
URL: https://dev.to/0x711/secure-your-mcp-servers-in-10-seconds-1b6h

Secure your MCP servers in 10 seconds - DEV Community

You have MCP servers running. Claude Desktop, Cursor, VS Code, maybe a custom one. Every tool call your agent makes goes straight to the server. No scanning, no access control, no logs.

Here is how to put a security layer in front of all of them.

Install

# Go
go install github.com/oktsec/oktsec/cmd/oktsec@v0.12.0

# or Homebrew
brew install oktsec/tap/oktsec

Run

oktsec run

That is it. One command. Here is what happens:

  1. Scans your machine for MCP clients (Claude Desktop, Cursor, VS Code, Windsurf, Cline, and 12 more)
  2. Finds every MCP server configured in each client
  3. Generates a security config with observe-mode defaults
  4. Creates Ed25519 keypairs for identity verification
  5. Wraps each MCP server through the oktsec proxy
  6. Starts scanning with a real-time dashboard

No config file to write. No YAML to edit. No manual setup.

What you see

A TUI shows events in real time. Every tool call your agent makes passes through 230 detection rules before execution:

oktsec v0.12.0 | observe mode | 3 agents | 230 rules

EVENTS
12:04:01 claude-desktop Read /src/main.go clean 2ms
12:04:03 claude-desktop Bash npm install express clean 3ms
12:04:05 claude-desktop Write /src/config.yaml clean 2ms
12:04:08 claude-desktop Bash curl http://evil.com block 1ms TC-005

The dashboard at http://127.0.0.1:8080/dashboard shows the full picture: pipeline health, agent list, event timeline, rule matches, session inventory.

What it scans for

230 rules across 16 categories:

  • Prompt injection. Fake system tags, impersonated tokens, concealment instructions
  • Credential leaks. API keys, AWS secrets, GitHub tokens in tool arguments
  • Shell injection. Command chaining in Bash tool calls (; rm -rf /, | curl evil.com)
  • Data exfiltration. Base64-encoded content, suspicious outbound URLs
  • MCP attacks. Parameter injection, tool description manipulation
  • Supply chain. Malicious package installs, untrusted registries

When a rule matches, the verdict changes from clean to flag, quarantine, or block depending on severity. In observe mode nothing is blocked; matches are only logged. Switch to enforce mode when ready:

oktsec run --enforce
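To make the verdict ladder concrete, here is a small deterministic rule engine in the same spirit as the categories above. This is added example code, not oktsec's rule format or implementation: the rule IDs (EX-SHELL-001 and friends), the regexes, the severity each one raises, and the choice that enforce mode stops only block verdicts are all this example's assumptions. The sample tool calls are constructed, modelled on the event lines shown earlier.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict follows the escalation the post describes: clean -> flag -> quarantine -> block.
type Verdict int

const (
	Clean Verdict = iota
	Flag
	Quarantine
	Block
)

func (v Verdict) String() string {
	return [...]string{"clean", "flag", "quarantine", "block"}[v]
}

// Rule is a hypothetical deterministic rule: a regex over a tool call's
// arguments plus the severity it raises. Tool == "" matches any tool.
// The IDs and patterns are made up for this example.
type Rule struct {
	ID       string
	Tool     string
	Pattern  *regexp.Regexp
	Severity Verdict
}

var rules = []Rule{
	// Shell injection: command chaining followed by a destructive or network command.
	{"EX-SHELL-001", "Bash", regexp.MustCompile(`(;|&&|\|\|?)\s*(rm\s+-rf|curl|wget)\b`), Block},
	// Credential leak: an AWS access key id shape anywhere in the arguments.
	{"EX-CRED-001", "", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), Quarantine},
	// Data exfiltration: a long base64-looking run in the arguments.
	{"EX-EXFIL-001", "", regexp.MustCompile(`[A-Za-z0-9+/]{40,}={0,2}`), Flag},
}

// ToolCall is the part of an MCP tools/call request the rules inspect.
type ToolCall struct {
	Agent string
	Tool  string
	Args  string
}

// Match records one rule hit.
type Match struct {
	RuleID   string
	Severity Verdict
}

// Scan runs every rule over the call and returns the worst severity plus all hits.
func Scan(c ToolCall) (Verdict, []Match) {
	worst := Clean
	var hits []Match
	for _, r := range rules {
		if r.Tool != "" && r.Tool != c.Tool {
			continue
		}
		if r.Pattern.MatchString(c.Args) {
			hits = append(hits, Match{r.ID, r.Severity})
			if r.Severity > worst {
				worst = r.Severity
			}
		}
	}
	return worst, hits
}

// Decide applies the mode. Observe mode lets everything through and only logs;
// enforce mode stops calls whose verdict reached block (example's own choice
// for how quarantine is handled).
func Decide(v Verdict, enforce bool) bool {
	if !enforce {
		return true
	}
	return v < Block
}

func main() {
	// Constructed sample calls, modelled on the event lines in the post.
	calls := []ToolCall{
		{"claude-desktop", "Read", "/src/main.go"},
		{"claude-desktop", "Bash", "npm install express"},
		{"claude-desktop", "Bash", "npm install express; curl http://evil.com"},
		{"claude-desktop", "Write", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
		{"claude-desktop", "Write", strings.Repeat("QUJD", 12)},
	}
	for _, enforce := range []bool{false, true} {
		fmt.Printf("--- enforce=%v\n", enforce)
		for _, c := range calls {
			v, hits := Scan(c)
			fmt.Printf("%-14s %-6s %-10s allowed=%v hits=%v\n", c.Agent, c.Tool, v, Decide(v, enforce), hits)
		}
	}
}
```

Two things worth noticing: the worst severity wins when several rules fire, and the same scan result yields different decisions depending on mode, which is exactly what makes observe mode a safe first step before switching on enforce.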

Per-agent tool policies

If you run multiple agents or MCP servers, you can control what each agent is allowed to do. Edit ~/.oktsec/config.yaml:

agents:
  coding-agent:
    allowed_tools:
      - Read
      - Write
      - Bash
    tool_policies:
      Bash:
        rate_limit: 10/min
        egress:
          allowed_domains:
            - github.com
            - npmjs.com

  research-agent:
    allowed_tools:
      - Read
      - WebSearch
    # No Bash, no Write, no file system access

If coding-agent tries to call WebSearch or research-agent tries to call Bash, oktsec blocks it.
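Here is what an evaluator for that config has to do, as an added example in Go (the language oktsec is written in). It is not oktsec's own policy code: the struct shape, the sliding one-minute window for rate_limit, the order of checks, and the assumption that the caller has already extracted any outbound URLs from a Bash call are all this example's. The policies mirror the two agents above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AgentPolicy mirrors the per-agent section of the config above.
type AgentPolicy struct {
	AllowedTools   []string
	RateLimit      map[string]int      // tool -> max calls per minute
	AllowedDomains map[string][]string // tool -> egress allow-list
}

// SamplePolicies reproduces the two agents from the config.yaml snippet.
func SamplePolicies() map[string]AgentPolicy {
	return map[string]AgentPolicy{
		"coding-agent": {
			AllowedTools:   []string{"Read", "Write", "Bash"},
			RateLimit:      map[string]int{"Bash": 10},
			AllowedDomains: map[string][]string{"Bash": {"github.com", "npmjs.com"}},
		},
		"research-agent": {
			AllowedTools: []string{"Read", "WebSearch"},
		},
	}
}

// Evaluator holds the policies plus the per-agent/tool call history used for
// rate limiting. The clock is injected so the window can be tested.
type Evaluator struct {
	policies map[string]AgentPolicy
	now      func() time.Time
	calls    map[string][]time.Time
}

func NewEvaluator(p map[string]AgentPolicy, now func() time.Time) *Evaluator {
	return &Evaluator{policies: p, now: now, calls: map[string][]time.Time{}}
}

// Check decides whether agent may call tool. egressURLs are the outbound URLs
// the caller found in the tool arguments (assumed extracted elsewhere).
// Stateless checks run first so that a denied call does not consume rate budget.
func (e *Evaluator) Check(agent, tool string, egressURLs []string) (reason string, ok bool) {
	p, found := e.policies[agent]
	if !found {
		return "unknown agent " + agent, false
	}
	if !contains(p.AllowedTools, tool) {
		return fmt.Sprintf("tool %s not allowed for %s", tool, agent), false
	}
	if domains, has := p.AllowedDomains[tool]; has {
		for _, raw := range egressURLs {
			u, err := url.Parse(raw)
			if err != nil || u.Hostname() == "" {
				return "unparseable egress URL " + raw, false
			}
			if !hostAllowed(u.Hostname(), domains) {
				return "egress to " + u.Hostname() + " not allowed", false
			}
		}
	}
	if limit, has := p.RateLimit[tool]; has {
		key := agent + "/" + tool
		cutoff := e.now().Add(-time.Minute)
		kept := e.calls[key][:0] // drop timestamps older than the window
		for _, ts := range e.calls[key] {
			if ts.After(cutoff) {
				kept = append(kept, ts)
			}
		}
		if len(kept) >= limit {
			e.calls[key] = kept
			return fmt.Sprintf("rate limit %d/min exceeded for %s", limit, key), false
		}
		e.calls[key] = append(kept, e.now())
	}
	return "", true
}

// hostAllowed accepts the exact domain or any subdomain of it. A plain
// substring test would wrongly accept a look-alike such as github.com.example.net,
// so the comparison is made on label boundaries.
func hostAllowed(host string, allowed []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range allowed {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	e := NewEvaluator(SamplePolicies(), time.Now)
	for _, c := range []struct{ agent, tool, u string }{
		{"coding-agent", "Bash", "https://api.github.com/repos"},
		{"coding-agent", "Bash", "https://github.com.example.net/"},
		{"coding-agent", "WebSearch", ""},
		{"research-agent", "Bash", ""},
	} {
		var urls []string
		if c.u != "" {
			urls = []string{c.u}
		}
		reason, ok := e.Check(c.agent, c.tool, urls)
		fmt.Printf("%-15s %-10s allowed=%-5v %s\n", c.agent, c.tool, ok, reason)
	}
}
```

The egress check is the part most often done wrong: match on the host's label boundary, never with a substring test, or the allow-list becomes trivially bypassable by a host that merely contains the allowed name.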

MCP gateway mode

For more control, oktsec can front your MCP servers as a gateway:

gateway:
  enabled: true
  port: 8081
  backends:
    - name: filesystem
      transport: stdio
      command: npx
      args: ["-y", "@modelcontextprotocol/server-filesystem", "/workspace"]
    - name: github
      transport: http
      url: http://localhost:3000/mcp

The gateway adds per-tool spending limits, approval thresholds, and tool namespacing when backends have conflicting tool names.

Audit trail

Every event is logged in a SQLite database with a SHA-256 hash chain. Each entry is signed with the proxy's Ed25519 key. If anyone modifies a log entry, the chain breaks.

# Query the audit log
oktsec audit --limit 20

# Verify chain integrity
oktsec audit --verify

# Export as SARIF
oktsec audit --export sarif > report.sarif
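To see why an edited entry breaks the chain, here is a minimal hash-chained, Ed25519-signed log in Go, added as an example. It is not oktsec's schema or code: the post says only that the log uses a SHA-256 hash chain with entries signed by the proxy's Ed25519 key, so the field layout, the length-prefixed digest encoding, the all-zero genesis link, and the verification order are this example's assumptions. The events are constructed, modelled on the TUI lines above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record. PrevHash links it to the previous entry, Hash
// covers the record content plus PrevHash, and Sig is the proxy's Ed25519
// signature over Hash. (Example layout, not oktsec's.)
type Entry struct {
	Seq      uint64
	Agent    string
	Tool     string
	Verdict  string
	PrevHash [32]byte
	Hash     [32]byte
	Sig      []byte
}

// Log is the writer side: it holds the signing key and the chain.
type Log struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	entries []Entry
}

func NewLog() (*Log, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{priv: priv, pub: pub}, nil
}

// digest hashes the tamper-evident fields. Strings are length-prefixed so that
// moving bytes between fields cannot produce the same hash.
func digest(seq uint64, agent, tool, verdict string, prev [32]byte) [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n", seq)
	for _, f := range []string{agent, tool, verdict} {
		fmt.Fprintf(h, "%d:%s\n", len(f), f)
	}
	h.Write(prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append records an event, links it to the previous entry and signs it.
func (l *Log) Append(agent, tool, verdict string) Entry {
	var prev [32]byte // the genesis entry links to an all-zero hash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.entries)), Agent: agent, Tool: tool, Verdict: verdict, PrevHash: prev}
	e.Hash = digest(e.Seq, e.Agent, e.Tool, e.Verdict, e.PrevHash)
	e.Sig = ed25519.Sign(l.priv, e.Hash[:])
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy so callers (or a tampering test) cannot mutate the log.
func (l *Log) Entries() []Entry {
	out := make([]Entry, len(l.entries))
	copy(out, l.entries)
	return out
}

func (l *Log) PublicKey() ed25519.PublicKey { return l.pub }

// Verify walks the chain with only the public key, as an auditor would, and
// reports the first entry whose content, link or signature does not check out.
func Verify(pub ed25519.PublicKey, entries []Entry) error {
	var prev [32]byte
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence gap (seq %d)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: link to previous entry is broken", i)
		}
		if got := digest(e.Seq, e.Agent, e.Tool, e.Verdict, e.PrevHash); got != e.Hash {
			return fmt.Errorf("entry %d: content does not match its hash", i)
		}
		if !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	l, err := NewLog()
	if err != nil {
		panic(err)
	}
	// Constructed events, modelled on the TUI lines in the post.
	l.Append("claude-desktop", "Read", "clean")
	l.Append("claude-desktop", "Bash", "block")
	l.Append("claude-desktop", "Write", "clean")
	for _, e := range l.Entries() {
		fmt.Printf("%d %-14s %-5s %-5s %s...\n", e.Seq, e.Agent, e.Tool, e.Verdict, hex.EncodeToString(e.Hash[:8]))
	}
	es := l.Entries()
	fmt.Println("intact chain     :", Verify(l.PublicKey(), es))
	es[1].Verdict = "clean" // someone with write access downgrades the blocked event
	fmt.Println("edited verdict   :", Verify(l.PublicKey(), es))
	es[1].Hash = digest(es[1].Seq, es[1].Agent, es[1].Tool, es[1].Verdict, es[1].PrevHash)
	fmt.Println("re-hashed entry  :", Verify(l.PublicKey(), es))
}
```

The second tampering step is the reason the signature matters: a hash chain alone can be recomputed by anyone with write access to the database, but re-signing requires the proxy's private key. One limit to keep in mind with any scheme of this shape: removing entries from the end of the chain leaves a valid shorter chain, so detecting truncation requires anchoring the latest hash somewhere the writer cannot alter.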

Optional: LLM analysis layer

For attacks that pattern matching misses (fabricated compliance requirements, domain spoofing, out-of-scope actions hidden in workflows), enable the LLM analysis layer:

llm:
  enabled: true
  provider: claude
  model: claude-sonnet-4-6
  api_key_env: ANTHROPIC_API_KEY

It runs async after the deterministic scan. Never blocks. Analyzes flagged messages and suggests new rules.

What it does not do

  • It does not modify your MCP servers. The proxy is transparent.
  • It does not require cloud connectivity. Everything runs locally.
  • It does not need an LLM for core scanning. The 230 rules are deterministic.
  • It does not persist data outside your machine. SQLite file in ~/.oktsec/.

Numbers

  • 230 detection rules, 16 categories
  • 40ms average scan latency
  • 17 MCP clients auto-discovered
  • 844 tests, race detector on
  • Apache 2.0

Links