
mcp-server-playground

Verified Safe

by chrisleekr

Overview

A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.

Installation

Run Command
npm run docker:run

Environment Variables

  • MCP_CONFIG_TOOLS_PROJECT_PATH
  • MCP_CONFIG_SERVER_AUTH_ENABLED
  • MCP_CONFIG_SERVER_AUTH_JWTSECRET
  • MCP_CONFIG_SERVER_AUTH_AUTH0_DOMAIN
  • MCP_CONFIG_SERVER_AUTH_AUTH0_CLIENTID
  • MCP_CONFIG_SERVER_AUTH_AUTH0_CLIENTSECRET
  • MCP_CONFIG_SERVER_AUTH_AUTH0_AUDIENCE
  • MCP_CONFIG_SERVER_AUTH_AUTH0_SCOPE
  • MCP_CONFIG_TOOLS_AWS_REGION
  • MCP_CONFIG_TOOLS_AWS_PROFILE
  • MCP_CONFIG_TOOLS_AWS_CREDENTIALS_ACCESSKEYID
  • MCP_CONFIG_TOOLS_AWS_CREDENTIALS_SECRETACCESSKEY
  • MCP_CONFIG_TOOLS_AWS_BEDROCK_REGION
  • MCP_CONFIG_TOOLS_AWS_BEDROCK_PROFILE
  • MCP_CONFIG_TOOLS_AWS_BEDROCK_CREDENTIALS_ACCESSKEYID
  • MCP_CONFIG_TOOLS_AWS_BEDROCK_CREDENTIALS_SECRETACCESSKEY
  • MCP_CONFIG_TOOLS_AWS_BEDROCK_MODEL
  • MCP_LOG_LEVEL

Security Notes

The server uses standard security practices for Express applications, including `helmet` for security headers and `express-rate-limit` for rate limiting. Input validation is rigorously enforced using Zod schemas for all tool and API inputs, significantly reducing injection risks. Secrets such as JWT keys and Auth0 credentials are designed to be loaded from environment variables, preventing hardcoding. The OAuth proxy implementation addresses the security concerns of dynamic client registration by delegating authorization to a third-party provider (Auth0) while managing local client registration and token flows using PKCE. The CORS header `Access-Control-Allow-Origin: *` is broadly permissive, which is acceptable for a 'playground' but would typically be narrowed in a production environment. The integration with AWS Bedrock for the `aws-ecs` tool has a maximum output token limit, and the prompt construction relies on stringifying internal data, reducing direct injection risk into the LLM prompt itself.

Stats

Interest Score: 25
Security Score: 8
Cost Class: Medium
Avg Tokens: 2000
Stars: 7
Forks: 0
Last Update: 2025-12-31

Tags

MCP Server, TypeScript, OAuth Proxy, AWS, Session Management