We at Cloudflare have aggressively adopted Model Context Protocol (MCP) as a core part of our AI strategy. This shift has moved well beyond our engineering organization, with employees across product, sales, marketing, and finance teams now using agentic workflows to drive efficiency in their daily tasks. But the adoption of agentic workflows with MCP is not without its security risks, which range from authorization sprawl and prompt injection to supply chain risk. To secure this broad company-wide adoption, we have integrated a series of security controls from both our Cloudflare One (SASE) platform and our Cloudflare Developer platform, allowing us to govern AI usage with MCP without slowing down our workforce.
In this blog we'll walk through our own best practices for securing MCP workflows, putting different components of our platform together to create a unified security architecture for the era of autonomous AI. We'll also share two new capabilities that help enterprise MCP deployments: Code Mode for MCP server portals, and shadow MCP discovery with Cloudflare Gateway.
We also discuss how our organization approached deploying MCP, and how we built out our MCP security architecture using Cloudflare products including remote MCP servers, Cloudflare Access, MCP server portals and AI Gateway.
Remote MCP servers provide better visibility and control
MCP is an open standard that enables developers to build a two-way connection between AI applications and the data sources they need to access. In this architecture, the MCP client is the integration point with the LLM or other AI agent, and the MCP server sits between the MCP client and the corporate resources.
The separation between MCP clients and MCP servers allows agents to autonomously pursue goals and take actions while maintaining a clear boundary between the AI (integrated at the MCP client) and the credentials and APIs of the corporate resource (integrated at the MCP server).
Our workforce at Cloudflare is constantly using MCP servers to access information in various internal resources, including our project management platform, our internal wiki, documentation and code management platforms, and more.
Very early on, we realized that locally-hosted MCP servers were a security liability. Local MCP server deployments may rely on unvetted software sources and versions, which increases the risk of supply chain attacks or tool injection attacks. They prevent IT and security administrators from administering these servers, leaving it up to individual employees and developers to choose which MCP servers they want to run and how they want to keep them up to date. This is a losing game.
Instead, we have a centralized team at Cloudflare that manages our MCP server deployment across the enterprise. This team built a shared MCP platform within our monorepo that provides governed infrastructure out of the box. When an employee wants to expose an internal resource via MCP, they first get approval from our AI governance team, and then they copy a template, write their tool definitions, and deploy, all while inheriting default-deny write controls with audit logging, auto-generated CI/CD pipelines, and secrets management for free. This means standing up a new governed MCP server is minutes of scaffolding. The governance is baked into the platform itself, which is what allowed adoption to spread so quickly.
Our CI/CD pipeline deploys them as remote MCP servers on custom domains on Cloudflare's developer platform. This gives us visibility into which MCP servers are being used by our employees, while maintaining control over software sources. As an added bonus, every remote MCP server on the Cloudflare developer platform is automatically deployed across our global network of data centers, so MCP servers can be accessed by our employees with low latency, regardless of where they might be in the world.
Cloudflare Access provides authentication
Some of our MCP servers sit in front of public resources, like our Cloudflare documentation MCP server or Cloudflare Radar MCP server, and thus we want them to be accessible to anyone. But many of the MCP servers used by our workforce sit in front of our private corporate resources. These MCP servers require user authentication to ensure that they are off limits to everyone but authorized Cloudflare employees. To achieve this, our monorepo template for MCP servers integrates Cloudflare Access as the OAuth provider. Cloudflare Access secures login flows and issues access tokens to resources, while acting as an identity aggregator that verifies end user single sign-on (SSO), multifactor authentication (MFA), and a variety of contextual attributes such as IP addresses, location, or device certificates.
MCP server portals centralize discovery and governance
MCP server portals unify governance and control for all AI activity.
As the number of our remote MCP servers grew, we hit a new wall: discovery. We wanted to make it easy for every employee (especially those that are new to MCP) to find and work with all the MCP servers that are available to them. Our MCP server portals product provided a convenient solution. The employee simply connects their MCP client to the MCP server portal, and the portal immediately reveals every internal and third-party MCP server they are authorized to use.
Beyond this, our MCP server portals provide centralized logging, consistent policy enforcement and data loss prevention (DLP) guardrails. Our administrators can see who logged into which MCP portal and create DLP rules that prevent certain data, like personally identifiable information (PII), from being shared with certain MCP servers.
We can also create policies that control who has access to the portal itself, and which tools from each MCP server should be exposed. For example, we could set up one MCP server portal that is only accessible to employees in our finance organization and exposes just the read-only tools of the MCP server in front of our internal code repository. Meanwhile, a different MCP server portal, accessible only to employees on our engineering team connecting from their corporate laptops, could expose the more powerful read/write tools of the same code repository MCP server.
An overview of our MCP server portal architecture is shown above. The portal supports both remote MCP servers hosted on Cloudflare and third-party MCP servers hosted anywhere else. What makes this architecture uniquely performant is that all of these security and networking components run on the same physical machine within our global network. When an employee's request moves through the MCP server portal, a Cloudflare-hosted remote MCP server, and Cloudflare Access, their traffic never needs to leave that machine.
Code Mode with MCP server portals reduces costs
After months of high-volume MCP deployments, we have paid out our fair share of tokens. We have also started to think most people are doing MCP wrong.
The standard approach to MCP requires defining a separate tool for every API operation that is exposed via an MCP server. But this static and exhaustive approach quickly exhausts an agent's context window, especially for large platforms with thousands of endpoints.
We previously wrote about how we used server-side Code Mode to power Cloudflare's MCP server, allowing us to expose the thousands of endpoints in the Cloudflare API while reducing token use by 99.9%. The Cloudflare MCP server exposes just two tools: a search tool lets the model write JavaScript to explore what is available, and an execute tool lets it write JavaScript to call the tools it finds. The model discovers what it needs on demand, rather than receiving everything upfront.
We like this pattern so much that we wanted to make it available to everyone. So we have now launched the ability to use the "Code Mode" pattern with MCP server portals. Now you can front all of your MCP servers with a centralized portal that performs audit controls and progressive tool disclosure, in order to reduce token costs.
Here is how it works. Instead of exposing every tool definition to a client, all of your underlying MCP servers collapse into just two MCP portal tools: portal_codemode_search and portal_codemode_execute. The search tool gives the model access to a codemode.tools() function that returns all the tool definitions from every connected upstream MCP server. The model then writes JavaScript to filter and explore these definitions, finding exactly the tools it needs without every schema being loaded into context. The execute tool provides a codemode proxy object where every upstream tool is available as a callable function. The model writes JavaScript that calls these tools directly, chaining multiple operations, filtering results, and handling errors in code. All of this runs in a sandboxed environment on the MCP server portal powered by Dynamic Workers.
Here is an example of an agent that needs to find a Jira ticket and update it with information from Google Drive. It first searches for the right tools:
// portal_codemode_search
async () => {
  // codemode.tools() returns every upstream tool definition; only the
  // filtered, trimmed result below enters the model's context.
  const tools = await codemode.tools();
  return tools
    .filter(t => t.name.includes("jira") || t.name.includes("drive"))
    .map(t => ({ name: t.name, params: Object.keys(t.inputSchema.properties || {}) }));
}
The model now knows the exact tool names and parameters it needs, without the full schemas of the tools ever entering its context. It then writes a single execute call to chain the operations together:
// portal_codemode_execute
async () => {
  // Each upstream tool is a callable function on the codemode proxy, named
  // after its server and tool.
  const tickets = await codemode.jira_search_jira_with_jql({
    jql: 'project = BLOG AND status = "In Progress"',
    fields: ["summary", "description"]
  });
  const doc = await codemode.google_workspace_drive_get_content({
    fileId: "1aBcDeFgHiJk"
  });
  await codemode.jira_update_jira_ticket({
    issueKey: tickets[0].key,
    fields: { description: tickets[0].description + "\n\n" + doc.content }
  });
  return { updated: tickets[0].key };
}
That is just two tool calls. The first discovers what is available, the second does the work. Without Code Mode, this same workflow would have required the model to receive the full schemas of every tool from both MCP servers upfront, and then make three separate tool invocations.
Let's put the savings in perspective: when our internal MCP server portal is connected to just four of our internal MCP servers, it exposes 52 tools that consume roughly 9,400 tokens of context just for their definitions. With Code Mode enabled, those 52 tools collapse into 2 portal tools consuming roughly 600 tokens, a 94% reduction. And critically, this cost stays fixed: as we connect more MCP servers to the portal, the token cost of Code Mode does not grow.
Code Mode can be activated on an MCP server portal by adding a query parameter to the URL. Instead of connecting to your portal over its usual URL (e.g. https://myportal.example.com/mcp), you append ?codemode=search_and_execute to the URL (e.g. https://myportal.example.com/mcp?codemode=search_and_execute).
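The two ideas above, per-portal tool exposure policies (the finance versus engineering portals) and the Code Mode search/execute surface, fit together in one small model. The following is an added example written for this post, not Cloudflare's portal implementation: it filters upstream tools by identity group and device posture, exposes only the survivors through a codemode.tools() function and a callable proxy, and, the point a practitioner should check, enforces the same policy on execute as on search. The server names, tool names, groups and the <server>_<tool> naming convention are assumptions made for the example.

```javascript
// Added example, not Cloudflare's portal code. Models an MCP server portal that
// (1) decides which upstream tools a user may see from group and device posture
// and (2) exposes only those through Code Mode-style tools() and a call proxy.
// Servers, tools, groups and the `<server>_<tool>` naming are assumptions.

// Constructed upstream tool definitions, shaped like tools/list results.
const UPSTREAMS = {
  jira: [
    { name: "search_jira_with_jql", readOnly: true,
      inputSchema: { type: "object", properties: { jql: {}, fields: {} } } },
    { name: "update_jira_ticket", readOnly: false,
      inputSchema: { type: "object", properties: { issueKey: {}, fields: {} } } },
  ],
  repo: [
    { name: "read_file", readOnly: true,
      inputSchema: { type: "object", properties: { path: {} } } },
    { name: "push_commit", readOnly: false,
      inputSchema: { type: "object", properties: { branch: {}, diff: {} } } },
  ],
};

// Per-portal policy: who may connect, and which upstream tools are exposed.
const PORTALS = {
  finance: {                        // read-only view of the code repository only
    groups: ["finance"],
    requireManagedDevice: false,
    allow: (server, def) => server === "repo" && def.readOnly,
  },
  engineering: {                    // full read/write, managed laptops only
    groups: ["engineering"],
    requireManagedDevice: true,
    allow: () => true,
  },
};

class PolicyError extends Error {
  constructor(msg) { super(msg); this.name = "PolicyError"; }
}

// Tools a user is authorized to see on a portal, renamed `<server>_<tool>`.
// Throws PolicyError if the user may not connect to the portal at all.
function visibleTools(portalName, user) {
  const portal = PORTALS[portalName];
  if (!portal) throw new PolicyError(`unknown portal ${portalName}`);
  if (!user.groups.some(g => portal.groups.includes(g))) {
    throw new PolicyError(`${user.email} is not in ${portal.groups.join(", ")}`);
  }
  if (portal.requireManagedDevice && !user.managedDevice) {
    throw new PolicyError(`${user.email} must connect from a managed device`);
  }
  const out = [];
  for (const [server, defs] of Object.entries(UPSTREAMS)) {
    for (const def of defs) {
      if (portal.allow(server, def)) {
        out.push({ name: `${server}_${def.name}`, server, tool: def.name,
                   readOnly: def.readOnly, inputSchema: def.inputSchema });
      }
    }
  }
  return out;
}

// The `codemode` object handed to model-written JavaScript. `forward` stands in
// for the portal relaying a tools/call request to the upstream server.
function buildCodemode(portalName, user, forward) {
  const allowed = new Map(visibleTools(portalName, user).map(t => [t.name, t]));
  return new Proxy({}, {
    get(_target, prop) {
      const name = String(prop);
      // Search side: the model filters definitions in code instead of having
      // every schema loaded into its context window.
      if (name === "tools") return async () => [...allowed.values()];
      // Execute side: a tool hidden from search must also be refused here.
      // Progressive disclosure is not authorization.
      return async (args = {}) => {
        const entry = allowed.get(name);
        if (!entry) throw new PolicyError(`${name} is not exposed on portal ${portalName}`);
        return forward(entry.server, entry.tool, args);
      };
    },
  });
}

// Runs both portals against a fake upstream that only records the calls.
async function demo() {
  const calls = [];
  const forward = async (server, tool, args) => { calls.push({ server, tool, args }); return { ok: true }; };
  const analyst = { email: "analyst@example.com", groups: ["finance"], managedDevice: false };
  const engineer = { email: "eng@example.com", groups: ["engineering"], managedDevice: true };

  const finance = buildCodemode("finance", analyst, forward);
  const financeSees = (await finance.tools()).map(t => t.name);   // ["repo_read_file"]
  let financeDenied = null;
  try { await finance.repo_push_commit({ branch: "main", diff: "" }); }
  catch (e) { financeDenied = e.name; }                           // "PolicyError"
  await finance.repo_read_file({ path: "README.md" });

  const eng = buildCodemode("engineering", engineer, forward);
  await eng.repo_push_commit({ branch: "main", diff: "" });       // permitted
  return { financeSees, financeDenied, calls };
}
```

The finance portal lists a single tool and refuses a write even when the model guesses the hidden tool's name, which is the check worth adding to any portal or gateway that relies on tool disclosure for scoping. The engineering portal rejects the same user on an unmanaged device before any tool list is produced, matching the device-posture condition described above.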
AI Gateway provides extensibility and cost controls
We aren't done yet. We plug AI Gateway into our architecture by positioning it on the connection between the MCP client and the LLM. This allows us to quickly swap between various LLM providers (to prevent vendor lock-in) and to enforce cost controls (by limiting the number of tokens each employee can burn through). The full architecture is shown below.
Cloudflare Gateway discovers and blocks shadow MCP
Now that we have provided governed access to authorized MCP servers, let's look at dealing with unauthorized MCP servers. We can perform shadow MCP discovery using Cloudflare Gateway. Cloudflare Gateway is our comprehensive secure web gateway that provides enterprise security teams with visibility and control over their employees' Internet traffic.
We can use the Cloudflare Gateway API to perform a multi-layer scan to find remote MCP servers that aren't being accessed via an MCP server portal. This is possible using a variety of existing Gateway and Data Loss Prevention (DLP) selectors, including:
- Using the Gateway Host selector to scan for known MCP server hostnames (like mcp.stripe.com) and for mcp.* subdomains using wildcard hostname patterns
- Using the Gateway URL (http.request.uri) selector to scan for MCP-specific URL paths like /mcp and /mcp/sse
- Using DLP-based body inspection to find MCP traffic, even when that traffic uses URIs that don't contain the telltale mentions of mcp or sse. Specifically, we use the fact that MCP uses JSON-RPC over HTTP, which means every request contains a "method" field with values like "tools/call", "prompts/get", or "initialize". Here are some regex rules that can be used to detect MCP traffic in the HTTP body:
// Custom DLP profile entries. Each regex matches the JSON-RPC "method" field
// (or the protocolVersion sent during initialize) of an MCP request body.
// \s{0,5} tolerates the whitespace serializers may put around the colon.
const DLP_REGEX_PATTERNS = [
  {
    name: "MCP Initialize Method",
    regex: '"method"\\s{0,5}:\\s{0,5}"initialize"',
  },
  {
    name: "MCP Tools Call",
    regex: '"method"\\s{0,5}:\\s{0,5}"tools/call"',
  },
  {
    name: "MCP Tools List",
    regex: '"method"\\s{0,5}:\\s{0,5}"tools/list"',
  },
  {
    name: "MCP Resources Read",
    regex: '"method"\\s{0,5}:\\s{0,5}"resources/read"',
  },
  {
    name: "MCP Resources List",
    regex: '"method"\\s{0,5}:\\s{0,5}"resources/list"',
  },
  {
    name: "MCP Prompts List",
    regex: '"method"\\s{0,5}:\\s{0,5}"prompts/(list|get)"',
  },
  {
    name: "MCP Sampling Create Message",
    regex: '"method"\\s{0,5}:\\s{0,5}"sampling/createMessage"',
  },
  {
    name: "MCP Protocol Version",
    regex: '"protocolVersion"\\s{0,5}:\\s{0,5}"202[4-9]',
  },
  {
    name: "MCP Notifications Initialized",
    regex: '"method"\\s{0,5}:\\s{0,5}"notifications/initialized"',
  },
  {
    name: "MCP Roots List",
    regex: '"method"\\s{0,5}:\\s{0,5}"roots/list"',
  },
];
The Gateway API supports additional automation. For example, one can use the custom DLP profile we defined above to block traffic, to redirect it, or just to log and inspect MCP payloads. Put this together, and Gateway can be used to provide comprehensive detection of unauthorized remote MCP servers accessed via an enterprise network.
For more information on how to build this out, see this tutorial.
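To see what the body-inspection layer actually catches and misses, the following added example (written for this post, not part of Cloudflare's Gateway or DLP code) generates the same "method" and protocolVersion patterns as the profile above, compiles them, and runs them over a handful of constructed HTTP request bodies: three MCP JSON-RPC messages, including one with whitespace around the colon, plus two non-MCP JSON bodies that must not fire. The rule names and sample bodies are constructed for the example.

```javascript
// Added example, not Cloudflare's Gateway/DLP code: runs MCP JSON-RPC method
// patterns over constructed HTTP bodies the way a body-inspection rule would.

// JSON-RPC methods defined by MCP that a client may POST to a server.
const MCP_METHODS = [
  "initialize", "notifications/initialized", "tools/list", "tools/call",
  "resources/list", "resources/read", "prompts/list", "prompts/get",
  "sampling/createMessage", "roots/list",
];

// Same shape as the DLP profile entries: a rule name plus a regex string.
// \s{0,5} tolerates whitespace that serializers may put around the colon.
const MCP_DLP_PATTERNS = [
  ...MCP_METHODS.map(m => ({
    name: `MCP method ${m}`,
    regex: `"method"\\s{0,5}:\\s{0,5}"${m}"`,
  })),
  { name: "MCP Protocol Version", regex: '"protocolVersion"\\s{0,5}:\\s{0,5}"202[4-9]' },
];

const COMPILED = MCP_DLP_PATTERNS.map(p => ({ name: p.name, re: new RegExp(p.regex) }));

// Returns the names of every rule that matches the body; empty means no MCP seen.
function detectMcp(body) {
  return COMPILED.filter(p => p.re.test(body)).map(p => p.name);
}

// Constructed request bodies. The first three are MCP (Streamable HTTP POSTs);
// the last two are JSON-RPC or plain JSON that must not trigger the profile.
const SAMPLES = {
  initialize: '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"cli","version":"1.0"}}}',
  toolsCallSpaced: '{"jsonrpc": "2.0", "id": 2, "method" : "tools/call", "params": {"name": "search", "arguments": {"q": "x"}}}',
  notification: '{"jsonrpc":"2.0","method":"notifications/initialized"}',
  ethRpc: '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
  restJson: '{"query":"tools/call is a string in a comment, not a method field"}',
};

// Scans every sample and returns { label: [matched rule names] }.
function scanSamples() {
  const out = {};
  for (const [label, body] of Object.entries(SAMPLES)) out[label] = detectMcp(body);
  return out;
}
```

Two caveats a practitioner should keep in mind when deploying this profile. First, Gateway can only inspect the body when TLS decryption is enabled for the traffic in question; hostname and URL selectors still work without it. Second, the patterns key on JSON-RPC method names, and "initialize" in particular is also used by other JSON-RPC protocols such as the Language Server Protocol, so treat a lone initialize hit as lower confidence than tools/list, tools/call or a protocolVersion match, and prefer logging over blocking until the rule set has been tuned against your own traffic.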
Public-facing MCP servers are protected with AI Security for Apps
So far, we have focused on protecting our workforce's access to our internal MCP servers. But, like many other organizations, we also have public-facing MCP servers that our customers can use to agentically administer and operate Cloudflare products. These MCP servers are hosted on Cloudflare's developer platform. (You can find a list of individual MCP servers for specific products here, or refer back to our new approach for providing more efficient access to the entire Cloudflare API using Code Mode.)
We believe that every organization should publish official, first-party MCP servers for their products. The alternative is that your customers source unvetted servers from public repositories, where packages may contain dangerous trust assumptions, undisclosed data collection, and any range of unsanctioned behaviors. By publishing your own MCP servers, you control the code, update cadence, and security posture of the tools your customers use.
Since every remote MCP server is an HTTP endpoint, we can put it behind the Cloudflare Web Application Firewall (WAF). Customers can enable the AI Security for Apps feature within the WAF to automatically inspect inbound MCP traffic for prompt injection attempts, sensitive data leakage, and topic classification. Public-facing MCP servers are protected just like any other web API.
The future of MCP in the enterprise
We hope our experience, products, and reference architectures will be useful to other organizations as they continue along their own journey towards broad enterprise-wide adoption of MCP.
We have secured our own MCP workflows by:
- Offering our developers a templated framework for building and deploying remote MCP servers on our developer platform, using Cloudflare Access for authentication
- Ensuring secure, identity-based access to authorized MCP servers by connecting our entire workforce to MCP server portals
- Controlling costs by using AI Gateway to mediate access to the LLMs powering our workforce's MCP clients, and using Code Mode in MCP server portals to reduce token consumption and context bloat
- Discovering shadow MCP usage through Cloudflare Gateway
For organizations advancing on their own enterprise MCP journeys, we recommend starting by putting your existing remote and third-party MCP servers behind Cloudflare MCP server portals and enabling Code Mode, to start benefiting from cheaper, safer and simpler enterprise deployments of MCP.
Acknowledgements: This reference architecture and blog represent the work of many people across many different roles and business units at Cloudflare. This is only a partial list of contributors: Ann Ming Samborski, Kate Reznykova, Mike Nomitch, James Royal, Liam Reese, Yumna Moazzam, Simon Thorpe, Rian van der Merwe, Rajesh Bhatia, Ayush Thakur, Gonzalo Chavarri, Maddy Onyehara, and Haley Campbell.