IBM · crivetimihai · Aug 17, 2025 · Aug 16, 2025 · Aug 16, 2025 · Aug 17, 2025
@@ -82,13 +82,15 @@ PROTOCOL_VERSION=2025-03-26
 #####################################
 
 # Admin UI basic-auth credentials
+# PRODUCTION: Change these to strong, unique values!
 BASIC_AUTH_USER=admin
 BASIC_AUTH_PASSWORD=changeme
 
 # Require any form of authentication (true or false)
 AUTH_REQUIRED=true
 
 # Secret used to sign JWTs (use long random value in prod)
+# PRODUCTION: Use a strong, random secret (minimum 32 characters)
 JWT_SECRET_KEY=my-test-key
 
 # Algorithm used to sign JWTs (e.g., HS256)
@@ -119,9 +121,11 @@ AUTH_ENCRYPTION_SECRET=my-test-salt
 #####################################
 
 # Enable the visual Admin UI (true/false)
+# PRODUCTION: Set to false for security
 MCPGATEWAY_UI_ENABLED=true
 
 # Enable the Admin API endpoints (true/false)
+# PRODUCTION: Set to false for security
 MCPGATEWAY_ADMIN_API_ENABLED=true
 
 # Enable bulk import endpoint for tools (true/false)
@@ -157,6 +161,57 @@ ALLOWED_ORIGINS='["http://localhost", "http://localhost:4444"]'
 # Enable CORS handling in the gateway
 CORS_ENABLED=true
 
+# CORS allow credentials (true/false)
+CORS_ALLOW_CREDENTIALS=true
+
+# Environment setting (development/production) - affects security defaults
+# development: Auto-configures CORS for localhost:3000, localhost:8080, etc.
+# production: Uses APP_DOMAIN for HTTPS origins, enforces secure cookies
+ENVIRONMENT=development
+
+# Domain configuration for production CORS origins
+# In production, automatically creates origins: https://APP_DOMAIN, https://app.APP_DOMAIN, https://admin.APP_DOMAIN
+# For production: set to your actual domain (e.g., mycompany.com)
+APP_DOMAIN=localhost
+
+# Security settings for cookies
+# production: Automatically enables secure cookies regardless of this setting
+# development: Set to false for HTTP development, true for HTTPS
+SECURE_COOKIES=true
+
+# Cookie SameSite attribute for CSRF protection
+# strict: Maximum security, may break some OAuth flows
+# lax: Good balance of security and compatibility (recommended)
+# none: Requires Secure=true, allows cross-site usage
+COOKIE_SAMESITE=lax
+
+#####################################
+# Security Headers Configuration
+#####################################
+
+# Enable security headers middleware (true/false)
+SECURITY_HEADERS_ENABLED=true
+
+# X-Frame-Options setting (DENY, SAMEORIGIN, or ALLOW-FROM uri)
+# DENY: Prevents all iframe embedding (recommended for security)
+# SAMEORIGIN: Allows embedding from same domain only
+# To disable: Set to empty string X_FRAME_OPTIONS=""
+X_FRAME_OPTIONS=DENY
+
+# Other security headers (true/false)
+X_CONTENT_TYPE_OPTIONS_ENABLED=true
+X_XSS_PROTECTION_ENABLED=true
+X_DOWNLOAD_OPTIONS_ENABLED=true
+
+# HSTS (HTTP Strict Transport Security) settings
+HSTS_ENABLED=true
+# HSTS max age in seconds (31536000 = 1 year)
+HSTS_MAX_AGE=31536000
+HSTS_INCLUDE_SUBDOMAINS=true
+
+# Remove server identification headers (true/false)
+REMOVE_SERVER_HEADERS=true
+
 # Enable HTTP Basic Auth for docs endpoints (in addition to Bearer token auth)
 # Uses the same credentials as BASIC_AUTH_USER and BASIC_AUTH_PASSWORD
 DOCS_ALLOW_BASIC_AUTH=false

@@ -1389,7 +1389,7 @@ install-web-linters:
 nodejsscan:
 	@echo "🔒 Running nodejsscan for JavaScript security vulnerabilities..."
 	$(call ensure_pip_package,nodejsscan)
-	@$(VENV_DIR)/bin/nodejsscan --directory ./mcpgateway/static || true
+	@$(VENV_DIR)/bin/nodejsscan --directory ./mcpgateway/static --directory ./mcpgateway/templates || true
 
 lint-web: install-web-linters nodejsscan
 	@echo "🔍 Linting HTML files..."

@@ -1053,10 +1053,28 @@ You can get started by copying the provided [.env.example](.env.example) to `.en
 | Setting                   | Description                    | Default                                        | Options    |
 | ------------------------- | ------------------------------ | ---------------------------------------------- | ---------- |
 | `SKIP_SSL_VERIFY`         | Skip upstream TLS verification | `false`                                        | bool       |
-| `ALLOWED_ORIGINS`         | CORS allow-list                | `["http://localhost","http://localhost:4444"]` | JSON array |
+| `ENVIRONMENT`             | Deployment environment (affects security defaults) | `development`                              | `development`/`production` |
+| `APP_DOMAIN`              | Domain for production CORS origins | `localhost`                                 | string     |
+| `ALLOWED_ORIGINS`         | CORS allow-list                | Auto-configured by environment                 | JSON array |
 | `CORS_ENABLED`            | Enable CORS                    | `true`                                         | bool       |
+| `CORS_ALLOW_CREDENTIALS`  | Allow credentials in CORS      | `true`                                         | bool       |
+| `SECURE_COOKIES`          | Force secure cookie flags     | `true`                                         | bool       |
+| `COOKIE_SAMESITE`         | Cookie SameSite attribute      | `lax`                                          | `strict`/`lax`/`none` |
+| `SECURITY_HEADERS_ENABLED` | Enable security headers middleware | `true`                                     | bool       |
+| `X_FRAME_OPTIONS`         | X-Frame-Options header value   | `DENY`                                         | `DENY`/`SAMEORIGIN` |
+| `HSTS_ENABLED`            | Enable HSTS header             | `true`                                         | bool       |
+| `HSTS_MAX_AGE`            | HSTS max age in seconds        | `31536000`                                     | int        |
+| `REMOVE_SERVER_HEADERS`   | Remove server identification   | `true`                                         | bool       |
 | `DOCS_ALLOW_BASIC_AUTH`   | Allow Basic Auth for docs (in addition to JWT)         | `false`                                        | bool       |
 
+> **CORS Configuration**: When `ENVIRONMENT=development`, CORS origins are automatically configured for common development ports (3000, 8080, gateway port). In production, origins are constructed from `APP_DOMAIN` (e.g., `https://yourdomain.com`, `https://app.yourdomain.com`). You can override this by explicitly setting `ALLOWED_ORIGINS`.
+>
+> **Security Headers**: The gateway automatically adds configurable security headers to all responses including CSP, X-Frame-Options, X-Content-Type-Options, X-Download-Options, and HSTS (on HTTPS). All headers can be individually enabled/disabled. Sensitive server headers are removed.
+>
+> **iframe Embedding**: By default, `X-Frame-Options: DENY` prevents iframe embedding for security. To allow embedding, set `X_FRAME_OPTIONS=SAMEORIGIN` (same domain) or disable with `X_FRAME_OPTIONS=""`. Also update CSP `frame-ancestors` directive if needed.
+>
+> **Cookie Security**: Authentication cookies are automatically configured with HttpOnly, Secure (in production), and SameSite attributes for CSRF protection.
+>
 > Note: do not quote the ALLOWED_ORIGINS values, this needs to be valid JSON, such as:
 > ALLOWED_ORIGINS=["http://localhost", "http://localhost:4444"]
 >

@@ -236,7 +236,7 @@ Applications consuming data from MCP Gateway should:
 
 - **Never trust data implicitly** - validate all inputs
 - **Implement context-appropriate sanitization** for their UI framework
-- **Use Content Security Policy (CSP)** headers
+- **Use Content Security Policy (CSP)** headers (automatically provided by MCP Gateway)
 - **Escape data appropriately** for the output context (HTML, JavaScript, SQL, etc.)
 - **Implement their own authentication** and authorization
 - **Monitor for security anomalies** in rendered content
@@ -261,7 +261,9 @@ When deploying MCP Gateway in production:
 - [ ] Configure resource limits (CPU, memory) to prevent DoS attacks
 - [ ] Implement proper secrets management (never hardcode credentials)
 - [ ] Set up structured logging without exposing sensitive data
-- [ ] Configure CORS policies appropriately for your clients
+- [ ] Configure CORS policies appropriately for your clients (auto-configured by ENVIRONMENT setting)
+- [ ] Verify security headers are working (automatically added by SecurityHeadersMiddleware)
+- [ ] Configure iframe embedding policy (X-Frame-Options: DENY by default, set to SAMEORIGIN if embedding needed)
 - [ ] Disable debug mode and verbose error messages in production
 - [ ] Implement backup and disaster recovery procedures
 - [ ] Document incident response procedures