🔐 MCP Gateway v0.3.1 - 2025-01-11 Security, XSS protection and Data Validation (Pydantic, UI)

[crivetimihai]

🔐 MCP Gateway v0.3.1 – 2025-01-11

This security-focused release delivers comprehensive input validation, output escaping, and data sanitization to protect against XSS and injection attacks when handling data from untrusted MCP servers. It also includes UI improvements and code quality enhancements.

🔒 Security First: Defense in Depth

This release prioritizes defense in depth with multiple layers of security validation:

• Input Validation Framework – Comprehensive validation for all API endpoints
• Output Escaping – HTML-escaped display of user-controlled content in UI
• Data Sanitization – Protection against XSS injection from untrusted MCP servers
• Secure Defaults – Admin UI and API disabled by default (development-only features)
• Automated Security Pipeline – 24+ security tools including CodeQL, Bandit, Trivy, and OSV-Scanner

Important: The Admin UI is for development only and must never be exposed in production. It's designed for localhost-only access with trusted MCP servers. For production, disable it completely and use only the REST API with proper authentication.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM.

✨ Highlights

• 🛡️ Comprehensive Security Hardening – Input validation for all /admin and main API endpoints with configurable rules ([Security]: Add input validation for /admin endpoints #339, [Security]: Add input validation for main API endpoints (depends on #339 /admin API validation) #340)
• 🔒 XSS Protection – Enhanced output handling ensures all user-controlled content is properly HTML-escaped ([Security]: Implement output escaping for user data in UI #336)
• ✅ Zero Lint Status – Resolved all 312 code quality issues across the web stack ([Security]: Eliminate all lint issues in web stack #338)
• 🔧 Test Connectivity Tool – New debugging feature to validate gateway connections ([Feature Request]: Test MCP Server Connectivity Debugging Tool #181)
• 💾 Persistent UI State – Filters and view preferences now persist across page refreshes ([Feature Request]: Persistent Admin UI Filter State #177)
• 🎨 Revamped UI Components – Metrics and version tabs rewritten for consistency
• 🧪 UI-Disabled Mode Support – Fixed unit tests to handle configurations with UI disabled ([Bug] Fix Unit Tests to Handle UI-Disabled Mode #378)
• 🏷️ Semantic Versioning – Version endpoint now includes proper semantic version, not just git revision ([Bug]: Fix Version Endpoint to Include Semantic Version (Not Just Git Revision) #369)

🚨 Important Limitations

• Not Multi-Tenant Ready – Deploy as single-tenant component; implement user isolation, RBAC, and resource management in your application layer - many of the features to support true multi-tenancy and additional security policies and tools are coming slated for release 0.7.0 - 0.8.0
• Admin UI is Development-Only – Never expose in production; build your own production UI with appropriate security controls
• Beta Software – Validate all MCP servers before connecting; expect breaking changes between releases

🆕 Added

Security Enhancements

• Comprehensive Input Validation Framework ([Security]: Add input validation for /admin endpoints #339, [Security]: Add input validation for main API endpoints (depends on #339 /admin API validation) #340):

  • All /admin endpoints validated – tools, resources, prompts, gateways, and servers
  • All non-admin API endpoints validated for consistent data integrity
  • Configurable validation rules with sensible defaults:
    • Character restrictions: names ^[a-zA-Z0-9_\-\s]+$, tool names ^[a-zA-Z][a-zA-Z0-9_]*$
    • URL scheme validation: http://, https://, ws://, wss://
    • JSON nesting depth limits (default: 10 levels)
    • Field-specific length limits (names: 255, descriptions: 4KB, content: 1MB)
    • MIME type validation for resources
  • Clear error messages guide users to correct input formats

• Enhanced Output Handling ([Security]: Implement output escaping for user data in UI #336):

  • All user-controlled content properly HTML-escaped in Admin UI
  • Protected fields: prompt templates, tool names/annotations, resource content, gateway configs
  • Ensures data displays as intended without unexpected behavior

Features

• Test MCP Server Connectivity Tool ([Feature Request]: Test MCP Server Connectivity Debugging Tool #181) – Debug and validate gateway connections from Admin UI
• Persistent Admin UI Filter State ([Feature Request]: Persistent Admin UI Filter State #177) – View preferences persist across refreshes
• Revamped UI Components – Metrics and version tabs rewritten for consistency

Fixes

• Unit Test Compatibility ([Bug] Fix Unit Tests to Handle UI-Disabled Mode #378) – Tests now properly handle UI-disabled mode configurations
• Version Endpoint Enhancement ([Bug]: Fix Version Endpoint to Include Semantic Version (Not Just Git Revision) #369) – Now includes semantic version (e.g., "0.3.1") not just git revision

🔄 Changed

• Code Quality Achievement ([Security]: Eliminate all lint issues in web stack #338):

  • Resolved all 312 code quality issues
  • Updated 14 JavaScript patterns
  • Corrected 2 HTML structure improvements
  • Standardized naming conventions
  • Removed unused code

• Security Defaults:

  • Admin UI disabled by default: MCPGATEWAY_UI_ENABLED=false
  • Admin API disabled by default: MCPGATEWAY_ADMIN_API_ENABLED=false
  • Update your .env file to explicitly enable these features

• Validation Configuration – New environment variables:

  VALIDATION_MAX_NAME_LENGTH=255
  VALIDATION_MAX_DESCRIPTION_LENGTH=4096
  VALIDATION_MAX_JSON_DEPTH=10
  VALIDATION_ALLOWED_URL_SCHEMES=["http://", "https://", "ws://", "wss://"]

• Performance – Validation overhead kept under 10ms per request

• Security Pipeline – Every PR now passes through 24+ automated security scans including:

  • SAST: CodeQL, Bandit, multiple type checkers
  • Dependency Scanning: OSV-Scanner, Trivy, npm audit
  • Container Security: Hadolint, Dockle, Trivy
  • Code Quality: Multiple linters ensuring maintainability

🔐 Security Notes

Defense in Depth Strategy

MCP Gateway is designed as one component in a comprehensive security strategy:

1. Upstream validation: Verify and trust all MCP servers before connection
2. Gateway validation: Input/output validation and sanitization (this release)
3. Downstream validation: Applications must implement their own security controls
4. Network isolation: Use firewalls and network policies
5. Monitoring: Implement logging and alerting for anomalies

Review Your Configuration

Admin features are now disabled by default for security:

MCPGATEWAY_UI_ENABLED=false        # Keep false in production
MCPGATEWAY_ADMIN_API_ENABLED=false # Keep false in production

Developer Security Tools

Run the same 24+ security scans locally that execute in CI/CD:

make pre-commit  # Run before every commit (includes Bandit)
make lint        # Full security and quality suite
make bandit      # Python security vulnerabilities
make trivy       # Container vulnerability scanning
make osv-scan    # Open source vulnerability database

📦 Upgrade Instructions (pypy)

1. Update your package:

   pip install --upgrade mcp-contextforge-gateway==0.3.1

2. Review security settings in your .env:

   # Copy from .env.example for secure defaults
   cp .env.example .env
   # Then enable only required features

📋 Production Deployment Checklist

When deploying MCP Gateway v0.3.1:

• Disable Admin UI (MCPGATEWAY_UI_ENABLED=false)
• Disable Admin API (MCPGATEWAY_ADMIN_API_ENABLED=false)
• Enable authentication for all endpoints
• Configure TLS/HTTPS with valid certificates
• Validate all MCP servers before connection
• Implement downstream validation in your applications
• Set up monitoring and anomaly detection
• Review validation rules for your use case

See the full Security Policy for complete deployment guidelines.

👥 Contributors

This security-focused release was delivered through excellent teamwork. Some of the items closed in 0.3.1 include:

• Security Implementation – Input validation framework ([Security]: Add input validation for /admin endpoints #339, [Security]: Add input validation for main API endpoints (depends on #339 /admin API validation) #340) and output escaping ([Security]: Implement output escaping for user data in UI #336)
• Code Quality – Achieved zero lint status across 312 issues ([Security]: Eliminate all lint issues in web stack #338)
• Testing Improvements – UI-disabled mode support ([Bug] Fix Unit Tests to Handle UI-Disabled Mode #378)
• Version Enhancement – Semantic versioning in API ([Bug]: Fix Version Endpoint to Include Semantic Version (Not Just Git Revision) #369)
• UI/UX Features – Test connectivity tool ([Feature Request]: Test MCP Server Connectivity Debugging Tool #181) and persistent filter state ([Feature Request]: Persistent Admin UI Filter State #177)

Special thanks to all contributors who helped make MCP Gateway more secure and robust!

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.3.1
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: Compare v0.3.0…v0.3.1

---

This discussion was created from the release 🔐 MCP Gateway v0.3.1 - 2025-01-11 Security, XSS protection and Data Validation (Pydantic, UI).