MCP tunnels security

The tunnel architecture provides strong defaults (outbound-only connectivity, end-to-end encryption, and IP validation), but the overall security of your deployment also depends on how you configure and operate it. This page covers recommended hardening, breach response, and how to decommission a tunnel.

Best practices

• Require OAuth on every MCP server. Configure each upstream server to require OAuth as described in the MCP authorization spec. OAuth provides defense in depth on top of the tunnel's transport authentication and enables user-level authorization at the data layer.
• Enable SSO for your organization. Tunnels, federation rules, and service accounts are managed in the Claude Console. SSO enforces your identity provider's session controls on the admins who can change them.
• Restrict upstream.allowed_ips. Use the smallest CIDR ranges that cover your MCP servers. This is the proxy's primary SSRF defense.
• Monitor logs. Alert on warnings, errors, and unusual traffic patterns from the tunnel stack.
• Rotate credentials. Rotate the server certificate and tunnel token on a regular schedule, and immediately if you suspect compromise.
• Keep images updated. Track new proxy releases and pin images by SHA-256 digest.
• Limit network reach. The proxy and cloudflared should only be able to reach the destinations listed in the network requirements. Use NetworkPolicy (Kubernetes) or host firewall rules (Compose).
• Limit MCP server scope. Each server should expose only the tools and data required for its purpose.
• Protect credentials at rest. Apply your organization's secrets-management practices to private keys and tunnel tokens.

Respond to a suspected breach

If you believe your tunnel token, TLS keys, or proxy host has been compromised:

Tear down a tunnel

Follow these steps to decommission a tunnel and remove all stored credentials.