MCP07 — Authentication / Transport
Summary
HTTP transports (StreamableHTTPServerTransport / express / fastify) exposed without bearer-token or auth middleware.
Detection
AST pattern match on HTTP transport instantiation; reports High when neither an Authorization header check nor an auth middleware is registered on the same server. stdio-only servers are exempt.
Bad example
// BAD — HTTP transport with no auth: anyone who can reach port 3000 can drive the server
const transport = new StreamableHTTPServerTransport({ port: 3000 });
server.connect(transport);
Good example
// GOOD — bearer token enforced on every request before the transport sees it
const expectedToken = process.env.MCP_TOKEN;
if (!expectedToken) {
  // fail closed: with no configured token, "Bearer undefined" must never be accepted
  throw new Error("MCP_TOKEN is not set");
}
app.use((req, res, next) => {
  if (req.headers.authorization !== `Bearer ${expectedToken}`) {
    return res.status(401).end();
  }
  next();
});
Fix
Require a bearer token (or mTLS) on every HTTP transport. Prefer stdio for local-only servers.