John Lancaster
4.1 KiB
icon
| icon |
|---|
| lucide/shield-check |
Securing Remote Access
Context
This project exposes two related surfaces from the same runtime:
- a static documentation site under
/docs - a Streamable HTTP MCP endpoint under
/mcp
The same Markdown content backs both surfaces. For the current project shape, the MCP server is resource-first and primarily exposes public skill and documentation text. It is not intended to expose secrets, private data, shell access, filesystem access, or tools with side effects.
The expected deployment path is:
Public internet
-> Cloudflare Tunnel
-> Caddy
-> personal-mcp container
Decision
For the current use case, heavy application-level authentication is not required.
The recommended posture is:
- Keep the service behind Cloudflare Tunnel and Caddy.
- Do not expose the container port directly to the public internet.
- Treat everything exposed through MCP as publishable public documentation.
- Add stronger authentication only if the MCP surface later includes sensitive content or tools with meaningful side effects.
This keeps the deployment simple while preserving a clear upgrade path.
Tradeoffs
Leaving /mcp Public
This is acceptable if /mcp exposes only the same public Markdown already available through /docs.
Benefits:
- lowest operational friction
- fewer compatibility issues with MCP clients
- no need to implement OAuth, mTLS, JWT validation, or custom auth middleware
- consistent with the project assumption that documentation content is public
Risks:
- random scraping, probing, or fuzzing of a machine endpoint
- possible bandwidth or CPU nuisance traffic
- accidental future exposure if new tools or private resources are added
- less control over who can use the MCP endpoint
Protecting /mcp With Cloudflare Access
Cloudflare Access can add a lightweight gate using GitHub, Google, one-time PIN, or service tokens.
Benefits:
- reduces random internet traffic
- requires little app code
- works well for a small trusted team
- provides logs and centralized access control
Costs:
- browser-based login may not work with all MCP clients
- non-browser MCP clients may need Cloudflare Access service tokens
- adds operational configuration for a low-sensitivity endpoint
Using mTLS
mTLS is useful when both client and server environments are tightly controlled.
Benefits:
- strong client identity
- good fit for service-to-service or private infrastructure
- can be used between Cloudflare, Caddy, and the backend if desired
Costs:
- harder certificate provisioning and rotation
- weaker compatibility with normal MCP clients
- unnecessary for public documentation-only content
For this project, mTLS is not the primary recommendation.
Practical Recommendation
Use a simple public-docs posture unless the endpoint changes.
Recommended current setup:
/docs public
/mcp public or lightly protected
If /mcp remains public, add only basic operational safeguards:
- keep Cloudflare Tunnel and Caddy in front
- avoid publishing
8765directly - enable Cloudflare or Caddy rate limiting if traffic becomes noisy
- monitor logs for unusual request volume
- document that MCP resources must remain safe to publish
A slightly stricter setup is also reasonable:
/docs public
/mcp Cloudflare Access or service token
This is the best option if the team wants to reduce drive-by MCP traffic without adding auth code to the application.
Upgrade Trigger
Add real authentication before introducing any MCP capability that can:
- read non-public files
- access private notes or credentials
- call upstream APIs
- mutate data
- run commands
- expose environment details
- perform expensive computation
At that point, prefer edge-level authentication first, such as Cloudflare Access, and consider proper OAuth 2.1 resource-server behavior only if broad public MCP client interoperability becomes a goal.
Security Invariant
Everything exposed by the MCP server must be safe to publish publicly.
If that invariant stops being true, /mcp should be protected before the new capability is deployed.