTTP servers
│ ├── tools/ # MCP tool implementations
│ └── utils/ # Utility functions
├── tests/ # Test suites
│ ├── unit/ # Unit tests
│ ├── integration/ # Integration tests
│ ├── security/ # Security tests
│ └── performance/ # Performance tests
├── docker/ # Docker configurations
├── kubernetes/ # Kubernetes manifests
│ ├── base/ # Base configurations
│ └── overlays/ # Environment-specific overlays
├── scripts/ # Deployment & utility scripts
├── docs/ # Documentation
└── monitoring/ # Monitoring configurations
Configuration
The server uses a hierarchical configuration system with environment-specific overrides:
- Base Configuration -
src/config/default.ts - Environment Variables -
.envfile - Secrets Management - HashiCorp Vault
- Runtime Configuration - Kubernetes ConfigMaps
Key Configuration Options
{
server: {
port: 3000,
host: "0.0.0.0",
corsOrigins: ["http://localhost:*"],
maxRequestSize: "10mb",
timeout: 30000
},
auth: {
jwtSecret: process.env.JWT_SECRET,
jwtExpiry: "1h",
refreshExpiry: "7d",
mfaRequired: true,
sessionTimeout: 3600000
},
database: {
url: process.env.DATABASE_URL,
maxConnections: 20,
ssl: { rejectUnauthorized: true }
},
redis: {
host: process.env.REDIS_HOST,
port: 6379,
password: process.env.REDIS_PASSWORD,
tls: true
},
security: {
rateLimit: {
windowMs: 60000,
maxRequests: 100
},
helmet: {
contentSecurityPolicy: true,
hsts: { maxAge: 31536000 }
}
}
}
API Documentation
Authentication Endpoints
POST /api/auth/register
Register a new user account.
curl -X POST http://localhost:3000/api/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "SecureP@ssw0rd!",
"name": "John Doe"
}'
POST /api/auth/login
Authenticate and receive JWT tokens.
curl -X POST http://localhost:3000/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "SecureP@ssw0rd!"
}'
POST /api/auth/refresh
Refresh access token using refresh token.
curl -X POST http://localhost:3000/api/auth/refresh \
-H "Authorization: Bearer <refresh_token>"
WebSocket Connection
const WebSocket = require('ws');
const ws = new WebSocket('ws://localhost:3000', {
headers: {
'Authorization': 'Bearer <access_token>'
}
});
ws.on('open', () => {
// Send MCP request
ws.send(JSON.stringify({
jsonrpc: '2.0',
method: 'tools/list',
id: 1
}));
});
ws.on('message', (data) => {
console.log('Received:', JSON.parse(data));
});
Testing
Run All Tests
npm test
Test Categories
npm run test:unit # Unit tests
npm run test:integration # Integration tests
npm run test:security # Security tests
npm run test:performance # Performance tests
npm run test:coverage # Coverage report
Load Testing
npm run load-test # Artillery load test
npm run stress-test # Artillery stress test
npm run benchmark # Autocannon benchmark
Monitoring
The server exposes comprehensive metrics and health endpoints:
- Metrics:
http://localhost:3000/metrics(Prometheus format) - Health:
http://localhost:3000/health - Ready:
http://localhost:3000/ready
Grafana Dashboards
Access pre-configured dashboards:
npm run monitor:start
# Open http://localhost:3001 (admin/admin)
Available dashboards:
- System Overview
- API Performance
- WebSocket Connections
- Database Performance
- Security Events
- Error Tracking
Security
Security Features
-
Authentication & Authorization
- JWT-based authentication with refresh tokens
- Multi-factor authentication (TOTP/SMS)
- SAML 2.0 SSO integration
- Session management with Redis
-
Data Protection
- TLS 1.3 encryption in transit
- AES-256-GCM encryption at rest
- Certificate pinning for critical endpoints
- Secure key rotation
-
Access Control
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- API key management
- IP whitelisting
-
Security Monitoring
- Real-time threat detection
- Audit logging
- Anomaly detection
- Security event correlation
Security Best Practices
- Regular dependency updates via Dependabot
- Security scanning with Snyk
- Penetration testing suite included
- OWASP Top 10 compliance
- SOC 2 Type II ready
- ISO 27001 compliant
Performance
Benchmarks
| Metric | Value | Conditions |
|---|---|---|
| Requests/sec | 10,000+ | Single instance, 4 vCPU |
| WebSocket Connections | 50,000+ | Single instance, 8GB RAM |
| P95 Latency | <50ms | Normal load |
| P99 Latency | <100ms | Normal load |
| Throughput | 1GB/s | Data transfer |
Optimization Features
- Connection pooling
- Redis caching layer
- Database query optimization
- Lazy loading
- Request batching
- Response compression
Contributing
Please read our Developer Guide for details on our code of conduct and the process for submitting pull requests.
Development Workflow
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Code Standards
- TypeScript strict mode
- ESLint configuration
- Prettier formatting
- 95% test coverage requirement
- Security review required for auth changes
Support
- Documentation: Full Documentation
- Issues: GitHub Issues
- Security: security@enterprise.com
- Enterprise Support: support@enterprise.com
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Acknowledgments
- Model Context Protocol specification by Anthropic
- Open source community contributors
- Security researchers and pen testers
- Enterprise customers for feedback and requirements
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.