How to Secure Your MCP Server Against Tool Poisoning and Prompt Injection

Defending against MCP tool description poisoning, markdown image exfiltration, conversation JSON spoofing, and the credential crisis across 5,000 servers running on static API keys

Feb 19, 2026

∙ Paid

0x00

Last article, I showed you three ways to gut an MCP deployment. Tool description poisoning. Conversation JSON spoofing. Markdown image exfil. All landed. All trivial.

Now here’s the thing. I had fun building those demos. But I also run MCP servers in prod. So the question I kept asking myself while writing the attack piece was: how do I stop me?

Turns out most of the defenses already exist. They’re just not turned on. The MCP spec ships with a trust model that assumes every tool description is benign, every server is honest, and every output is safe to render. Three assumptions, three attack chains. Let’s kill each one.

The playbook is simple: verify what you load, sanitize what you render, and scope the blast radius for when both fail. Because they will.

MCP security overview showing three attack vectors from companion article and the defense strategy of verify, sanitize, and contain

Signal boost this.
Share

0x01: Pin It, Hash It, Scan It

In the poison article, I embedded <IMPORTANT> directives inside a tool’s description field. The model read them as instructions from god. The user saw nothing. That’s the whole attack.

The defense has three layers.

Continue reading this post for free, courtesy of ToxSec.

Or purchase a paid subscription.