The Model Context Protocol (MCP) has rapidly become the standard for connecting AI applications to external tools and data sources. Often described as "USB-C for AI," MCP enables powerful workflows where AI agents can interact with databases, APIs, file systems, and more through natural language commands. However, this power comes with significant security responsibilities.
As organizations rush to integrate MCP into their AI workflows, they're discovering that the protocol introduces a new attack surface that requires careful consideration. In this post, we'll explore the most pressing MCP security challenges and demonstrate how Nexus, the open-source AI router, provides enterprise-grade security controls to mitigate these risks.
Before diving into solutions, let's examine the key security challenges that emerge when implementing MCP:
MCP servers often run with broad permissions to access the resources they connect to. Without proper scoping, a compromised or malicious server could access data far beyond its intended purpose. This becomes particularly dangerous when servers have direct access to production databases, internal APIs, or sensitive file systems.
The principle of least privilege is often overlooked in early MCP implementations, where developers prioritize functionality over security boundaries. A server designed to read documentation might inadvertently have permissions to modify production data.
One of the most insidious threats facing MCP implementations is indirect prompt injection. Attackers can embed malicious instructions within data sources that the AI reads—such as emails, documents, or API responses. When the AI processes this content, it may interpret hidden commands that trigger unauthorized actions through MCP tools.
Tool poisoning takes this further by manipulating tool descriptions themselves. Since these descriptions are passed to the AI model to help it understand available capabilities, malicious instructions embedded in tool metadata can influence the AI's behavior without the user's knowledge.
Many MCP implementations struggle with proper authentication and authorization. Common anti-patterns include:
- Token passthrough: Accepting tokens without validating they were issued for the MCP server specifically
- Static credentials: Using the same credentials across all users or clients
- Missing token validation: Failing to verify token audience, scope, or expiration
- Insufficient access controls: Not implementing user-level or group-level permission boundaries
These weaknesses can lead to confused deputy attacks, where the MCP server acts on behalf of unauthorized parties or performs actions beyond its intended scope.
STDIO-based MCP servers that execute local commands are particularly vulnerable to command injection attacks. If user input flows directly into shell commands without proper sanitization, attackers can execute arbitrary code on the host system.
Similarly, servers that construct database queries, file paths, or API calls from untrusted input risk SQL injection, path traversal, and other classic injection vulnerabilities—now weaponized through AI-driven interfaces.
As developers build on MCP, they increasingly rely on third-party servers and libraries. Without proper vetting, these dependencies can introduce vulnerabilities, backdoors, or malicious code. The distributed nature of MCP ecosystems makes it difficult to maintain visibility into what code is actually running and what data it can access.
AI agents operating autonomously can trigger tool invocations at scale. Without rate limiting, a poorly designed prompt or a malicious injection attack could cause an AI to spam APIs, read thousands of files per second, or execute expensive operations repeatedly—leading to service degradation, cost overruns, or data exfiltration.
Over time, organizations connect MCP servers to more and more internal systems, creating an undocumented mesh of access paths. This "shadow access" makes it nearly impossible to understand your true security posture or maintain compliance with data governance policies.
Nexus was designed from the ground up to provide a secure, centralized control plane for MCP implementations. By acting as an intelligent proxy layer between AI applications and MCP servers, Nexus addresses the security challenges outlined above through several key mechanisms:
Rather than managing authentication separately for each MCP server, Nexus provides centralized authentication that works across your entire MCP ecosystem:
[server.oauth]
url = "https://your-auth-provider.com/.well-known/jwks.json"
expected_issuer = "https://auth.yourcompany.com"
expected_audience = "nexus-production"
[server.oauth.protected_resource]
resource = "https://nexus.example.com"
authorization_servers = ["https://your-auth-provider.com"]Nexus supports OAuth2 with JWT validation, ensuring that every request is authenticated and authorized before reaching any MCP server. This eliminates token passthrough vulnerabilities and provides a consistent security boundary.
Nexus tracks individual users and implements group-based access controls, enabling you to enforce different policies for different user tiers:
[server.client_identification]
enabled = true
client_id.jwt_claim = "sub"
group_id.jwt_claim = "plan"
# Free tier users get limited access
[mcp.servers.database.rate_limits.per_user.groups.free]
limit = 100
interval = "3600s"
# Enterprise users get higher limits
[mcp.servers.database.rate_limits.per_user.groups.enterprise]
limit = 10000
interval = "3600s"This granular control ensures that access to sensitive tools can be restricted based on user identity and organizational policies, preventing privilege escalation and ensuring compliance with data governance requirements.
Nexus implements multi-level rate limiting to prevent resource exhaustion and abuse:
- Global rate limits across all requests
- Per-server rate limits to protect individual backends
- Per-user rate limits to prevent individual abuse
- Per-tool rate limits for fine-grained control over specific operations
- Group-based limits for tiered access models
[mcp.servers.github]
url = "https://api.github.com/mcp"
# Global rate limit for this server
[mcp.servers.github.rate_limits]
limit = 1000
interval = "3600s"
# Tool-specific limits
[mcp.servers.github.rate_limits.tools]
search_code = { limit = 30, interval = "60s" }
create_issue = { limit = 10, interval = "60s" }These controls prevent runaway AI agents from overwhelming your infrastructure or generating excessive costs through repeated tool invocations.
Nexus eliminates hardcoded credentials and implements secure environment variable interpolation:
[mcp.servers.database]
cmd = ["psql-mcp"]
env = {
PGHOST = "{{ env.DB_HOST }}",
PGUSER = "{{ env.DB_USER }}",
PGPASSWORD = "{{ env.DB_PASSWORD }}"
}Credentials are never stored in configuration files and are injected at runtime from secure environment variables or secrets management systems. This reduces the risk of credential leakage through configuration files checked into version control.
For scenarios where MCP servers need to act on behalf of users with external APIs, Nexus supports OAuth2 token forwarding while enforcing proper validation:
[mcp.servers.internal]
url = "https://internal.company.com/mcp"
[mcp.servers.internal.auth]
type = "forward" # Forward user's OAuth2 tokenUnlike naive token passthrough, Nexus validates that tokens have the correct audience and scope before forwarding them, preventing confused deputy attacks.
Nexus enforces encrypted connections for production deployments:
[server.tls]
certificate = "/etc/nexus/cert.pem"
key = "/etc/nexus/key.pem"
[mcp.servers.api.tls]
verify_certs = true
ca_bundle = "/etc/nexus/ca-bundle.crt"This ensures that all communication between clients, Nexus, and MCP servers is encrypted, preventing man-in-the-middle attacks and credential interception.
Nexus implements connection caching to reduce latency while maintaining security:
[mcp.downstream_cache]
max_size = 1000
idle_timeout = "10m"Cached connections are scoped per-user and per-server, ensuring that cached state cannot leak between users while still providing performance benefits.
One of the most powerful security features Nexus provides is observability through OpenTelemetry integration:
[telemetry.exporters.otlp]
enabled = true
endpoint = "https://otlp.yourcompany.com:4317"
protocol = "grpc"This enables you to:
- Track every tool invocation back to the user who initiated it
- Detect anomalous patterns like unusual tool access or high-frequency requests
- Generate compliance reports showing who accessed what data and when
- Feed MCP activity into your SIEM for correlation with other security events
- Debug security incidents with full request traces
Visibility is the foundation of security. Without knowing what your MCP servers are doing, you cannot detect or respond to threats. Nexus makes every action observable and auditable.
Nexus aggregates multiple MCP servers while preventing tool name conflicts through automatic namespacing:
[mcp]
enabled = true
path = "/mcp"
[mcp.servers.github]
url = "https://api.github.com/mcp"
[mcp.servers.gitlab]
url = "https://gitlab.company.com/mcp"Tools are automatically namespaced (e.g., github__search_code and gitlab__search_code), preventing collisions and making it clear which server each tool belongs to. This reduces confusion and makes security policies easier to reason about.
To maximize security when deploying Nexus in production, follow these best practices:
Begin by granting the minimum permissions necessary for each MCP server. Nexus makes it easy to expand access later, but starting restrictive ensures you understand exactly what each server needs.
Use multiple security layers:
- OAuth2 authentication at the Nexus level
- Per-server authentication for sensitive backends
- Rate limiting at global, server, and tool levels
- TLS encryption for all connections
- Network segmentation and firewalls
Turn on OpenTelemetry integration from day one. Even if you're not actively monitoring, having logs and traces available when investigating an incident is invaluable.
[telemetry]
enabled = true
[telemetry.exporters.otlp]
endpoint = "https://otlp.yourcompany.com"Periodically review which MCP servers are connected, what permissions they have, and who can access them. Nexus's configuration-as-code approach makes this auditing straightforward.
Even with all technical controls in place, high-risk operations should require human approval. Configure your AI applications to prompt users before executing sensitive tool invocations like data deletion, financial transactions, or administrative actions.
Regularly update Nexus to benefit from security patches and new security features:
# Using the installation script
curl -fsSL https://nexusrouter.com/install | bash
# Or pull the latest Docker image
docker pull ghcr.io/grafbase/nexus:stableMaintain separate configurations for development, staging, and production:
# Development - permissive for faster iteration
nexus --config ./config/dev.toml
# Production - restrictive with full security
nexus --config ./config/prod.tomlDevelopment environments can have relaxed rate limits and authentication for easier testing, while production enforces strict controls.
The Model Context Protocol represents a fundamental shift in how AI applications interact with data and tools. As MCP adoption accelerates, organizations must prioritize security from the outset rather than treating it as an afterthought.
Nexus provides the security infrastructure necessary for enterprise MCP deployments, offering:
- Centralized authentication and authorization to eliminate token passthrough vulnerabilities
- Granular rate limiting to prevent resource exhaustion and abuse
- Observability to detect and respond to threats
- Secure credential management to prevent leakage
- TLS encryption to protect data in transit
- User tracking and tiered access to enforce organizational policies
By consolidating security controls into a single, well-designed proxy layer, Nexus allows you to secure your entire MCP ecosystem without modifying individual servers or AI applications.
Ready to secure your MCP infrastructure? Getting started with Nexus is straightforward:
# Install Nexus
curl -fsSL https://nexusrouter.com/install | bash
# Configure Nexus
cat > nexus.toml << EOF
[mcp.servers.github]
url = "https://api.github.com/mcp"
auth.token = "{{ env.GITHUB_TOKEN }}"
EOF
# Start Nexus
nexus --config nexus.tomlFor more detailed guidance, visit the Nexus documentation or explore the GitHub repository.
The future of AI applications lies in intelligent orchestration with robust security. Nexus provides the foundation to make that future both powerful and safe.