Security

The Zscaler MCP Server enforces five independent layers of defense, each with its own configuration and its own audit posture:

Layer	What it controls
Write operations	Whether the server can mutate tenant state at all. Disabled by default; opt-in with --enable-write-tools and an explicit allowlist.
HMAC elicitation confirmations	Whether destructive actions require a tamper-proof confirmation token (defaults to on for delete operations).
MCP Client Authentication	Who can connect to the server over HTTP transports (JWT, API-key, Zscaler OneAPI, or OIDCProxy).
TLS and hardening	Transport-layer protection, host header validation, source-IP ACL, allowed origins.
Output sanitization	Stripping prompt-injection payloads (BiDi marks, zero-width chars, HTML, code fences with role tokens) from tool responses before they leave the wire.

This section documents each layer independently — they compose, and you should pick the right combination for your deployment.

• Write Operations
• MCP Client Authentication
• TLS and Hardening
• Output Sanitization
• Process Lifecycle Management

Security defaults

The server’s defaults are aggressive:

• Read-only. No write tools are registered unless you explicitly turn them on.

• HTTP transports require auth. ZSCALER_MCP_AUTH_ENABLED defaults to true for SSE and streamable-HTTP.

• TLS-or-localhost. Plaintext HTTP is rejected on non-localhost binds unless ZSCALER_MCP_ALLOW_HTTP=true is set explicitly.

• Host header allowlist. Every HTTP request is checked against ZSCALER_MCP_ALLOWED_HOSTS (defaults to the bind address only).

• Output sanitization is on. Every tool response runs through the three-stage sanitizer before serialization.

The fastest path to a known-secure deployment: start with stdio (no HTTP surface, all defaults apply), then layer in HTTP only where you need a remote agent.

What the server does NOT protect

• The credentials in your .env file. Use a secrets manager (GCP Secret Manager, Azure Key Vault, AWS Secrets Manager) for production deployments.

• The Zscaler API itself. Tool calls hit the live tenant; an authenticated agent with write tools enabled can change live policy.

• The MCP client’s prompt history. Conversation context is the responsibility of whichever AI assistant is connected.

See also

• Toolsets — limiting the tool surface area is the cheapest mitigation against an over-privileged agent.

• Troubleshooting Guide — diagnostics for auth failures.