From 928293d9c565af64f7476f793c5d66f6cf1f86b2 Mon Sep 17 00:00:00 2001 From: Bianca Lisle Date: Tue, 22 Jul 2025 17:07:56 +0100 Subject: [PATCH 1/5] chore: add streamable http disclaimer --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index 6a91e158..019d73b1 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,8 @@ A Model Context Protocol server for interacting with MongoDB Databases and MongoDB Atlas. +> **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** See [Configuration](#configuration) for details. + ## 📚 Table of Contents - [🚀 Getting Started](#getting-started) @@ -412,6 +414,23 @@ You can disable telemetry using: - **Command-line argument**: `--telemetry disabled` - **DO_NOT_TRACK environment variable**: `export DO_NOT_TRACK=1` +#### Streamable HTTP Transport + +The server supports Streamable HTTP transport for remote connections. **⚠️ Security Warning:** HTTP transport is NOT recommended for production use without implementing proper authentication and security measures. + +**Required Security Measures:** +- Implement authentication (e.g., API gateway, reverse proxy) +- Use HTTPS/TLS encryption +- Deploy behind a firewall or in private networks +- Implement rate limiting +- Never expose directly to the internet + +**Configuration:** +- **Environment variables**: `export MDB_MCP_TRANSPORT=http` +- **Command-line argument**: `--transport http` + +For more details, see [MCP Security Best Practices](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations). + ### Atlas API Access To use the Atlas API tools, you'll need to create a service account in MongoDB Atlas: From fb9610614b53cd753a6b0a831fe5640fb9b19e33 Mon Sep 17 00:00:00 2001 
From: Bianca Lisle Date: Tue, 22 Jul 2025 17:08:35 +0100 Subject: [PATCH 2/5] reformat --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 019d73b1..4bbb7d80 100644 --- a/README.md +++ b/README.md @@ -419,6 +419,7 @@ You can disable telemetry using: The server supports Streamable HTTP transport for remote connections. **⚠️ Security Warning:** HTTP transport is NOT recommended for production use without implementing proper authentication and security measures. **Required Security Measures:** + - Implement authentication (e.g., API gateway, reverse proxy) - Use HTTPS/TLS encryption - Deploy behind a firewall or in private networks @@ -426,6 +427,7 @@ The server supports Streamable HTTP transport for remote connections. **⚠️ S - Never expose directly to the internet **Configuration:** + - **Environment variables**: `export MDB_MCP_TRANSPORT=http` - **Command-line argument**: `--transport http` From 3e07f20cfa05f32cb8e439b0a432892b5d7583e1 Mon Sep 17 00:00:00 2001 From: Bianca Lisle Date: Tue, 22 Jul 2025 17:10:24 +0100 Subject: [PATCH 3/5] reformat --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4bbb7d80..cdc82c54 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,6 @@ A Model Context Protocol server for interacting with MongoDB Databases and MongoDB Atlas. -> **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** See [Configuration](#configuration) for details. - ## 📚 Table of Contents - [🚀 Getting Started](#getting-started) 
@@ -416,7 +414,9 @@ You can disable telemetry using: #### Streamable HTTP Transport -The server supports Streamable HTTP transport for remote connections. **⚠️ Security Warning:** HTTP transport is NOT recommended for production use without implementing proper authentication and security measures. +> **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** + +The server supports Streamable HTTP transport for remote connections. **Required Security Measures:** From bc4fa1240776639ddb8a163a1965e77e9f4f3497 Mon Sep 17 00:00:00 2001 From: Bianca Lisle Date: Tue, 22 Jul 2025 17:11:52 +0100 Subject: [PATCH 4/5] update --- README.md | 35 ++++++++++++++--------------------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index cdc82c54..525c3102 100644 --- a/README.md +++ b/README.md 
@@ -230,6 +230,20 @@ With Atlas API credentials: #### Option 6: Running as an HTTP Server +> **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** + +The server supports Streamable HTTP transport for remote connections. + +**Required Security Measures:** + +- Implement authentication (e.g., API gateway, reverse proxy) +- Use HTTPS/TLS encryption +- Deploy behind a firewall or in private networks +- Implement rate limiting +- Never expose directly to the internet + +For more details, see [MCP Security Best Practices](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations). + You can run the MongoDB MCP Server as an HTTP server instead of the default stdio transport. This is useful if you want to interact with the server over HTTP, for example from a web client or to expose the server on a specific port. To start the server with HTTP transport, use the `--transport http` option: 
@@ -412,27 +426,6 @@ You can disable telemetry using: - **Command-line argument**: `--telemetry disabled` - **DO_NOT_TRACK environment variable**: `export DO_NOT_TRACK=1` -#### Streamable HTTP Transport - -> **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** - -The server supports Streamable HTTP transport for remote connections. - -**Required Security Measures:** - -- Implement authentication (e.g., API gateway, reverse proxy) -- Use HTTPS/TLS encryption -- Deploy behind a firewall or in private networks -- Implement rate limiting -- Never expose directly to the internet - -**Configuration:** - -- **Environment variables**: `export MDB_MCP_TRANSPORT=http` -- **Command-line argument**: `--transport http` - -For more details, see [MCP Security Best Practices](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations). - ### Atlas API Access To use the Atlas API tools, you'll need to create a service account in MongoDB Atlas: From 4ea0c78ec5de633f78e783e7469517eee2d82a3e Mon Sep 17 00:00:00 2001 From: Bianca Lisle Date: Tue, 22 Jul 2025 17:13:26 +0100 Subject: [PATCH 5/5] update --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 525c3102..5b5caaa1 100644 --- a/README.md +++ b/README.md @@ -232,9 +232,7 @@ With Atlas API credentials: > **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** -The server supports Streamable HTTP transport for remote connections. - -**Required Security Measures:** +**Suggested Security Measures Examples:** - Implement authentication (e.g., API gateway, reverse proxy) - Use HTTPS/TLS encryption
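
Review bot: In PATCH 1/5, the `@@ -6,6 +6,8 @@` hunk, the notice says HTTP transport is not recommended "without implementing proper authentication and security measures" but never states whether the HTTP transport performs any authentication of its own, which is what a reader needs in order to judge the risk. Suggest stating that explicitly in the notice. Also drop "now" from "This server now supports": it is changelog wording that goes stale in a README.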
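
Review bot: In PATCH 1/5, the `@@ -412,6 +414,23 @@` hunk, the bullet `Implement authentication (e.g., API gateway, reverse proxy)` names places where authentication can be enforced rather than an authentication requirement, so putting any proxy in front of the server appears to satisfy it. Suggest wording along the lines of "Require authentication on every request, enforced at an API gateway or reverse proxy in front of the server". Similarly, `Use HTTPS/TLS encryption` sits beside a configuration block that only shows `--transport http`, so the text should say where TLS is expected to be terminated. Minor: "Environment variables" introduces a single variable.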
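
Review bot: In PATCH 4/5, the `@@ -230,6 +230,20 @@` hunk, the new bullet `Never expose directly to the internet` lands directly above the existing paragraph that describes HTTP transport as useful "to expose the server on a specific port", so Option 6 now gives conflicting guidance within a few lines. Suggest rewording that existing paragraph in the same patch so it says the port should be reachable only from a trusted network or through the authenticating proxy. The added sentence "The server supports Streamable HTTP transport for remote connections." also repeats the first sentence of the notice immediately above it; PATCH 5/5 removes it, so the two patches could be squashed.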
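
Review bot: In PATCH 4/5, the `@@ -412,27 +426,6 @@` hunk, deleting the "Configuration" bullets removes the only mention of `export MDB_MCP_TRANSPORT=http` visible in this series; the lines added under Option 6 in the same patch carry over the security list and the link but not the environment variable. Suggest keeping the environment-variable form next to the existing "use the `--transport http` option" sentence in Option 6, or confirming in the commit message that it is documented elsewhere in the README.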
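
Review bot: In PATCH 5/5, renaming `**Required Security Measures:**` to `**Suggested Security Measures Examples:**` makes the list read as optional, while the notice directly above it still says HTTP transport is not recommended "without implementing proper authentication and security measures" and the list added in PATCH 4/5 still ends with the absolute `Never expose directly to the internet`. If the intent is that the list is not exhaustive, a heading such as "Recommended security measures (not exhaustive)" says that without making authentication look optional; the current phrase is also ungrammatical ("Measures Examples"). The subjects of patches 2 to 5 ("reformat", "update") do not say what changed; squashing the series into 1/5 would leave one reviewable commit.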