MCP Hub
Back to servers

mcp-guard

An HTTP proxy that secures MCP servers by intercepting tool calls and blocking requests based on configurable keyword patterns. It provides a simple way to prevent destructive operations on upstream servers like databases through a JSON-based gate system.

glama
APIs & ServicesData & AnalyticsDatabasesDevelopment Tools
Stars
2
Updated
Feb 27, 2026
Validated
Mar 1, 2026
View Source
Claim this server
CleanShot 2026-02-27 at 13 39 30@2x

mcp-guard

A simple HTTP proxy that gates MCP servers with block rules.

No SDKs. No dashboards. Just a JSON config and a toggle command.

Client (Claude, Cursor, etc.)
    ↕ http
mcp-guard (localhost proxy)
    ↕ http
Upstream MCP server (supabase, postgres, etc.)

Quick Start

1. Install

npm install -g @alramalho/mcp-guard

Or from source:

git clone https://github.com/alramalho/mcp-guard
cd mcp-guard
pnpm install && pnpm build && npm link --force

2. Create .mcp-guard.json

In your project root (or ~/.mcp-guard.json globally). Config is auto-discovered by walking up from cwd.

{
  "port": 6427,
  "servers": {
    "supabase_production": {
      "url": "https://mcp.supabase.com/mcp?project_ref=xxx&read_only=true",
      "block": ["DELETE", "UPDATE", "DROP", "TRUNCATE", "ALTER", "INSERT"],
      "blockMessage": "Destructive SQL operations are not allowed in production"
    }
  }
}

3. Update your mcp.json

Replace the direct upstream URL with the mcp-guard proxy:

{
  "mcpServers": {
    "supabase_production": {
      "type": "http",
      "url": "http://localhost:6427/supabase_production"
    }
  }
}

4. Toggle on/off

$ mcp-guard
MCP Guard on → http://localhost:6427

$ mcp-guard
MCP Guard off

Debug mode

Run in foreground to see all tool calls and block decisions live:

$ mcp-guard -d

Config

.mcp-guard.json (auto-discovered from cwd up, or ~/.mcp-guard.json, or --config <path>):

FieldTypeDefaultDescription
portnumber6427Port for the local HTTP proxy
serversobjectMap of gate name → server config

Each server:

FieldTypeDescription
urlstringUpstream MCP server URL
enabledbooleanSet to false to passthrough without blocking
blockstring[]Patterns to block (case-insensitive substring match)
blockMessagestringError message returned when blocked

How It Works

  1. mcp-guard starts a local HTTP server
  2. When a client connects to http://localhost:PORT/<gate_name>, it connects to the upstream MCP server
  3. It discovers all upstream tools and re-exposes them
  4. On each tool call, all argument values are checked against block patterns
  5. If any pattern matches → error returned, call never reaches upstream
  6. If no match → call is forwarded to upstream as-is

License

MIT

Reviews

No reviews yet

Sign in to write a review