Our Security Commitment

As a security company, we hold ourselves to the highest standards. We believe you can't protect others if you can't protect yourself. Here's how we secure MCPShield.

Infrastructure Security

Encryption

All data is encrypted in transit via TLS 1.3 (Caddy with automatic Let's Encrypt certificates).

Network Security

Firewalls, DDoS protection, and network segmentation.

24/7 Monitoring

Continuous monitoring for threats and anomalies.

Application Security

  • Authentication: Short-lived JWTs in httpOnly SameSite=Lax cookies, bcrypt password hashing, double-submit CSRF protection, server-side token revocation on logout
  • API Keys: Cryptographically random, securely hashed storage
  • Rate Limiting: Protection against brute force and abuse
  • Input Validation: Strict validation on all inputs
  • SQL Injection: Parameterized queries through ORM
  • XSS Protection: React's built-in escaping and output encoding
  • CSRF Protection: Token-based protection on all mutations

Agent Security

Our agent is designed with privacy and security as core principles:

  • No Credential Capture: We NEVER capture actual secret values—only environment variable names
  • Local Config Storage: API keys stored with appropriate file permissions
  • Minimal Permissions: Agent only reads config files, nothing else
  • Secure Communication: All API calls over HTTPS
  • Open Scanning: We're transparent about what paths are scanned

Data Protection

  • Multi-Tenancy: Complete data isolation between organizations
  • Minimal Data: We only collect what's necessary for the service
  • Data Retention: Configurable retention policies, default 90 days for logs
  • Backup: Daily Postgres snapshots; self-hosters should configure their own backup strategy
  • Deletion: Complete data deletion upon account termination

Compliance

  • SOC2 Type II: Planned — not yet certified
  • GDPR: We collect minimal data and offer Data Processing Agreements on request. A full GDPR compliance audit is on the roadmap.
  • DPA: Data Processing Agreements available on request for paid plans

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

Email: security@mcpshield.app

We commit to:

  • Acknowledge receipt within 24 hours
  • Provide regular updates on remediation progress
  • Not pursue legal action against good-faith reporters
  • Credit researchers who wish to be acknowledged

Security Updates

Our current security practices:

  • Automated dependency vulnerability scanning via GitHub Dependabot
  • Dependency updates and patching on each release
  • Security-focused code reviews on all pull requests
  • Penetration testing: planned for v1.0

Contact

For security concerns or questions: