This is a secure, production-ready server implementing the Model Context Protocol (MCP) with Server-Sent Events (SSE). It provides a comprehensive example of how to build, secure, and test an MCP server with proper security practices.
- Weather Tool: Get current weather for any city using wttr.in API
- Math Tool: Simple addition functionality
- Secret Word Tool: Generate random words
- Security Hardened: Comprehensive security testing and validation
- Production Ready: Docker support and proper error handling
python -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activatepip install -r requirements.txt# Use the safe startup script (recommended)
./start_server.sh
# Or start manually
python server.pyThe server will start on http://localhost:8080 by default.
This server has been comprehensively tested for security vulnerabilities and is production-ready.
# Basic security test (recommended)
python3 simple_test.py
# Comprehensive MCP protocol test
python3 test_client.py
# Advanced security analysis
python3 security_test.py- Input Validation: All malicious payloads are properly rejected
- Endpoint Protection: Undefined endpoints return 404
- Protocol Enforcement: MCP protocol properly enforced
- External API Security: Safe integration with weather API
- Error Handling: Graceful error handling and logging
DON'T DO THIS:
# β This will NOT work - MCP is not a REST API
curl http://localhost:8080/tool/get_current_weather?city=AmsterdamDO THIS INSTEAD: Use proper MCP clients (like Cursor, Claude Desktop) that implement the JSON-RPC 2.0 protocol.
MCP tools require:
- JSON-RPC 2.0 protocol
- Proper session management
- Structured message format
- MCP-compatible client
Add to your mcp.json file:
{
"demo-mcp": {
"url": "https://your-domain.com/sse"
}
}Add to your MCP configuration:
{
"mcpServers": {
"demo-mcp": {
"url": "https://your-domain.com/sse"
}
}
}Important: Replace your-domain.com with your actual server domain and use HTTPS in production.
# Build the container
docker build -t mcp-server .
# Run the container
docker run -p 8080:8080 mcp-serverFor deployment on cloud platforms, make sure to:
- Use HTTPS (not HTTP)
- Set proper environment variables
- Enable logging and monitoring
- Use the provided Dockerfile
βββ server.py # Main MCP server implementation
βββ requirements.txt # Python dependencies
βββ Dockerfile # Container configuration
βββ start_server.sh # Safe server startup script
βββ simple_test.py # Basic security testing
βββ test_client.py # MCP protocol testing
βββ security_test.py # Advanced security analysis
βββ SECURITY_TESTING.md # Detailed security documentation
βββ README.md # This file
get_current_weather(city: str) -> strGet current weather information for any city.
add(a: int, b: int) -> intAdd two numbers together.
get_secret_word() -> strGet a random secret word.
# Start server
./start_server.sh
# Stop server
pkill -f "python3 server.py"
# Check server status
ps aux | grep "python3 server.py"# Quick security check
python3 simple_test.py
# Full protocol test
python3 test_client.py- Use HTTPS: Never use HTTP in production
- Add Security Headers: Implement recommended HTTP security headers
- Monitor Logs: Set up proper logging and monitoring
- Rate Limiting: Consider implementing rate limiting
- Keep Updated: Regularly update dependencies
# Add these headers in production
"X-Content-Type-Options": "nosniff"
"X-Frame-Options": "DENY"
"X-XSS-Protection": "1; mode=block"
"Strict-Transport-Security": "max-age=31536000"| Test Category | Status | Details |
|---|---|---|
| Server Access | β Pass | Server responds correctly |
| Endpoint Security | β Pass | All undefined endpoints blocked |
| Input Validation | β Pass | Malicious inputs rejected |
| Protocol Security | β Pass | MCP protocol enforced |
| External APIs | β Pass | Weather API works securely |
| Headers | Security headers recommended |
-
"TypeError: FastMCP.init() got an unexpected keyword argument 'logger'"
- Solution
5F05
: Already fixed in this version. The server uses
log_levelinstead oflogger.
- Solution
5F05
: Already fixed in this version. The server uses
-
"No data found or available" when accessing tools via HTTP
- Cause: MCP is not a REST API
- Solution: Use proper MCP clients, not direct HTTP requests
-
SSE endpoint timeout
- Cause: Normal behavior for streaming endpoints
- Solution: Use MCP clients that handle SSE properly
- Check
SECURITY_TESTING.mdfor detailed security information - Run
python3 simple_test.pyto verify server status - Ensure virtual environment is activated
- Check server logs for detailed error information
This project is open source and available under the MIT License.
- Fork the repository
- Create a feature branch
- Run security tests:
python3 simple_test.py - Submit a pull request