Security Overview
MCP-Go-MSSQL implements multiple security layers to protect databases in production environments.
Security features
Section titled “Security features”Database security
Section titled “Database security”- Mandatory TLS encryption for all connections in production
- SQL Injection protection with exclusive prepared statements
- Connection pooling with limits to prevent resource exhaustion
- Configurable connection timeouts
Application security
Section titled “Application security”- Secure logging with automatic sanitization of sensitive data
- Secure error handling — generic messages to the client, details in internal logs
- Input validation with query size limits
- Multi-table validation — detects unauthorized access via JOINs/subqueries
Access control
Section titled “Access control”- Read-only mode — blocks INSERT/UPDATE/DELETE
- Table whitelist — granular control over modifiable tables
- Role-based configuration — different configs for different environments
Authentication
Section titled “Authentication”- Multiple methods — SQL Server, Windows Integrated (SSPI), custom connection strings
- Dev/prod modes — different levels of TLS strictness
- Environment variables — credentials never in source code
- Configuration templates —
.env.examplewith secure defaults
Compliance
Section titled “Compliance”- OWASP Top 10 (2021)
- CWE Top 25 (2024)
- NIST Cybersecurity Framework
- Go database best practices
Best practices
Section titled “Best practices”- Use environment variables for all credentials
- Create a separate database for testing
- Set restrictive permissions (600) on
.envfiles - Enable read-only mode for AI access
- Monitor security logs regularly
- Keep dependencies up to date
- Hardcode credentials in source code
- Use the production database for testing
- Commit
.envorconfig.jsonto Git - Deploy with
DEVELOPER_MODE=truein production - Disable TLS/encryption
- Log sensitive data