DEV Community: Vikrant Kumar The latest articles on DEV Community by Vikrant Kumar (@vikrantwiz02). https://dev.to/vikrantwiz02 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3918163%2Fa6d03407-a3e9-487b-b6bf-895d08472fe6.png DEV Community: Vikrant Kumar https://dev.to/vikrantwiz02 en Why an MCP Security Library Beats a Security Proxy Vikrant Kumar Thu, 07 May 2026 14:18:35 +0000 https://dev.to/vikrantwiz02/why-an-mcp-security-library-beats-a-security-proxy-11o2 https://dev.to/vikrantwiz02/why-an-mcp-security-library-beats-a-security-proxy-11o2 <h2> The Problem Nobody Talks About </h2> <p>AI agents are getting powerful fast. With the Model Context Protocol (MCP), a single agent can read your files, call external APIs, execute shell commands, and query databases — all in one conversation.</p> <p>That power is exactly why security matters. But when you look at how most developers are trying to secure MCP today, there's a pattern worth questioning.</p> <h2> The Proxy Approach (and Its Hidden Cost) </h2> <p>Most MCP security tools today work as a <strong>proxy</strong> — a separate process that sits between your AI model and your MCP server, intercepting every request.</p> <p>It sounds clean on paper. In practice, it means:</p> <ul> <li> <strong>Extra infrastructure to deploy and keep running</strong> — one more service to monitor, restart, and update</li> <li> <strong>Network latency on every single tool call</strong> — every request makes an extra hop before it executes</li> <li> <strong>Another failure point</strong> — if the proxy goes down, your entire tool execution goes down with it</li> <li> <strong>A different language</strong> — most proxy-based tools are written in Python, so TypeScript/Node.js developers are working across a language boundary they didn't ask for</li> </ul> <p>The proxy approach made sense when MCP was new and people were experimenting. But for production systems, embedding security directly in your server code is a better architecture.</p> <h2> The Library Approach </h2> <p>That's the philosophy behind <strong>mcp-warden</strong> — a TypeScript library that adds a security middleware chain directly inside your existing MCP server. No separate process. No deployment complexity. No network overhead.</p> <p>You import it, wrap your handler, and your server has a full security layer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">McpGuardian</span><span class="p">,</span> <span class="nx">PolicyBuilder</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">mcp-warden</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyBuilder</span><span class="p">()</span> <span class="p">.</span><span class="nf">allow</span><span class="p">(</span><span class="dl">"</span><span class="s2">read_file</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">allow</span><span class="p">(</span><span class="sr">/^search_/</span><span class="p">)</span> <span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="dl">"</span><span class="s2">/etc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">readOnly</span><span class="p">(</span><span class="dl">"</span><span class="s2">/home</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">rateLimit</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">guardian</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpGuardian</span><span class="p">(</span><span class="nx">policy</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">guardedHandler</span> <span class="o">=</span> <span class="nx">guardian</span><span class="p">.</span><span class="nf">wrapHandler</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// your existing handler logic — unchanged</span> <span class="k">return</span> <span class="nx">yourMcpServer</span><span class="p">.</span><span class="nf">handle</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>That's it. Every tool call now passes through a full security pipeline before your handler touches it.</p> <h2> What the Pipeline Actually Does </h2> <p>When a request arrives, mcp-warden runs it through 8 built-in checks in sequence. The first failure short-circuits — nothing downstream executes.</p> <p><strong>1. Tool authorization</strong> — is this tool on the allowlist? Supports exact names and regex patterns.</p> <p><strong>2. Input size limits</strong> — are the arguments within nesting depth and byte size limits? Oversized payloads are blocked before any parsing happens.</p> <p><strong>3. Argument schema validation</strong> — do the arguments match the declared shape for this tool? You define the schema per tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">.</span><span class="nf">argSchema</span><span class="p">(</span><span class="dl">"</span><span class="s2">create_file</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">object</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">content</span><span class="dl">"</span><span class="p">],</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="na">content</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="mi">65536</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>If the AI sends <code>create_file</code> with a missing <code>path</code>, it's blocked before execution.</p> <p><strong>4. Path enforcement</strong> — does this call touch a restricted filesystem path?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="dl">"</span><span class="s2">/etc</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// all access denied</span> <span class="p">.</span><span class="nf">readOnly</span><span class="p">(</span><span class="dl">"</span><span class="s2">/home</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// reads allowed, writes denied</span> </code></pre> </div> <p><strong>5. Approval gating</strong> — if <code>approvalRequired: true</code>, every tool call returns <code>REQUIRES_APPROVAL</code> until a human signs off.</p> <p><strong>6. Rate limiting</strong> — global sliding window plus optional per-tool overrides, implemented with an O(1) circular buffer.</p> <p><strong>7. Prompt injection scanning</strong> — scans all tool arguments for known injection phrases using word-boundary regex to avoid false positives.</p> <p><strong>8. Circuit breaker</strong> — if a tool keeps failing, its circuit opens automatically and stays open until cooldown expires. Idle circuits are evicted from memory to prevent leaks.</p> <h2> Observability Built In </h2> <p>After every request — allowed or blocked — the guardian emits a typed event:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">guardian</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">blocked</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">"</span><span class="s2">Tool call blocked</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">tool</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">toolName</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">reason</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">violationCode</span><span class="p">,</span> <span class="na">durationMs</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">durationMs</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">guardian</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">allowed</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="dl">"</span><span class="s2">tool.call</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">tool</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">toolName</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>No polling. No separate log parser. Security events flow directly into your existing observability stack.</p> <h2> PII Redaction on Outputs </h2> <p>Tool responses can contain sensitive data — emails, API keys, IP addresses, phone numbers. mcp-warden automatically strips them from every tool response before returning to the caller, in a single combined regex pass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Tool returns: "Contact alice@company.com, key: sk-ABCDEF12345678"</span> <span class="c1">// Guardian returns: "Contact [REDACTED], key: [REDACTED]"</span> </code></pre> </div> <p>Opt out if you need raw outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nc">McpGuardian</span><span class="p">(</span><span class="nx">policy</span><span class="p">,</span> <span class="p">{</span> <span class="na">redactToolOutputs</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> </code></pre> </div> <h2> Zero Runtime Dependencies </h2> <p>The entire library ships with zero runtime dependencies. No supply chain risk from third-party packages. The validator, rate limiter, circuit breaker, injection scanner, and PII redactor are all built from scratch in pure TypeScript.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>mcp-warden <span class="c"># installs nothing else</span> </code></pre> </div> <h2> CLI Tools for Config Auditing </h2> <p>If you work with <code>claude_desktop_config.json</code> or any MCP client config, the CLI can audit it for dangerous permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx mcp-warden audit ./claude_desktop_config.json </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">SAFE</span><span class="pi">:</span> <span class="s">filesystem-server</span> <span class="na">CRITICAL</span><span class="pi">:</span> <span class="s">code-runner</span> <span class="s">- Command-line flags indicate unrestricted filesystem access.</span> </code></pre> </div> <p>Watch mode re-audits automatically every time you save the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx mcp-warden audit <span class="nt">--watch</span> ./claude_desktop_config.json </code></pre> </div> <p>Validate a policy file before deploying it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx mcp-warden validate ./mcp-policy.json <span class="c"># SAFE: mcp-policy.json is a valid GuardianPolicy.</span> </code></pre> </div> <p>Generate a JSON Schema for IDE autocomplete:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx mcp-warden schema <span class="nt">--output</span> mcp-policy.schema.json </code></pre> </div> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>mcp-warden </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">McpGuardian</span><span class="p">,</span> <span class="nx">PolicyBuilder</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">mcp-warden</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyBuilder</span><span class="p">()</span> <span class="p">.</span><span class="nf">allow</span><span class="p">(</span><span class="dl">"</span><span class="s2">read_file</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="dl">"</span><span class="s2">/etc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">rateLimit</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">guardian</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpGuardian</span><span class="p">(</span><span class="nx">policy</span><span class="p">);</span> <span class="nx">guardian</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">blocked</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">reason</span><span class="p">));</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="nx">guardian</span><span class="p">.</span><span class="nf">wrapHandler</span><span class="p">(</span><span class="nx">yourExistingHandler</span><span class="p">);</span> </code></pre> </div> <p>Full docs and source: <a href="https://github.com/vikrantwiz02/mcp-warden" rel="noopener noreferrer">github.com/vikrantwiz02/mcp-warden</a><br> npm: <a href="https://www.npmjs.com/package/mcp-warden" rel="noopener noreferrer">npmjs.com/package/mcp-warden</a></p> <p><em>If you're building MCP servers in TypeScript and care about what your AI is actually allowed to do — I'd love your feedback.</em></p> ai architecture mcp security