Hardening actions
- Last Updated: March 23, 2026
- OpenEdge
- Version 12.8
You apply hardening actions to a profile before export or during its transition from development to production. Hardening ensures that the deployment artifact is secure, optimized, and aligned with production standards.
The `./mcpgen harden <profile_name>` command can be executed either before export or on a development profile that is evolving toward production readiness. Hardening removes unnecessary components, enforces security measures, and improves supply chain integrity.
The following actions are applied during hardening:
| Action | Description |
|---|---|
| Drop verbose configuration | Prevents leaking default settings that may reveal unused features |
| Remove client directory | Avoids accidental misuse of embedded Service Account tokens |
| Replace image tag with digest | Ensures supply chain integrity by using immutable image references |
Production configuration examples
The following examples demonstrate different levels of hardening for production environments.
- This example shows full production configuration with authentication, TLS, and all hardening features:

```json
{
  "api": {
    "openapi": { "spec_file": "/work/server/openapi_oeping.yml" }
  },
  "security": {
    "authentication": {
      "enabled": true,
      "service_account": {
        "enabled": true,
        "required": true,
        "mode": "jwt",
        "header": "X-OEMCP-SERVICEACCOUNT",
        "issuer": "https://your-auth-server.com",
        "required_scopes": ["mcp_access"],
        "jwks_uri": "https://your-auth-server.com/.well-known/jwks.json",
        "algorithms": ["RS256"],
        "jwks_cache_seconds": 300
      },
      "user_auth": { "enabled": false }
    }
  },
  "runtime": {
    "max_request_bytes": 10240,
    "server": {
      "name": "openedge-mcp-production",
      "transport": {
        "type": "streamable-http",
        "host": "0.0.0.0",
        "port": 8500,
        "path": "/http",
        "tls": {
          "certfile": "/work/certs/localhost.pem",
          "keyfile": "/work/certs/localhost-key.pem",
          "require_client_cert": false
        }
      }
    },
    "http": {
      "base_url": "http://3.13.139.192:8810",
      "response_guard": {
        "enabled": true,
        "mode": "trim",
        "max_array_items": 50,
        "max_response_bytes": 1048576
      },
      "limits": { "max_connections": 100, "max_keepalive_connections": 20 },
      "tls": {
        "certs_dir": "/work/certs",
        "insecureSkipVerify": false,
        "ignoreHostVerification": false
      }
    },
    "middleware": {
      "error_handling": {
        "enabled": true,
        "transform_errors": true,
        "include_traceback": false
      },
      "logging": { "enabled": true, "structured": true, "include_payloads": false },
      "request_timeout": { "enabled": true, "timeout_ms": 500 },
      "method_validation": { "enabled": true },
      "circuit_breaker": {
        "enabled": true,
        "error_threshold": 0.5,
        "window_seconds": 60,
        "min_requests": 10
      },
      "rate_limiting": {
        "enabled": true,
        "max_requests_per_second": 10.0,
        "burst_capacity": 20,
        "global": false
      },
      "audit": {
        "enabled": true,
        "file": "/var/log/mcp/audit.log",
        "max_bytes": 10485760,
        "backup_count": 5,
        "mode": "append"
      }
    },
    "tools": {
      "param_validation": {
        "enabled": true,
        "max_total_bytes": 32768,
        "max_string_length": 4096,
        "patterns": [
          "javascript:",
          "data:text/html",
          "<script",
          "on[a-z]+=",
          "file:",
          "\\.\\./",
          "\\.\\.\\\\"
        ]
      }
    }
  },
  "assistant": {
    "prompts": { "dir": "/work/server/prompts" }
  },
  "observability": {
    "logging": {
      "level": "INFO",
      "json": true,
      "loggers": {
        "middleware.circuit_breaker": "WARNING",
        "middleware.timeout": "WARNING",
        "http.outbound": "INFO",
        "auth": "INFO"
      }
    }
  }
}
```

- This example shows minimal hardening configuration:

```json
{
  "api": {
    "openapi": {
      "spec_file": "openapi.yml",
      "base_url": "https://api.internal.example"
    }
  },
  "security": {
    "authentication": {
      "enabled": true,
      "service_account": {
        "enabled": true,
        "required": true,
        "mode": "jwt",
        "header": "X-OEMCP-SERVICEACCOUNT",
        "issuer": "https://auth.example.com",
        "required_scopes": ["api.read", "api.write"],
        "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
        "algorithms": ["RS256", "ES256"],
        "jwks_cache_seconds": 300
      },
      "user_auth": { "enabled": false }
    }
  },
  "runtime": {
    "max_request_bytes": 10240,
    "http": {
      "response_guard": {
        "enabled": true,
        "mode": "block",
        "max_array_items": 50,
        "max_response_bytes": 524288
      },
      "limits": { "max_connections": 100, "max_keepalive_connections": 20 },
      "tls": {
        "certs_dir": "/etc/mcp/downstream-certs",
        "insecureSkipVerify": false,
        "ignoreHostVerification": false
      },
      "accept_encoding": "none"
    },
    "middleware": {
      "error_handling": {
        "enabled": true,
        "transform_errors": true,
        "include_traceback": false
      },
      "logging": { "enabled": true, "structured": true, "include_payloads": false },
      "request_timeout": { "enabled": true, "timeout_ms": 500 },
      "method_validation": { "enabled": true },
      "circuit_breaker": {
        "enabled": true,
        "error_threshold": 0.5,
        "window_seconds": 60,
        "min_requests": 10
      },
      "rate_limiting": {
        "enabled": true,
        "max_requests_per_second": 5.0,
        "burst_capacity": 10,
        "global": false
      },
      "audit": {
        "enabled": true,
        "file": "/var/log/mcp/audit.log",
        "max_bytes": 1048576,
        "backup_count": 3,
        "mode": "append"
      }
    },
    "tools": {
      "param_validation": {
        "enabled": true,
        "max_total_bytes": 32768,
        "max_string_length": 4096,
        "patterns": [
          "javascript:",
          "data:text/html",
          "<script",
          "on[a-z]+=",
          "../"
        ]
      }
    }
  },
  "observability": {
    "logging": { "level": "INFO", "json": true }
  }
}
```
Key hardening features to enable
The following features should be enabled or configured for production environments:
| Feature | Default behavior | Recommendation |
|---|---|---|
| Request timeout | 500 ms, enabled by default | Keep default or adjust based on workload |
| Method validation | Enabled by default | Required for all deployments |
| Circuit breaker | Opt-in | Recommended for production environments |
| Rate limiting | Opt-in | Recommended for public-facing deployments |
| Payload size limits | 10 KB default | Adjust if handling larger payloads |
| Connection pool limits | Not specified | Configure based on expected concurrency |
| Response guards | Not specified | Enable to prevent unsafe responses |
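
The recommendations in this table can be checked mechanically against a profile's configuration before export. The following Python script is an added example, not part of mcpgen or the OpenEdge documentation: the key paths come from the configuration examples above and the absent-key defaults from the table, while the JWT algorithm check, the function names, and the `SAMPLE` profile are assumptions made for illustration.

```python
# (key path, hardened value, value assumed when the key is absent). Absent-key
# values follow the defaults table above; None means no default is stated there.
RULES = [
    ("security.authentication.enabled", True, None),
    ("runtime.http.tls.insecureSkipVerify", False, None),
    ("runtime.http.tls.ignoreHostVerification", False, None),
    ("runtime.http.response_guard.enabled", True, None),
    ("runtime.middleware.error_handling.include_traceback", False, None),
    ("runtime.middleware.logging.include_payloads", False, None),
    ("runtime.middleware.request_timeout.enabled", True, True),    # on by default
    ("runtime.middleware.method_validation.enabled", True, True),  # on by default
    ("runtime.middleware.circuit_breaker.enabled", True, False),   # opt-in
    ("runtime.middleware.rate_limiting.enabled", True, False),     # opt-in
]

def lookup(cfg, path):
    """Walk a dotted key path; return None when any segment is missing."""
    for key in path.split("."):
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def audit(cfg):
    """Return one finding per setting that does not hold its hardened value."""
    findings = []
    for path, wanted, default in RULES:
        value = lookup(cfg, path)
        value = default if value is None else value
        if value is None:
            findings.append(f"{path}: not set")
        elif value is not wanted:
            findings.append(f"{path}: {value!r}, expected {wanted!r}")
    # Added check, not from the table: a verifier that fetches public keys from
    # a JWKS URI should accept asymmetric algorithms only ("none" and HS* flagged).
    algs = lookup(cfg, "security.authentication.service_account.algorithms") or []
    findings += [f"service_account.algorithms: {a} not allowed"
                 for a in algs if a.lower() == "none" or a.upper().startswith("HS")]
    return findings

# Constructed sample: a development-style profile, not taken from the page.
SAMPLE = {
    "security": {"authentication": {"enabled": True, "service_account": {
        "algorithms": ["RS256", "HS256"]}}},
    "runtime": {"http": {"tls": {"insecureSkipVerify": True, "ignoreHostVerification": False}},
                "middleware": {"error_handling": {"include_traceback": True},
                               "logging": {"include_payloads": False},
                               "rate_limiting": {"enabled": True}}},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```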