Understanding MCP Policies
Overview
Policy Categories
1. Connection Control Policies
2. Tool Execution Policies
3. Resource Access Policies
4. Prompt Execution Policies
5. Built-in MCP request/response message audit policies
MCP Protection Policies – Use Cases
Prerequisites
MCP Connection Control
Deny Client Connection to stdio Server
Policy Configuration
Running MCP Client with MCP stdio Server
Expected Behavior
Policy Configuration
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Deny stdio with Exception
Policy Configuration
Running MCP Client with MCP stdio Server
Expected Behavior
Deny Client Connection to HTTP Server
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Deny HTTP Server with Exception
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Deny Any MCP Server Connection Without Authentication
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
MCP Tool Execution Control
Tool Overwrite - Denied tools are excluded from the tool/list
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Deny Specific Tool from Specific MCP Server
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Tool Argument Pattern Detection
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Tool Response Pattern Detection
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
MCP Resource Access Control
Deny Specific Resource
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
MCP Prompt Execution Control
Deny Specific Prompt
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Prompt Argument Pattern Detection
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Prompt Response Pattern Detection
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Result
OTEL Violation (Observe)
OTEL Violation (Enforce)
Message Size Violation
Policy Configuration
Running MCP Client with MCP HTTP Server
Expected Behavior
Mode
Behavior
OTEL Violation (Observe)
Summary
Mode
Behavior