Waygate MCP

SECURITY.md•12.6 KiB

# Security Policy ## Security Overview Waygate MCP is designed with security as a foundational principle. This document outlines our security practices, vulnerability reporting procedures, and security considerations for deployment and development. ## Table of Contents - [Supported Versions](#supported-versions) - [Security Features](#security-features) - [Reporting Vulnerabilities](#reporting-vulnerabilities) - [Security Architecture](#security-architecture) - [Deployment Security](#deployment-security) - [Development Security](#development-security) - [Security Testing](#security-testing) - [Incident Response](#incident-response) ## Supported Versions We actively maintain security updates for the following versions: | Version | Supported | End of Life | | ------- | ------------------ | ----------- | | 2.x.x | ✅ Active Support | TBD | | 1.x.x | ⚠️ Security Only | Dec 2025 | | < 1.0 | ❌ No Support | Ended | ## Security Features ### Container Security Our Docker deployment implements defense-in-depth security: #### Process Isolation - **Non-root execution**: Containers run as UID 1000 (waygate user) - **Read-only filesystem**: Root filesystem mounted read-only - **No new privileges**: `--security-opt no-new-privileges:true` - **Dropped capabilities**: All Linux capabilities dropped #### Resource Protection - **Memory limits**: 1GB maximum memory allocation - **CPU limits**: 2 CPU cores maximum - **PID limits**: Maximum 512 processes - **Temporary filesystem**: tmpfs for /tmp with 100MB limit #### Network Security - **Custom bridge network**: Isolated container networking - **Port restrictions**: Only exposed ports accessible - **No privileged mode**: Never runs with `--privileged` ### Application Security #### Authentication & Authorization - **API Key Management**: Secure key generation and validation - **Permission System**: Role-based access control - **Rate Limiting**: Request throttling per client - **Session Security**: Secure session handling #### Data Protection - **Input Validation**: Comprehensive parameter sanitization - **SQL Injection Prevention**: Parameterized queries only - **XSS Protection**: Content Security Policy headers - **CORS Configuration**: Strict origin validation #### Secrets Management - **Environment Variables**: Secrets via secure env vars - **Secret Rotation**: Support for credential rotation - **No Hardcoded Secrets**: Zero secrets in source code - **Audit Logging**: Comprehensive access logging ### Database Security #### Turso Edge Database - **Encrypted Connections**: TLS 1.3 for all connections - **Authentication Tokens**: Secure token-based auth - **Audit Logging**: Complete query audit trail - **Backup Encryption**: Encrypted backups at rest #### Local SQLite Fallback - **File Permissions**: Restrictive file permissions (600) - **WAL Mode**: Write-ahead logging for consistency - **Backup Strategy**: Regular encrypted backups ## Reporting Vulnerabilities ### Responsible Disclosure We take security vulnerabilities seriously. Please follow responsible disclosure: #### How to Report 1. **Email**: Send detailed report to `security@waygatemcp.com` 2. **Encryption**: Use our PGP key for sensitive reports 3. **Subject Line**: `[SECURITY] Vulnerability Report - [Brief Description]` #### What to Include - **Vulnerability Type**: Classification (OWASP category) - **Affected Versions**: Specific version numbers - **Attack Vector**: How the vulnerability can be exploited - **Impact Assessment**: Potential damage and scope - **Proof of Concept**: Safe demonstration (if applicable) - **Suggested Fix**: Remediation recommendations #### Example Report ``` Subject: [SECURITY] SQL Injection in MCP Tool Execution Vulnerability Type: SQL Injection (A03:2021) Affected Versions: 2.0.0 - 2.1.3 Severity: High Description: The execute_tool function in mcp_integration.py does not properly sanitize the tool_name parameter, allowing SQL injection attacks. Attack Vector: POST /mcp/execute with malicious tool_name parameter: {"tool_name": "test'; DROP TABLE config; --"} Impact: - Database corruption - Data exfiltration - Privilege escalation Proof of Concept: [Safe demonstration steps] Suggested Fix: Use parameterized queries with bound parameters in all database calls. ``` ### Response Timeline | Timeframe | Action | |-----------|--------| | 24 hours | Initial acknowledgment | | 72 hours | Vulnerability assessment | | 7 days | Mitigation plan | | 30 days | Security patch release | | 90 days | Public disclosure (if agreed) | ### Bounty Program We appreciate security researchers and offer recognition: - **Hall of Fame**: Public recognition for valid findings - **Swag**: Waygate MCP merchandise for significant findings - **Reference**: LinkedIn recommendations for career impact ## Security Architecture ### Threat Model #### Assets - **MCP Server**: Core application and data - **Database**: Configuration and operational data - **API Keys**: Authentication credentials - **Container Runtime**: Docker infrastructure #### Threats - **Network Attacks**: DDoS, MITM, eavesdropping - **Application Attacks**: Injection, XSS, CSRF - **Container Escape**: Privilege escalation - **Data Breaches**: Unauthorized data access #### Mitigations - **Defense in Depth**: Multiple security layers - **Principle of Least Privilege**: Minimal permissions - **Security by Default**: Secure default configurations - **Fail Secure**: Secure failure modes ### Security Controls #### Detective Controls - **Audit Logging**: Comprehensive event logging - **Monitoring**: Real-time security monitoring - **Intrusion Detection**: Anomaly detection - **Health Checks**: Security posture validation #### Preventive Controls - **Access Controls**: Authentication and authorization - **Input Validation**: Data sanitization - **Network Segmentation**: Container isolation - **Encryption**: Data protection in transit and at rest #### Corrective Controls - **Incident Response**: Automated response procedures - **Backup Recovery**: Secure backup restoration - **Patch Management**: Rapid security updates - **Forensic Analysis**: Security incident investigation ## Deployment Security ### Production Deployment #### Environment Security ```bash # Secure environment variables export WAYGATE_SECRET_KEY=$(openssl rand -hex 32) export DATABASE_URL="libsql://secure-endpoint?authToken=secret" # Security-hardened deployment docker-compose --profile security up -d ``` #### Network Security ```nginx # Nginx security headers add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; add_header Content-Security-Policy "default-src 'self'"; ``` #### SSL/TLS Configuration ```yaml # SSL-enabled deployment services: nginx: environment: - SSL_CERT_PATH=/certs/waygate.crt - SSL_KEY_PATH=/certs/waygate.key volumes: - ./certs:/certs:ro ``` ### Security Checklist #### Pre-Deployment - [ ] Security scan with Bandit - [ ] Dependency vulnerability check with Safety - [ ] Container image scan with Trivy - [ ] Secret detection with detect-secrets - [ ] SAST analysis with Semgrep #### Post-Deployment - [ ] SSL certificate validation - [ ] Network connectivity testing - [ ] Health endpoint verification - [ ] Log aggregation setup - [ ] Monitoring dashboard configuration ## Development Security ### Secure Development Lifecycle #### Requirements Phase - Security requirements definition - Threat modeling and risk assessment - Compliance requirements analysis #### Design Phase - Security architecture review - Data flow analysis - Attack surface assessment #### Implementation Phase - Secure coding practices - Static analysis integration - Peer code review #### Testing Phase - Security testing automation - Penetration testing - Vulnerability assessment #### Deployment Phase - Security configuration validation - Runtime security monitoring - Incident response preparation ### Security Tools Integration #### CI/CD Security Pipeline ```yaml # GitHub Actions security workflow - name: Security Scan run: | bandit -r source/ -f sarif -o bandit.sarif safety check --json --output safety.json semgrep --config=.semgrep.yml source/ ``` #### Pre-commit Hooks ```bash # Install security pre-commit hooks pip install pre-commit pre-commit install # Security checks before each commit bandit --severity-level medium source/ safety check detect-secrets scan --all-files ``` ## Security Testing ### Automated Security Testing #### Static Analysis ```bash # Code security analysis bandit -r source/ --severity-level medium --confidence-level medium # Dependency vulnerability scanning safety check --policy-file .safety-policy.json # Custom security rules semgrep --config=.semgrep.yml source/ ``` #### Dynamic Analysis ```bash # Container security scanning docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy image waygate-mcp:latest # Network security testing nmap -sV -O localhost -p 8000 # SSL/TLS testing testssl.sh --vulnerable https://waygate.example.com ``` ### Manual Security Testing #### Authentication Testing - Token validation and expiration - Session management verification - Authorization bypass attempts #### Input Validation Testing - SQL injection attempts - XSS payload testing - Command injection verification #### Infrastructure Testing - Container escape attempts - Network segmentation validation - Privilege escalation testing ## Incident Response ### Security Incident Classifications #### Severity Levels | Level | Description | Response Time | Examples | |-------|-------------|---------------|----------| | Critical | Active exploitation | 1 hour | Data breach, RCE | | High | Immediate risk | 4 hours | Auth bypass, SQLi | | Medium | Potential risk | 24 hours | XSS, weak crypto | | Low | Minor issue | 7 days | Info disclosure | ### Response Procedures #### Immediate Response (0-1 hours) 1. **Containment**: Isolate affected systems 2. **Assessment**: Determine scope and impact 3. **Communication**: Notify stakeholders 4. **Documentation**: Begin incident log #### Investigation (1-24 hours) 1. **Forensics**: Collect evidence and logs 2. **Root Cause**: Identify vulnerability source 3. **Timeline**: Reconstruct attack sequence 4. **Impact**: Assess damage and exposure #### Recovery (24-72 hours) 1. **Remediation**: Apply security fixes 2. **Validation**: Verify fix effectiveness 3. **Restoration**: Restore normal operations 4. **Monitoring**: Enhanced surveillance #### Post-Incident (1-2 weeks) 1. **Lessons Learned**: Identify improvements 2. **Process Updates**: Revise procedures 3. **Training**: Update security awareness 4. **Disclosure**: Public communication (if needed) ### Contact Information #### Security Team - **Primary**: security@waygatemcp.com - **Emergency**: +1-555-SECURITY (24/7) - **PGP Key**: [security-team.asc](security-team.asc) #### Escalation Chain 1. **Security Engineer**: First response 2. **Security Manager**: Critical incidents 3. **CISO**: Public disclosure decisions 4. **Legal**: Regulatory compliance ## Compliance and Standards ### Security Standards - **OWASP Top 10**: Web application security - **NIST Cybersecurity Framework**: Risk management - **CIS Controls**: Implementation guidance - **ISO 27001**: Information security management ### Compliance Requirements - **GDPR**: Data protection regulation - **SOC 2**: Service organization controls - **PCI DSS**: Payment card industry (if applicable) - **HIPAA**: Healthcare information (if applicable) ## Security Resources ### Internal Resources - [Security Architecture Documentation](01-docs/security/) - [Threat Modeling Templates](01-docs/security/threat-models/) - [Security Training Materials](01-docs/security/training/) ### External Resources - [OWASP Application Security](https://owasp.org/) - [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - [Docker Security Best Practices](https://docs.docker.com/engine/security/) - [Python Security Guidelines](https://python.org/dev/security/) ## Security Updates ### Notification Channels - **Security Advisories**: GitHub Security Advisories - **Mailing List**: security-announce@waygatemcp.com - **RSS Feed**: https://waygatemcp.com/security.rss - **Twitter**: @WaygateMCP_Security ### Update Procedures 1. **Assessment**: Evaluate security impact 2. **Development**: Create security patches 3. **Testing**: Validate fix effectiveness 4. **Release**: Deploy security updates 5. **Notification**: Inform users and stakeholders --- **Security is a shared responsibility. Thank you for helping keep Waygate MCP secure!** *Last updated: September 29, 2025* *Version: 2.0*

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jeremylongshore/waygate-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SECURITY.md•12.6 KiB