mcp-postgres

Verified Safe

by Anashel-RPG

Overview

LLM-powered data analysis and exploration on a PostgreSQL database, utilizing Cloudflare Workers for scalable and secure deployment.

Installation

Run Command
npm run deploy:all

Environment Variables

  • MCP_API_KEY
  • MCP_SERVER_URL
  • OPENAI_API_KEY
  • SESSION_TTL
  • TOTP_ISSUER
  • TOTP_ACCOUNT
  • HYPERDRIVE_ID (in wrangler.toml)
  • ALLOWED_SOURCES
  • EXCLUDED_SCHEMAS
  • DEFAULT_MODEL
  • MAX_TOOL_ITERATIONS
  • LLM_MAX_TOKENS
  • PG_QUERY_TIMEOUT_MS

Security Notes

The project demonstrates strong security practices. SQL queries use parameterized statements and identifier escaping to prevent injection. API keys are managed via environment variables and validated with `timingSafeEqual`. TOTP-based 2FA with brute-force protection is implemented for `llm-app`. Cross-Origin Resource Sharing (CORS) is explicitly configured. Sensitive data is sanitized from logs and error messages. Durable Objects are used for secure state persistence. Content Security Policy (CSP) and other security headers are enforced for frontend assets. Inputs and LLM outputs are truncated to prevent context window attacks and excessive costs, and markdown content is sanitized for XSS prevention. Default settings prioritize fail-closed security for unauthenticated access. Minor improvements could involve stricter input validation on all API endpoints or more frequent key rotation policies.

Stats

  • Interest Score: 0
  • Security Score: 9
  • Cost Class: Medium
  • Avg Tokens: 4000
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-19

Tags

LLM, Data Analysis, PostgreSQL, Cloudflare Workers, RAG