shotgrid-mcp-server

The `download_file` utility in `src/shotgrid_mcp_server/utils.py` contains fallback mechanisms that disable SSL certificate verification (`ssl.CERT_NONE`, `ssl._create_unverified_context()`). While presented as a last resort, this introduces a critical vulnerability to Man-in-the-Middle attacks, compromising data integrity for downloaded files (e.g., thumbnails). Additionally, the default HTTP/ASGI server deployments (e.g., `uvicorn shotgrid_mcp_server.asgi:app`) do not include built-in authentication or HTTPS enforcement. Although the documentation correctly advises users to implement these via middleware in production, the lack of an enforced secure-by-default configuration for remote access relies heavily on user vigilance, increasing the risk of insecure deployments. No hardcoded secrets were found in core server logic.