Enforce security best practices before deployment
- Last Updated: May 8, 2026
- 1 minute read
- OpenEdge
- Version 13.0
- Documentation
After you have set up and validated the OpenEdge MCP Server in your development environment,
the next step is to secure and harden your deployment before moving to production.
Securing your OpenEdge MCP Server is essential to protect sensitive data, ensure
compliance, and maintain operational integrity. This section outlines the critical
security controls you must enforce before deploying to production. Follow each step in
the checklist to harden your environment and meet organizational and industry standards.
For detailed steps and configuration examples, refer to the references provided.
| Step | Action | Purpose | References |
|---|---|---|---|
| 1 | Enable TLS or mTLS | Enabling TLS or mTLS ensures that all network traffic is encrypted and that both client and server identities are verified. Production environments must never allow plain text communication. | |
| 2 | Configure service account authentication | Configuring service account authentication restricts access to authorized clients by requiring JWT tokens for every request. | |
| 3 | Define and enforce scopes | Defining and enforcing scopes limits access to tools based on user roles and functions, following the principle of least privilege. | |
| 4 | Rotate keys and tokens regularly | Rotating keys and tokens on a regular schedule helps prevent credential misuse and supports compliance with security policies. | |
| 5 | Vault secrets securely | Vaulting secrets ensures that private keys and tokens are protected from unauthorized access and accidental leakage. | |
| 6 | Harden runtime guardrails | Hardening runtime guardrails limits the size of responses and disables unsafe operations to reduce the risk of abuse. | |
| 7 | Restrict write routes | Restricting write routes minimizes risk by disabling unnecessary write operations in the production environment. | |
| 8 | Sanitize logs | Sanitizing logs prevents sensitive data from being exposed in log files by redacting confidential fields and disabling verbose payload logging. | |
| 9 | Pin Docker image digests | Pinning Docker image digests locks your deployment to known, secure versions and prevents supply chain tampering. | |
| 10 | Validate authentication headers | Validating authentication headers ensures that all clients use the correct headers for secure access to the MCP Server. | |
| 11 | Run security checks and smoke tests | Running security checks and smoke tests helps detect misconfigurations and security gaps before deployment. |