mcp-postgres-server

Verified Safe

by carlosealves2

Overview

MCP server for read-only PostgreSQL database access, enabling AI assistants to securely query databases.

Installation

Run Command
bunx @carlos.e.alves3/mcp-postgres-server

Environment Variables

  • POSTGRES_HOST
  • POSTGRES_DATABASE
  • POSTGRES_USER
  • POSTGRES_PASSWORD
  • POSTGRES_PORT
  • POSTGRES_MAX_CONNECTIONS
  • POSTGRES_INSECURE
  • SSH_TUNNEL_ENABLED
  • SSH_HOST
  • SSH_PORT
  • SSH_USERNAME
  • SSH_PASSWORD
  • SSH_PRIVATE_KEY_PATH
  • SSH_PRIVATE_KEY
  • SSH_PASSPHRASE
  • SSH_LOCAL_PORT
  • LOG_LEVEL
  • LOG_FORMAT

Security Notes

The server implements robust read-only query validation, blocking common SQL injection keywords (e.g., INSERT, UPDATE, DROP) and patterns (e.g., INTO OUTFILE, LOAD DATA). Queries are normalized by removing comments and excess whitespace, and are limited in length (10,000 characters) and execution time (30-second timeout). The internal tools (list_tables, describe_table) use parameterized queries. An optional 'insecure mode' allows write operations for development; it is off by default and logs clear warnings when enabled. SSH tunneling is supported for secure remote connections, with various authentication methods. All credentials are sourced from environment variables, which avoids hardcoding. The score is high because the security measures are explicit and well tested, but it is not 10, as no system is perfectly impenetrable.

Stats

  • Interest Score: 0
  • Security Score: 9
  • Cost Class: Medium
  • Avg Tokens: 2500
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-11-30

Tags

  • PostgreSQL
  • MCP Server
  • AI Assistant
  • Read-Only
  • Database Access