Add Concrete Gateway Examples to Security Documentation
Closed this issue · 4 comments
Hey there!
For context, I just read this great piece from your team on The New Stack.
The current security guidance in the repo consists of a brief warning under "Option 6: Running as an HTTP Server" with a few bullet points of high-level advice like "implement authentication (e.g., API gateway, reverse proxy)" and "never expose directly to the internet." While this guidance is solid, it doesn't show users what these recommendations actually look like in practice.
The MCP security best practices specifically discuss "MCP Proxy Server" architectures and emphasize proper authentication controls, while multiple security analyses recommend "Consider an MCP gateway: Centralizing MCP Server usage through a proxy will allow a single point of control for audit logging and monitoring, as well as guardrails and governance controls." This would just be showing users how to implement that guidance with concrete examples.
How about adding a "Gateway Examples" section that shows specific implementations? This would make the existing guidance way more actionable for users.
Here's what this could look like:
Gateways
Pomerium (Open Core)
- Identity-aware proxy specifically designed for zero-trust access
- Has dedicated MCP documentation
- Supports all major identity providers (Azure AD, Google, Okta, etc.)
- Example configuration:
routes:
- from: https://mongodb-mcp.your-domain.com
to: http://localhost:3000
name: MongoDB MCP Server
mcp:
server: {} # the brackets are significant, they indicate that this is an MCP server route
policy:
and:
- domain:
is: company.com
- mcp_tool:
starts_with: 'read_'This section could be expanded with additional gateway solutions as the community contributes examples:
- Google Cloud Identity-Aware Proxy
- AWS Application Load Balancer with authentication
- Cloudflare Access
- Other reverse proxy solutions with authentication
Why This Helps
- Makes existing guidance actionable - users get concrete examples instead of just "use a gateway"
- Addresses AI agent risks - IAPs are particularly good at the continuous verification that agents need
- Open ecosystem - creates a structure where the community can contribute other gateway examples
- Builds on MCP momentum - leverages the fact that both MCP and many gateway solutions are open source
I'd be happy to put up a PR for this to get the ball rolling, if this sounds useful. The goal would be creating something that's immediately helpful but also easy for others to extend with additional gateway options.
Thanks for opening this issue. The ticket MCP-100 was created for internal tracking.
Hey @nickytonline,
thanks a lot for opening the issue!
We are working on improving our documentation on best practices and security guidelines so users can deploy properly the remote HTTP Transport of the MCP Server. We are still considering if we want to provide IaC templates because each user infrastructure can be completely different and we still have to think how to handle this in our docs to avoid proposing something that might be outdated or not aligned with best practices for everyone.
If you have a suggestion, please feel free to open a PR. We will try to be as responsive as possible and provide feedback.
Hi @kmruiz! Thanks for the prompt reply! I'm just heading back from BlackHat, so will look at this in the next day or so.
The corresponding JIRA ticket has been automatically closed.