MCP stateless headers can leak secrets into every proxy log: the security checklist I run 22 days before July 28
The 2026-07-28 MCP spec drops sticky sessions and routes on Mcp-Method and Mcp-Name headers. That is a scaling win and a new exfiltration surface. Akamai and SecurityWeek flagged desync risk and accidental API-key mapping into headers visible to load balancers. Here is the pre-GA security checklist I run on gateways and remote servers.
In this post (7 sections)
Introduction
I spent June writing the four-week stateless migration checklist for teams deleting Redis session stores. That post assumes your biggest risk is a 502 when round-robin lands on the wrong instance. July brought a second risk profile: headers that carry routing metadata are now part of the security boundary, and every hop between client and server can log them.
The MCP release candidate locked May 21. Final publication is July 28, 2026. If you operate a remote MCP server behind a gateway, the transport rework is not just compatibility work. Request routing integrity, cross-user cache scope, and what gets written into Mcp-Method and Mcp-Name are security properties. This post is the security pass I run after the handle migration pass.
What changed in the stateless transport (security-relevant pieces)
- Mcp-Method and Mcp-Name headers are required so gateways route without parsing bodies (SEP-2575/2567 cluster).
- Protocol version and client capabilities move to _meta on every request instead of a one-time initialize exchange.
- server/discover replaces implicit session negotiation for capability checks.
- List and read responses must emit ttlMs and cacheScope so clients cache safely across users.
- OAuth hardening from the RC remains: iss validation, OIDC application_type, scope accumulation.
The header leakage problem nobody puts in the happy-path doc
Akamai's threat research team called out a concrete failure mode: developers map sensitive inputs (API keys, bearer tokens, customer IDs) into MCP-specific headers because the gateway expects routing metadata there. Once a secret is in a header, it is visible to load balancers, reverse proxies, CDN logs, and WAF dashboards that were never in your threat model for tool arguments.
The fix is boring and enforceable: routing headers carry routing data only. Credentials stay in Authorization or in tool arguments after OAuth completes. Add a CI grep that fails builds if header templates reference env vars matching KEY, TOKEN, or SECRET patterns. Same discipline as MCP EMA for who reaches the connector, applied to what the connector puts on the wire.
Pre-GA security checklist (22 days to July 28)
- 01Audit gateway header forwarding rulesConfirm Mcp-Method and Mcp-Name pass through unchanged and that no custom x-mcp-* headers are populated from user input or vault secrets. Log redaction at the edge should strip Authorization and any experimental MCP headers you added during pilot.
- 02Test desync and protocol confusion pathsSend mismatched Mcp-Method values against tools/call bodies. If the gateway routes on headers but the server validates against the body, you have a desync window. Align validation on one source of truth.
- 03Verify cacheScope on tools/list and resourcesCross-user cache bleed is a confidentiality bug. Hit tools/list as two different OAuth identities through the same gateway and confirm cache keys include tenant or user scope.
- 04Walk OAuth iss validation and scope accumulationSame six OAuth proposals from the RC. If you deferred EMA because OAuth fatigue blocked rollout, week 1 before GA is the pilot window, not GA day.
- 05Pen-test handle minting and replayMulti-step tools must mint handles bound to the authenticated principal. Replay of basket_id across tenants should fail closed. Pair with the handle migration steps in the stateless migration checklist.
How this fits your observability stack
Stateless MCP traffic looks like normal HTTP at the edge. That is good for SRE teams. It is bad if your agent observability stack only logged session IDs. Add Mcp-Method, handle IDs, cache hit/miss, and oauth_subject as required dimensions in the agent observability stack before cutover.
If you run MCP through Databricks Unity AI Gateway, confirm the gateway strips sensitive _meta fields at the trust boundary and does not mirror them into analytics exports.
Common mistakes before July 28
- Treating header routing as "just infra" and skipping appsec review.
- Deleting sticky sessions before cacheScope is correct on list endpoints.
- Mapping bearer tokens into custom MCP headers for convenience.
- Running EMA rollout and stateless cutover in the same maintenance window.
- Assuming deprecated features disappear on GA day (12-month deprecation window).
Conclusion
July 28 simplifies MCP scaling if you did the handle migration first. It also moves security guarantees from the protocol session layer into your gateway config, header hygiene, and cache semantics. Run the migration checklist for availability. Run this checklist so secrets do not become log lines. Stateless MCP should be boring on purpose.
Sources: MCP 2026-07-28 release candidate at https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/; SecurityWeek enterprise MCP security analysis; Akamai threat research on MCP header leakage cited in SecurityWeek June 2026.
Agentic AI patterns, delivered Thursdays
What I am shipping, watching, and pruning out of client stacks each week. One email. No fluff.