Twelve concrete controls — tool allowlists, output sanitisation, signed manifests, rate limiting, audit logs, secret scoping — mapped to the live 2026 attack families: RCE in the Anthropic SDK, marketplace poisoning, zero-click in IDEs. Treat every connector like a third-party SaaS integration.

MCP — the Model Context Protocol — became a real attack surface in April 2026 when a remote-code-execution flaw was disclosed in Anthropic's official SDKs (Python, TypeScript, Java, Rust) affecting around 7,000 publicly exposed servers. The protocol is open, the SDKs are widely used, and most production deployments were running with the defaults. Defaults are the problem.

What follows is the 12-point checklist we walk teams through before any MCP server connects to production data or production AI. None of it is novel — it is the same hardening you would do for any third-party integration, applied to a class of integration that most teams treated as an internal tool.

The 12 controls

  1. Allowlist your tools. Default to deny. Every tool the server exposes is a potential injection vector. Enumerate exactly which ones the model can call.
  2. Sanitise outputs. The model cannot tell a tool result from a prompt injection embedded in the result. If the tool returns user-supplied text, sanitise before returning.
  3. Verify signed manifests. When you install a connector, check the manifest signature. Marketplace poisoning is a real attack — 9 of 11 MCP registries were demonstrated vulnerable in 2026.
  4. Rate-limit per session. Cap the calls/minute and tokens/minute per session. Without this, a stuck loop can run up six-figure bills in a day.
  5. Audit log every call. Tool name, arguments, result, session, user. If you do not have this log when something goes wrong, you cannot tell what happened.
  6. Scope secrets to the call. Each tool gets the minimum credential to do its job. Never expose your master API key to a tool that only needs read access.
  7. Set resource quotas. CPU, memory, and runtime caps per call. Malicious or buggy tools can hang or blow up; the harness should not.
  8. HTTP-only auth, no query params. Authentication tokens belong in headers. Never accept credentials in URL query strings — they leak to logs, referers, and proxies.
  9. Lock down network egress. The MCP server should only be able to reach the destinations it legitimately needs. SSRF via tool input has been demonstrated.
  10. Pin your dependencies. The April 2026 RCE was a supply-chain class. Pin the SDK version; review every upgrade.
  11. Guard model sampling. If your tool can recursively call the model, set hard recursion caps. Agent loops are where the autonomy bills get scary.
  12. Monitor your supply chain. Watch for advisories on the SDKs and registries you depend on. Anthropic shipped a critical SDK update in April 2026 that some teams discovered weeks later.
Treat every MCP connector like a third-party SaaS integration with full procurement review. Because that is what it is.

Anthropic's position

In April 2026 Anthropic declined to modify the protocol in response to several disclosed vulnerabilities, calling the affected behaviour "expected." Teams running MCP at scale need to take that statement seriously: the protocol layer is not going to defend you. Defence sits in your harness, your sandbox, and your supply chain discipline.

Where to start

If you have one MCP server in production, walk the checklist this week. If you have several, prioritise by which ones touch sensitive data and which run elevated permissions. The work is not exciting and will probably never have a victory lap. The teams that did it before April 2026 were also not the teams paged at 3am that month.

Or skip ahead and talk through it directly