Cloudflare's MCP Security Playbook

Cloudflare is aggressively integrating the Model Context Protocol (MCP) across its operations, extending beyond engineering to product, sales, marketing, and finance teams. This broad adoption of agentic workflows, however, introduces significant security risks, including authorization sprawl, prompt injection, and supply chain vulnerabilities. To mitigate these, Cloudflare has built a unified security architecture by integrating controls from its Cloudflare One (SASE) and Cloudflare Developer platforms, ensuring AI governance doesn't impede workforce efficiency. This approach is detailed in their latest blog post.

The company is introducing two key concepts to bolster enterprise MCP deployments: Code Mode with MCP server portals, designed to slash token costs, and the use of Cloudflare Gateway for Shadow MCP detection, identifying unauthorized remote MCP servers.

Securing MCP Workflows with a Unified Architecture

Cloudflare's strategy prioritizes centralized management of MCP servers. Unlike potentially insecure, locally-hosted deployments that rely on unvetted software, Cloudflare manages its MCP server deployments through a dedicated team. This team developed a shared MCP platform within their monorepo, offering governed infrastructure out-of-the-box. Employees seeking to expose internal resources via MCP must first gain approval from the AI governance team. They then use a template to define tools and deploy, automatically inheriting default-deny write controls, audit logging, CI/CD pipelines, and secrets management.

This governed infrastructure allows for the rapid deployment of new MCP servers, with the governance built directly into the platform. These are deployed as remote MCP servers on custom domains via Cloudflare's developer platform, providing visibility and control over software sources. This setup also ensures low-latency access for employees globally, as servers are deployed across Cloudflare’s data center network.

Cloudflare Access: Authentication for Private Resources

While some MCP servers, like those for Cloudflare documentation, are public-facing, many are designed to access private corporate resources. These require robust user authentication to restrict access to authorized personnel only. Cloudflare's MCP server template integrates Cloudflare Access as its OAuth provider. This system secures login flows, issues access tokens, and aggregates identity verification through single sign-on (SSO), multifactor authentication (MFA), and contextual attributes like IP address and device certificates.

MCP Server Portals: Centralized Discovery and Governance

As the number of remote MCP servers grew, Cloudflare faced a discovery challenge. Their MCP server portals product offers a solution by unifying governance and control for all AI activity. Employees connect their MCP client to a portal, which then lists all authorized internal and third-party MCP servers. These portals also provide centralized logging, consistent policy enforcement, and data loss prevention (DLP) guardrails, allowing administrators to monitor access and prevent sensitive data, such as PII, from being shared inappropriately.

Administrators can define granular access policies, controlling who can access which portal and which tools from each MCP server are exposed. For example, a finance team might only access read-only tools for a code repository MCP server, while engineers could have broader read/write access.

Code Mode with MCP Server Portals: Reducing Token Costs

Cloudflare has identified a significant cost driver in MCP usage: the traditional method of defining a separate tool for every API operation. This approach quickly consumes an agent’s context window, especially for large platforms. Building on their experience with server-side Code Mode, which reduced token use by 99.9% for Cloudflare’s own MCP server, they are now making this capability available with MCP server portals.

This new pattern collapses all underlying MCP servers into just two portal tools: `portal_codemode_search` and `portal_codemode_execute`. The search tool allows the model to use a `codemode.tools()` function to discover available tool definitions on demand, significantly reducing the amount of schema information loaded into context. The execute tool acts as a proxy, enabling the model to write JavaScript that calls discovered tools directly, chaining operations, filtering results, and handling errors within a sandboxed environment powered by Dynamic Workers.

For instance, a workflow requiring a Jira ticket search and an update from Google Drive, which would traditionally involve multiple tool schemas and invocations, is streamlined. With Code Mode, the model first discovers exact tool names and parameters without loading full schemas. It then makes a single execute call to chain the operations. This approach collapses 52 tools from four internal MCP servers, which would consume approximately 9,400 tokens for definitions, down to just 2 portal tools consuming around 600 tokens, a 94% reduction. Crucially, this cost remains fixed as more MCP servers are connected.

Code Mode can be activated by appending `?codemode=search_and_execute` to the MCP server portal URL.

AI Gateway: Extensibility and Cost Controls

AI Gateway is integrated between the MCP client and the LLM to provide extensibility and cost management. This allows for easy switching between LLM providers, preventing vendor lock-in, and enforces token usage limits per employee.

Cloudflare Gateway: Shadow MCP Detection

To address unauthorized MCP server usage, Cloudflare employs Cloudflare Gateway, their secure web gateway. Using the Gateway API, they perform multi-layer scans to identify remote MCP servers not accessed via an MCP server portal. This is achieved through various selectors, including scanning for known MCP server hostnames (`mcp.stripe.com`), wildcard subdomain patterns (`mcp.*`), and specific URL paths (`/mcp`, `/mcp/sse`).

Additionally, DLP-based body inspection can detect MCP traffic even if the URI lacks explicit mentions. This is possible because MCP uses JSON-RPC over HTTP, embedding a "method" field in requests (e.g., "tools/call", "prompts/get"). Regex patterns are defined to identify these common MCP method calls and protocol versions within the HTTP body.

Custom DLP profiles can be configured to block, redirect, log, or inspect MCP payloads, enabling comprehensive detection of unauthorized remote MCP servers across an enterprise network. For detailed implementation guidance, a tutorial is available.