Security: quotentiroler/mcp-generator-3.x

Security Policy

Supported Versions

Version Supported Status
3.1.x Active

Reporting a Vulnerability

We take the security of MCP Generator 3.x seriously. If you discover a security vulnerability, please follow these steps:

1. Do NOT Open a Public Issue

Please do not report security vulnerabilities through public GitHub issues.

2. Report Privately

Send an email to: max.nussbaumer@maxhealth.tech

Include the following information:

  • Type of vulnerability
  • Full paths of affected source files
  • Location of the affected code (tag/branch/commit/URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue (what an attacker could do)

3. What to Expect

  • Acknowledgment: You'll receive a response within 48 hours
  • Updates: We'll keep you informed about our progress
  • Timeline: We aim to release fixes within 7-14 days for critical issues
  • Credit: If you wish, we'll credit you in the security advisory

Security Considerations

Generated Code

The MCP servers generated by this tool:

  • Token Handling: Tokens are passed to backend APIs for validation
  • JWT Validation: Optional JWT validation can be enabled for HTTP mode
  • No Token Storage: Tokens are never persisted to disk
  • Session Management: HTTP sessions are memory-only by default

Authentication

  • STDIO Mode: Uses the API_TOKEN environment variable
  • HTTP Mode: Supports Bearer token authentication
  • JWT Validation: JWKS-based public key verification
  • Scope Enforcement: Optional scope checking middleware

Best Practices

When using generated servers:

  1. Always use HTTPS in production for HTTP transport
  2. Validate tokens at your backend API
  3. Use environment variables for sensitive data (never hardcode)
  4. Enable JWT validation (--validate-tokens) for HTTP mode in production
  5. Keep dependencies updated regularly
  6. Review generated code before deploying to production
  7. Use strong secrets for JWT signing
  8. Implement rate limiting at the infrastructure level
  9. Monitor logs for suspicious activity
  10. Follow the principle of least privilege for API tokens

Known Limitations

  • Generated servers pass tokens to backend APIs without local validation by default (unless --validate-tokens is enabled)
  • STDIO mode assumes the local client (e.g., Claude Desktop) is trusted
  • Event store for SSE is in-memory only (not suitable for multi-instance deployments without an external store)

Security Updates

Security updates will be:

  • Released as patch versions (3.1.X)
  • Documented in CHANGELOG.md
  • Announced via GitHub Security Advisories
  • Tagged with security labels in release notes

Scope

This security policy applies to:

  • ✅ The MCP Generator tool itself (mcp_generator/ package)
  • ✅ Generated authentication middleware
  • ✅ Generated server code patterns
  • ❌ Third-party dependencies (report to their respective projects)
  • ❌ Your custom OpenAPI specifications
  • ❌ Your backend API implementations

Disclosure Policy

  • We follow coordinated disclosure
  • We'll work with you to understand and fix the issue
  • We'll publicly disclose after a fix is available
  • We'll credit researchers who report responsibly

Security Checklist for Generated Servers

When deploying generated MCP servers:

  • Use HTTPS for HTTP transport
  • Enable --validate-tokens for production HTTP mode
  • Set strong, random API_TOKEN values
  • Never commit tokens or secrets to version control
  • Use proper JWKS endpoints for JWT validation
  • Implement proper logging and monitoring
  • Keep all dependencies updated
  • Review and test authentication flows
  • Implement rate limiting
  • Use proper CORS configuration for HTTP mode
  • Regularly rotate tokens and secrets

Additional Resources

Contact

For security issues: max.nussbaumer@maxhealth.tech

For general support: GitHub Issues


Thank you for helping keep MCP Generator 3.x and its users safe!

There aren't any published security advisories