mav-postgresql-mcp-server

Verified Safe

by derricksiawor

Overview

Provides a Model Context Protocol (MCP) interface for programmatic access and management of PostgreSQL databases, including schema querying, data manipulation (optional), and database-specific features like JSONB and extensions.

Installation

Run Command
node build/index.js

Environment Variables

  • PG_HOST
  • PG_PORT
  • PG_USER
  • PG_PASSWORD
  • PG_DATABASE
  • PG_SCHEMA
  • PG_SSL_MODE
  • PG_SSL_REJECT_UNAUTHORIZED
  • PG_SSL_CA_PATH
  • PG_SSL_CERT_PATH
  • PG_SSL_KEY_PATH
  • PG_SSL_MIN_VERSION
  • ALLOW_WRITE_OPERATIONS
  • CONNECTION_LIMIT
  • QUERY_TIMEOUT
  • MAX_RESULTS
  • RATE_LIMIT_PER_MINUTE
  • RATE_LIMIT_PER_HOUR
  • RATE_LIMIT_CONCURRENT
  • MCP_DEBUG

Security Notes

The server demonstrates strong security practices:

  • A comprehensive `validateQuery` function blocks dangerous SQL patterns (file system operations, permission changes, admin commands, external network operations, extension operations).
  • Crucially, all read-only queries are wrapped in `BEGIN TRANSACTION READ ONLY` to enforce read-only access at the database level, preventing accidental or malicious writes.
  • Identifiers (table, column, and schema names) are validated and escaped using `safeIdentifier` to prevent SQL injection through these elements.
  • Sensitive system tables (e.g., `pg_authid`) are explicitly blocked.
  • Configurable rate limiting, query timeouts, and maximum result counts prevent resource exhaustion and data exfiltration.
  • Credentials are loaded from environment variables, avoiding hardcoded secrets.
  • Full SSL/TLS support with configurable modes and certificate paths is available.
  • Audit logging tracks all database operations, especially writes.

The only minor point of improvement could be stronger blocking for 'sensitive patterns' rather than just warnings, depending on the operational context, but the overall approach is excellent.

Stats

Interest Score: 0
Security Score: 9
Cost Class: Low
Avg Tokens: 5
Stars: 0
Forks: 0
Last Update: 2025-12-13

Tags

PostgreSQL, Database, MCP Server, Data Management, Node.js