Rule catalog · Transport security

Server uses HTTPS

transport_uses_httpshighweight 10Perimeter

Authored by Stanley Hong · AgentReserve (founder).

The MCP endpoint is reached over HTTPS. Plain HTTP allows trivial credential and prompt leakage on any shared network path.

When this rule runs

Evaluated on every scan — observable from the URL, TLS handshake, or HTTP response headers, even when the MCP layer is auth-walled or unresponsive.

Why it matters

Anything sent to or from a plain-HTTP MCP server — credentials, prompts, tool arguments, results — can be read or modified by any party on the network path. Transport security is a precondition for every other trust property.

Pass condition

The submitted URL uses the https:// scheme.

Fail condition

The URL uses http:// or another non-TLS scheme.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

```
{"protocol": "http:"}
```

Remediation

Serve the MCP endpoint over HTTPS with a valid certificate, and either redirect plain HTTP to HTTPS or refuse it outright.

Methodology

This rule belongs to the Transport security dimension. How the server is reached on the wire. Covers TLS and protocol-level confidentiality of probe traffic.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.

← Back to rule catalog