Security Considerations

To ensure secure usage of the Database Tools MCP Server, follow these best practices:

Network Security

  • Access MCP Server endpoints only over HTTPS.
  • Ensure MCP clients can securely reach MCP Server and IAM OAuth endpoints.
  • When using private databases, configure network security groups and private endpoints to restrict access to trusted sources.

Credential and Secret Management

  • Store database credentials securely using OCI Vault when using password-based authentication.
  • Use resource principals or token-based authentication where possible to avoid managing long-lived credentials.
  • Do not embed credentials directly in client configurations or code.

Token and Session Management

  • Use short-lived OAuth access tokens to reduce exposure risk.
  • Configure appropriate token expiration durations based on usage patterns.
  • Reauthenticate users when tokens expire or are invalid.

Least Privilege Access

  • Assign IAM application roles (such as MCP_User, MCP_Operator) based on user responsibilities.
  • Restrict access to MCP Toolsets and SQL Reports using role-based controls.
  • Limit database user privileges to only the operations required by MCP Tools.

Tool and SQL Execution

  • Prefer predefined and parameterized SQL (custom tools and SQL reports) over unrestricted ad-hoc SQL execution.
  • Validate and review SQL and PL/SQL scripts used in MCP Toolsets to prevent unintended data access or modification.
  • Clearly define Tool descriptions and parameters to guide correct usage by MCP clients and LLMs.
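
The sketch below is an added example, not code from the Database Tools MCP Server. It shows a predefined, parameterized tool with declared parameters next to the ad-hoc pattern the guidance above advises against. The TOOLS registry, run_tool, run_adhoc_concat, the orders table and the use of an in-memory SQLite database as a stand-in engine are all assumptions made for illustration.

```python
import sqlite3

# Hypothetical tool definition: fixed SQL text, named binds, declared parameter types.
TOOLS = {
    "orders_by_customer": {
        "description": "List orders for one customer ID, newest first.",
        "sql": "SELECT id, total FROM orders WHERE customer_id = :customer_id "
               "ORDER BY id DESC LIMIT :max_rows",
        "params": {"customer_id": int, "max_rows": int},
    },
}

def make_demo_db():
    """Constructed sample data in an in-memory SQLite database (stand-in engine)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, 10, 25.0), (2, 10, 40.0), (3, 11, 99.0)])
    return db

def run_tool(db, name, args):
    """Run a predefined tool: the caller supplies values only, never SQL text."""
    tool = TOOLS.get(name)
    if tool is None:
        raise KeyError(f"unknown tool: {name}")
    if set(args) != set(tool["params"]):
        raise ValueError(f"expected parameters {sorted(tool['params'])}")
    for key, expected in tool["params"].items():
        # bool is a subclass of int, so reject it explicitly for integer parameters
        if not isinstance(args[key], expected) or isinstance(args[key], bool):
            raise TypeError(f"{key} must be {expected.__name__}")
    # Values travel as bind variables; the statement text never changes.
    return db.execute(tool["sql"], args).fetchall()

def run_adhoc_concat(db, customer_id):
    """Anti-pattern for contrast: caller input is spliced into the SQL text."""
    return db.execute(
        f"SELECT id, total FROM orders WHERE customer_id = {customer_id}").fetchall()

if __name__ == "__main__":
    db = make_demo_db()
    print(run_tool(db, "orders_by_customer", {"customer_id": 10, "max_rows": 5}))
    print(run_adhoc_concat(db, "10 OR 1=1"))  # filter is bypassed: all rows come back
```

With the predefined tool, a value such as "10 OR 1=1" is rejected by the type check and would in any case be bound as data; in the concatenated form the same value changes the query and every customer's rows are returned.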