Yaw MCP Blog

Articles on running MCP servers in production.

The Postgres MCP everyone is still using has a known SQLi

~500,000 monthly downloads of @modelcontextprotocol/server-postgres -- a deprecated server with a published stacked-query SQL injection that the BEGIN READ ONLY wrapper does not catch. Why string-parser defenses lose, the structural fix via the extended query protocol, and a drop-in replacement that ships it.

An Alternative to the Official AWS MCP Server

AWS just GA'd their MCP server. Here is a Node-only alternative with a device-code SSO re-login that survives Windows browser-handoff drops, CCAPI CRUD with dry-run diffs, multi-region fan-out in one call, IAM pre-flight checks, and a JS scripting sandbox.

Getting Started with MCP: Connect Your AI to Your Tools in 10 Minutes

What MCP is, why it matters, and a 10-minute walkthrough that connects your AI assistant to files on your machine - works in Claude Desktop, Cursor, VS Code with GitHub Copilot, and any other MCP client. Plus where to go when editing JSON config by hand stops scaling.

The MCP Server Security Checklist: 10 Practices for Production

SSRF defense, credential handling, tenant isolation, rate limiting, dependency pinning, and more - the 10-point checklist for hardening an MCP server before it goes to production.

How to Test an MCP Server for Spec Compliance in One Command

One npx command, a full compliance suite, a letter grade. How @yawlabs/mcp-compliance catches protocol-level bugs your CI pipeline misses - with CI integration, badges, and Claude Code MCP-server mode.

OAuth Is Where Remote MCP Servers Break in Production

Token refresh mid-session, reconnect session persistence, multi-tenant isolation, API key rotation without downtime, per-tenant rate limiting - the five auth failure modes that split "works locally" from "works in production".

We Tested MCP Servers Against the 2025-11-25 Spec - Here Is What We Found

An 88-test compliance suite across 8 categories - including 23 on security alone. What most MCP servers get right, where they fall apart, and five suggestions for the spec.

The Hidden Cost of 200 MCP Tools in Context

Every MCP tool definition costs tokens, money, latency, and LLM attention. Here is the math on what 136 tools actually cost - and how to cut it by 60%.

Managing MCP Servers Across a Team

N developers × M servers × P machines = config drift, secret sprawl, and onboarding friction. Here is how centralized config solves it.

Stop Juggling MCP Servers

mcp.hosting is one install that orchestrates all your MCP servers. One config entry, one token, cloud-managed everything else.

The Complete Guide to MCP Server Configuration

How .mcp.json works, where every client stores config, project vs. global scopes, and the gotchas that trip people up.