72% of Remote MCP Servers Accept Unauthenticated Requests

March 2026 · AgentGrade Research

We scanned 1,321 remote MCP server endpoints and graded 1,192 of them on security. 71.7% require no authentication—anyone on the internet can connect and invoke every tool. 86% are missing a Content-Security-Policy header. The most common grade is D.

These are not obscure hobby projects. They are listed on Smithery, the MCP Registry, and npm. If you have connected an MCP server to Claude or Cursor in the past six months, there is a reasonable chance it is in this dataset.

Grade Distribution

Of the 1,192 remote MCP servers we graded:

Grade  Count  Percent  What it means
A      33     2.8%     Strong security posture across all checks
B      379    31.8%    Minor issues, generally well-configured
C      346    29.0%    Multiple missing protections
D      433    36.3%    Significant security gaps
F      1      0.1%     Critical failures

D is the single most common grade, assigned to more than a third of all servers. Fewer than 3% scored an A. The average score across all graded remote endpoints is 60.8 out of 100.

What We Found

Each server was checked across several categories. These numbers represent the latest scan for each of the 1,321 remote endpoints.

Authentication

71.7% of servers (947 of 1,321) require no authentication.

This means anyone who knows the endpoint URL can connect and call any tool the server exposes. For MCP servers, tools can include file operations, database queries, API calls, and code execution. No authentication means no access control, no audit trail, and no way to revoke access.

The MCP specification added an authorization framework (OAuth 2.1-based) in March 2025. Many of the servers in this dataset predate that addition or were built from templates and tutorials that did not include it.

Security Headers

The numbers here are stark:

Header                            Missing  Percent
Content-Security-Policy           1,136    86.0%
X-Frame-Options                   1,079    81.7%
X-Content-Type-Options            1,038    78.6%
Strict-Transport-Security (HSTS)  963      72.9%

89.5% of servers are missing at least one of CSP, HSTS, or X-Frame-Options. These headers are not difficult to add. Most web frameworks include middleware that sets them in a single line of configuration. Their absence suggests that many MCP server authors are not thinking about HTTP-level security at all, which is consistent with the MCP ecosystem's origins in local stdio-based tools that were never designed for network exposure.

CORS Configuration

35.1% of servers (464 of 1,321) return a CORS wildcard (Access-Control-Allow-Origin: *).

A CORS wildcard means any website can make authenticated cross-origin requests to the server. If a user visits a malicious page while their browser has credentials for an MCP server, that page can silently invoke the server's tools. This is the browser-equivalent of leaving your front door open.

Admin Exposure and Credentials

17.2% of servers (227 of 1,321) expose administrative endpoints to the public internet. These include management interfaces, configuration panels, and debug endpoints that should never be reachable outside a private network.

Three servers (0.2%) were found leaking credentials—API keys or tokens visible in HTTP responses.

HTTPS

99.7% of servers do use HTTPS, which is the one bright spot. Only 4 of 1,321 endpoints were served over plain HTTP. Credit where it is due.

What This Means

If you use MCP servers with Claude, Cursor, or another AI client: Check whether the servers you have connected are in this dataset. Search by name or URL at agentgrade.net. If your server scored below a B, consider whether the tools it exposes warrant tighter access control.

If you are building an MCP server: The minimum security bar for a server exposed to the internet should include authentication (the MCP spec now supports OAuth 2.1), security headers (one middleware call in most frameworks), and restrictive CORS (list specific origins, not *). None of this is novel web security. It is the same baseline we expect from any HTTP API.
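The three-part baseline above, as an added Python sketch that is not code from AgentGrade or from any MCP SDK: a WSGI wrapper that rejects requests without a valid bearer token, sets the four headers from the table, and answers CORS only for listed origins. The static token (a stand-in for OAuth 2.1 token validation), the `https://client.example` origin, the header values, and the names `harden`, `tool_app` and `call` are assumptions made for illustration.

```python
import hmac
import os

# Assumptions (not from the page): one static bearer token, one allowed origin.
# A production server would validate OAuth 2.1 access tokens instead.
API_TOKEN = os.environ.get("MCP_API_TOKEN", "constructed-demo-token")
ALLOWED_ORIGINS = {"https://client.example"}  # hypothetical client origin

SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

def harden(app):
    """Wrap a WSGI app: bearer auth, security headers, allowlist-only CORS."""
    def wrapped(environ, start_response):
        extra = list(SECURITY_HEADERS)
        origin = environ.get("HTTP_ORIGIN", "")
        if origin in ALLOWED_ORIGINS:  # echo only listed origins, never "*"
            extra += [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
            if environ["REQUEST_METHOD"] == "OPTIONS":
                # Preflights carry no Authorization header; answer them here.
                extra += [("Access-Control-Allow-Methods", "POST, GET"),
                          ("Access-Control-Allow-Headers", "Authorization, Content-Type")]
                start_response("204 No Content", extra)
                return [b""]
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "bearer" or not hmac.compare_digest(
                token.encode(), API_TOKEN.encode()):  # constant-time comparison
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")] + extra)
            return [b""]
        return app(environ, lambda status, headers, exc_info=None:
                   start_response(status, list(headers) + extra, exc_info))
    return wrapped

def tool_app(environ, start_response):
    """Stand-in for the MCP endpoint (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"result": "tool output"}']

def call(app, method="POST", **request_headers):
    """Invoke a WSGI app in-process; returns (status, response header dict)."""
    environ = {"REQUEST_METHOD": method}
    environ.update({"HTTP_" + k.upper(): v for k, v in request_headers.items()})
    seen = []
    b"".join(app(environ, lambda s, h, exc=None: seen.append((s, dict(h)))))
    return seen[0]
```

`call(harden(tool_app), authorization="Bearer " + API_TOKEN)` exercises the wrapper in-process; any WSGI server can serve `harden(tool_app)` behind TLS.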

If you run a registry that lists MCP servers: You are curating a directory of services that developers connect to AI agents with broad capabilities. An entry in your registry is an implicit endorsement. Consider whether security posture should factor into listing criteria.

Methodology

Sources: We crawled the MCP Registry, Smithery, and npm for packages advertising MCP server functionality. We identified 23,276 total records, of which 1,321 had live remote HTTP or SSE endpoints.

What "remote" means: These are servers accessible over the internet via HTTP or Server-Sent Events. We excluded stdio-based servers (which run locally and have a fundamentally different threat model) and registry pages without scannable endpoints.

Scanning: For each reachable endpoint, we performed 14 automated checks covering authentication, HTTPS, security headers, CORS policy, admin endpoint exposure, credential leakage, server header disclosure, error information leakage, open redirects, and directory listing. Scans were non-intrusive—we did not attempt exploitation, injection, or authentication bypass.

Grading: Each check contributes to a 100-point score, which maps to a letter grade. The grading methodology is documented at agentgrade.net/watch/methodology.

Limitations: This is a point-in-time snapshot. Four of our 14 checks (server header leak, error leak, open redirect, directory listing) returned zero findings across all servers, which may indicate those checks need calibration rather than that zero servers have those issues. A grade measures observable security posture from the outside—it does not assess code quality, runtime behavior, or whether a vulnerability is actively exploitable.

The Data

The full dataset is free and searchable at agentgrade.net. Look up any MCP server by name, see its grade, and drill into the individual check results.

We built AgentGrade because we wanted a public, freely accessible answer to the question "is this MCP server safe to connect to?" The data shown here comes from 1,321 real endpoints. We plan to run scans continuously and expand coverage as the ecosystem grows.

What should the minimum security bar be for MCP servers listed in public registries?