MCP Guardian
Security, cost, and health governance proxy for MCP infrastructure. Enforces YAML-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, monitors server health with live JSON-RPC probes. Feature
What is MCP Guardian?
MCP Guardian is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to security, cost, and health governance proxy for mcp infrastructure. enforces yaml-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, monitor...
Security, cost, and health governance proxy for MCP infrastructure. Enforces YAML-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, monitors server health with live JSON-RPC probes. Feature
This server falls under the Security and Monitoring & Observability categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Security, cost, and health governance proxy for MCP infrastr
Use Cases
Maintainer
Works with
Installation
NPM
npx -y @mcp-guardian/serverManual Installation
npx -y @mcp-guardian/serverConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use MCP Guardian
MCP Guardian is a security, cost, and health governance proxy that wraps your existing MCP servers and enforces configurable policies before any tool call reaches them. It blocks dangerous patterns like shell injection, path traversal, and secret exfiltration using YAML-defined rules, tracks real token costs per call, monitors server health via live JSON-RPC probes, and logs every invocation to a local SQLite audit database. Developers and teams running multiple MCP servers use it to add a centralized security layer, enforce rate limits and token budgets, and get a web dashboard view of all MCP activity.
Prerequisites
- Node.js 18 or higher and npm installed
- At least one existing MCP server already configured in a supported client (Cursor, Claude Desktop, Cline, or Windsurf)
- Optional: Ollama running locally (http://127.0.0.1:11434) if you want AI-powered semantic policy features
- An MCP-compatible client such as Claude Desktop or Cursor
Install MCP Guardian globally
Install the @mcp-guardian/server package from npm. This makes the mcp-guardian CLI available system-wide.
npm install -g @mcp-guardian/server@latestRun the onboarding wizard
The onboard command auto-discovers MCP configurations for Cursor, Claude Desktop, Cline, and Windsurf and wraps them with the guardian proxy. The --apply flag writes the changes immediately.
mcp-guardian onboard --applyStart the guardian proxy
Start the MCP Guardian proxy and dashboard. By default the web UI is available at http://localhost:4000.
mcp-guardian startVerify your installation
Run the doctor command to validate that guardian is correctly intercepting your MCP servers and that all components are healthy.
mcp-guardian doctorConfigure security policies
Create or edit a YAML policy file to define rules. You can allow/block specific tools, set rate limits (maxCallsPerMinute), and add pattern-based blocklist rules. Point guardian to your policy file with MCP_GUARDIAN_POLICY.
version: '1.0'
policy:
mode: block
rules:
- name: allow-safe-tools
action: block
tools:
allow: [read_file, list_directory]
- name: rate-limit
maxCallsPerMinute: 60Review the audit dashboard
Open http://localhost:4000 in your browser to see the MCP Guardian web dashboard. It shows allowed/blocked calls, cost estimates, threat detection, security scoring, and operations metrics.
MCP Guardian Examples
Client configuration
After running mcp-guardian onboard --apply, your MCP client config will be updated automatically. The environment variables below configure the audit DB path, dashboard port, and policy file.
{
"mcpServers": {
"guardian": {
"command": "npx",
"args": ["-y", "@mcp-guardian/server"],
"env": {
"MCP_GUARDIAN_DB_PATH": "~/.mcp-guardian/history.db",
"DASHBOARD_PORT": "4000",
"MCP_GUARDIAN_POLICY": "/path/to/policy.yaml",
"MCP_GUARDIAN_RETENTION_DAYS": "30"
}
}
}
}Prompts to try
Example prompts that demonstrate MCP Guardian's governance capabilities when used alongside other MCP servers.
- "Show me all MCP tool calls blocked in the last 24 hours"
- "What is the total token cost from MCP calls this week?"
- "Are any of my MCP servers currently unhealthy or unresponsive?"
- "List any suspicious tool call patterns detected today"Troubleshooting MCP Guardian
mcp-guardian onboard does not detect my Claude Desktop or Cursor config
Ensure your MCP client config files exist at their default locations: ~/Library/Application Support/Claude/claude_desktop_config.json (Claude Desktop on macOS) or ~/.cursor/mcp.json (Cursor). Run mcp-guardian doctor after onboarding to confirm detection.
Dashboard at localhost:4000 is not accessible after mcp-guardian start
Check whether port 4000 is already in use with lsof -i :4000. Set a different port with the DASHBOARD_PORT environment variable before starting. Also ensure DASHBOARD_ENABLED is not set to false.
Policy file changes are not taking effect
MCP Guardian reads the policy file at startup. After editing your YAML policy, restart the guardian process with mcp-guardian start. Confirm the MCP_GUARDIAN_POLICY env var points to the correct absolute path.
Frequently Asked Questions about MCP Guardian
What is MCP Guardian?
MCP Guardian is a Model Context Protocol (MCP) server that security, cost, and health governance proxy for mcp infrastructure. enforces yaml-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, monitors server health with live json-rpc probes. feature It connects AI assistants to external tools and data sources through a standardized interface.
How do I install MCP Guardian?
Install via npm with the command: npx -y @mcp-guardian/server. Then add the server configuration to your AI client's JSON config file (e.g., claude_desktop_config.json or .cursor/mcp.json).
Which AI clients work with MCP Guardian?
MCP Guardian works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is MCP Guardian free to use?
Yes, MCP Guardian is open source and available under the MIT License license. You can use it freely in both personal and commercial projects.
MCP Guardian Alternatives — Similar Security Servers
Looking for alternatives to MCP Guardian? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up MCP Guardian in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use MCP Guardian?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.