All posts
MCP Published 14 min

MCP stateless headers can leak secrets into every proxy log: the security checklist I run 22 days before July 28

The 2026-07-28 MCP spec drops sticky sessions and routes on Mcp-Method and Mcp-Name headers. That is a scaling win and a new exfiltration surface. Akamai and SecurityWeek flagged desync risk and accidental API-key mapping into headers visible to load balancers. Here is the pre-GA security checklist I run on gateways and remote servers.

Jigar JoshiJigar JoshiAgentic AI Architect and Consultant
In this post (7 sections)

Introduction

I spent June writing the four-week stateless migration checklist for teams deleting Redis session stores. That post assumes your biggest risk is a 502 when round-robin lands on the wrong instance. July brought a second risk profile: headers that carry routing metadata are now part of the security boundary, and every hop between client and server can log them.

The MCP release candidate locked May 21. Final publication is July 28, 2026. If you operate a remote MCP server behind a gateway, the transport rework is not just compatibility work. Request routing integrity, cross-user cache scope, and what gets written into Mcp-Method and Mcp-Name are security properties. This post is the security pass I run after the handle migration pass.

What changed in the stateless transport (security-relevant pieces)

  • Mcp-Method and Mcp-Name headers are required so gateways route without parsing bodies (SEP-2575/2567 cluster).
  • Protocol version and client capabilities move to _meta on every request instead of a one-time initialize exchange.
  • server/discover replaces implicit session negotiation for capability checks.
  • List and read responses must emit ttlMs and cacheScope so clients cache safely across users.
  • OAuth hardening from the RC remains: iss validation, OIDC application_type, scope accumulation.
Stateless MCP security surfaces
SurfaceScaling winSecurity gotcha
Mcp-Method / Mcp-Name routingRound-robin without sticky sessionsDesync if proxy and server disagree on header semantics
Header-based metadataNo body parse at edgeSecrets or PII mapped into headers leak to every hop
Client-side caching (ttlMs)Fewer tools/list callsWrong cacheScope exposes one user's tool list to another
Explicit tool handlesState in your DB, not protocol memoryHandle guessing or cross-tenant handle reuse
Deprecated Roots/Sampling/LoggingCleaner core specOne-year runway still requires a migration plan

The header leakage problem nobody puts in the happy-path doc

Akamai's threat research team called out a concrete failure mode: developers map sensitive inputs (API keys, bearer tokens, customer IDs) into MCP-specific headers because the gateway expects routing metadata there. Once a secret is in a header, it is visible to load balancers, reverse proxies, CDN logs, and WAF dashboards that were never in your threat model for tool arguments.

The fix is boring and enforceable: routing headers carry routing data only. Credentials stay in Authorization or in tool arguments after OAuth completes. Add a CI grep that fails builds if header templates reference env vars matching KEY, TOKEN, or SECRET patterns. Same discipline as MCP EMA for who reaches the connector, applied to what the connector puts on the wire.

Pre-GA security checklist (22 days to July 28)

  1. 01
    Audit gateway header forwarding rules
    Confirm Mcp-Method and Mcp-Name pass through unchanged and that no custom x-mcp-* headers are populated from user input or vault secrets. Log redaction at the edge should strip Authorization and any experimental MCP headers you added during pilot.
  2. 02
    Test desync and protocol confusion paths
    Send mismatched Mcp-Method values against tools/call bodies. If the gateway routes on headers but the server validates against the body, you have a desync window. Align validation on one source of truth.
  3. 03
    Verify cacheScope on tools/list and resources
    Cross-user cache bleed is a confidentiality bug. Hit tools/list as two different OAuth identities through the same gateway and confirm cache keys include tenant or user scope.
  4. 04
    Walk OAuth iss validation and scope accumulation
    Same six OAuth proposals from the RC. If you deferred EMA because OAuth fatigue blocked rollout, week 1 before GA is the pilot window, not GA day.
  5. 05
    Pen-test handle minting and replay
    Multi-step tools must mint handles bound to the authenticated principal. Replay of basket_id across tenants should fail closed. Pair with the handle migration steps in the stateless migration checklist.

How this fits your observability stack

Stateless MCP traffic looks like normal HTTP at the edge. That is good for SRE teams. It is bad if your agent observability stack only logged session IDs. Add Mcp-Method, handle IDs, cache hit/miss, and oauth_subject as required dimensions in the agent observability stack before cutover.

If you run MCP through Databricks Unity AI Gateway, confirm the gateway strips sensitive _meta fields at the trust boundary and does not mirror them into analytics exports.

Common mistakes before July 28

  • Treating header routing as "just infra" and skipping appsec review.
  • Deleting sticky sessions before cacheScope is correct on list endpoints.
  • Mapping bearer tokens into custom MCP headers for convenience.
  • Running EMA rollout and stateless cutover in the same maintenance window.
  • Assuming deprecated features disappear on GA day (12-month deprecation window).

Conclusion

July 28 simplifies MCP scaling if you did the handle migration first. It also moves security guarantees from the protocol session layer into your gateway config, header hygiene, and cache semantics. Run the migration checklist for availability. Run this checklist so secrets do not become log lines. Stateless MCP should be boring on purpose.

Sources: MCP 2026-07-28 release candidate at https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/; SecurityWeek enterprise MCP security analysis; Akamai threat research on MCP header leakage cited in SecurityWeek June 2026.

The weekly take

Agentic AI patterns, delivered Thursdays

What I am shipping, watching, and pruning out of client stacks each week. One email. No fluff.

Shipping an agentic AI project this quarter?
Book a 30-min consult
Frequently asked

Questions readers ask about this post

Share this post
LinkedIn Facebook