Secure Server Template
БесплатноНе проверенProvides secure, read-only database queries, HTTP GET requests with anti-SSRF protection, and file reading within a restricted directory.
Описание
Provides secure, read-only database queries, HTTP GET requests with anti-SSRF protection, and file reading within a restricted directory.
README
A minimal, correct, and security-first Model Context Protocol (MCP) server in Python. It exposes three example tools to any MCP client (Claude Desktop, Claude Code, etc.) — each one shipped with the security guard it actually needs.
Most "MCP server" tutorials show you how to expose a tool. They skip the part that matters once a model has real hands on your database, network, and disk. This template is built around that gap: how to give an LLM capabilities without opening a hole.
LLM client ──MCP──> this server ──> [ PostgreSQL | HTTP | filesystem ]
│
└── every tool passes through guards.py (tested)
What is MCP, in one paragraph
MCP is an open protocol that lets an AI client call external "tools" (functions) and read "resources" through a standard interface. You run a small server that declares tools; the client (Claude Desktop, Claude Code, …) discovers them and the model calls them during a conversation. It's the clean way to give a model access to your data and actions instead of pasting everything into the prompt.
Tools
| Tool | What it does | Guard |
|---|---|---|
db_query(sql) |
Run a read-only SQL query against DATABASE_URL, returns rows as JSON |
SELECT/WITH only and a real READ ONLY Postgres session |
http_get(url) |
HTTP GET, returns the body as text | http/https only + host allowlist, deny-by-default (anti-SSRF) |
read_file(path) |
Read a text file under MCP_FILES_ROOT |
Path resolved inside the root, blocks ../ traversal & absolute paths |
Security design (the point of this template)
db_querycan't write. Two layers: a static check (is_safe_select— rejects writes, DDL, and stacked;statements) and the connection is openedREAD ONLY, so even a clever bypass can't mutate data.http_getcan't be turned into an SSRF. Onlyhttp(s), and the host must be inMCP_URL_ALLOWLIST. Empty allowlist = nothing allowed (deny-by-default), so a misconfigured server isn't an open proxy.read_filecan't escape its root. Paths are resolved and checked to live insideMCP_FILES_ROOT;../, absolute paths, and symlink escapes raise.
All three guards live in guards.py (zero dependencies) and are covered by tests/test_guards.py, so they run without even installing MCP.
Quickstart
git clone <this repo> && cd mcp-server-template
python -m venv .venv && . .venv/Scripts/activate # (Linux/mac: . .venv/bin/activate)
pip install -e . # add: pip install -e ".[db]" for PostgreSQL
cp .env.example .env # edit with your values
python server.py # runs over stdio
Use it from Claude Desktop
Add to your claude_desktop_config.json (see claude_desktop_config.example.json):
{
"mcpServers": {
"atelier-template": {
"command": "python",
"args": ["/absolute/path/to/server.py"],
"env": { "MCP_URL_ALLOWLIST": "api.github.com", "MCP_FILES_ROOT": "/safe/dir" }
}
}
}
Restart Claude Desktop; the three tools appear. (For Claude Code: claude mcp add atelier-template -- python /abs/path/server.py.)
Add your own tool (the 5-line version)
@mcp.tool()
def word_count(text: str) -> str:
"""Count words in a string.""" # <- this docstring is what the model reads
return str(len(text.split()))
That's the whole loop: decorate a function, write a clear docstring (the model uses it to decide when/how to call), return a string. If the tool touches data/network/disk, add a guard — that's the habit this template is trying to teach.
Layout
server.py # the MCP server + 3 example tools
guards.py # pure, dependency-free security helpers (tested)
tests/ # pytest for the guards (run without mcp installed)
.env.example # configuration
Tests
pip install pytest && pytest -q
License
MIT © 2026 Eduardo Pérez Ignacio
Установка Secure Server Template
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/EduardoDknight/mcp-server-templateFAQ
Secure Server Template MCP бесплатный?
Да, Secure Server Template MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Secure Server Template?
Нет, Secure Server Template работает без API-ключей и переменных окружения.
Secure Server Template — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Secure Server Template в Claude Desktop, Claude Code или Cursor?
Открой Secure Server Template на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
wenb1n-dev/SmartDB_MCP
A universal database MCP server supporting simultaneous connections to multiple databases. It provides tools for database operations, health analysis, SQL optim
автор: wenb1n-devPostgres Server
This server enables interaction with PostgreSQL databases through the Model Context Protocol, optimized for the AWS Bedrock AgentCore Runtime. It provides tools
автор: madhurprashPostgres
Query your database in natural language
автор: AnthropicPostgreSQL
Read-only database access with schema inspection.
автор: modelcontextprotocolCompare Secure Server Template with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории data
