chromadb-remote-mcp

The server demonstrates a very strong commitment to security. It includes extensive measures such as input sanitization (preventing log injection, ANSI escape sequences, prototype pollution), strict origin header validation (DNS rebinding protection), a comprehensive set of security headers (CSP, HSTS, X-Frame-Options, etc.), rate limiting, and timing-safe token comparison to prevent timing attacks. Authentication is unified across MCP and REST API endpoints, with warnings for less secure query parameter authentication in production. The project actively uses static analysis tools (DeepSource, CodeQL, Dependabot) and has a detailed security policy. No `eval` or obfuscation was found. The core functionality as a proxy for ChromaDB means it mediates access and enhances security for the underlying database, which is typically not exposed directly. It does, however, expose an `/mcp` endpoint and a proxied `/api/v2/*` for ChromaDB, requiring careful configuration of `MCP_AUTH_TOKEN` for public deployments.