OECD-MCP-server

The server demonstrates strong security practices including robust input validation (Zod schemas, custom filter sanitization in `sdmx-client.ts` to prevent SSRF and injection attacks), and comprehensive error message sanitization (`sanitizeErrorMessage` in `http-server.ts`) to prevent information leakage like file paths, database credentials, or stack traces. The Docker and Kubernetes configurations (`docker-compose.yml`, `k8s-deployment.yaml`) include excellent container security settings such as read-only filesystems, `runAsNonRoot`, `no-new-privileges`, and capabilities drops, significantly hardening the deployment. Internal rate limiting in `sdmx-client.ts` helps protect the upstream OECD API. The `http-server.ts` uses `cors()` without specific origin restrictions, allowing all origins by default. While common for public APIs, in a production environment, this should ideally be configured to whitelist specific allowed origins. However, the Kubernetes Ingress configuration does implement an application-level `nginx.ingress.kubernetes.io/rate-limit: "100"` to mitigate denial-of-service attacks.