Configuration & Environment
MCP server exposes POST/PUT/DELETE/PATCH routes without CSRF middleware — a malicious site can trigger state changes through the user's authenticated browser session.
CSRF (Cross-Site Request Forgery) lets a third-party page trick the user's browser into sending a state-changing request to a domain where the user is logged in. Browsers send cookies automatically, so the request looks authentic from the server's perspective. The defense is to require an unguessable token (CSRF token, double-submit cookie, or `SameSite=Strict` cookies) that a cross-site request can't forge.
Hosted MCP servers with web admin surfaces are the natural target. A user logs in, goes about their day, then visits an unrelated page that issues a `POST /admin/destroy_all_keys` to the MCP server's domain. Cookies ride along, the server processes the request, the user has no idea.
import express from "express"; |
const app = express(); |
app.post("/admin/delete_user", (req, res) => { |
// No CSRF token check — accepts cross-site POSTs. |
deleteUser(req.body.userId); |
res.sendStatus(204); |
}); |
import express from "express"; |
import csrf from "csurf"; |
const app = express(); |
const csrfProtection = csrf({ cookie: { httpOnly: true, secure: true, sameSite: "strict" } }); |
app.post("/admin/delete_user", csrfProtection, (req, res) => { |
deleteUser(req.body.userId); |
res.sendStatus(204); |
}); |
MCPSafe flags state-changing route handlers (POST/PUT/PATCH/DELETE) when no CSRF middleware is detected file-wide (`csurf`, `csrf-csrf`, `lusca.csrf()`, `flask_wtf.csrf.CSRFProtect`, `fastapi-csrf-protect`, etc.) and no `X-CSRF-Token` / `SameSite=Strict` cookie pattern is present.
See the full threat catalog for every documented detection.
MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.
Scan now