webMCP is an AI web interaction optimization toolkit that reduces token usage by 67.6% on average while maintaining response quality. It provides tools for JavaScript, Python, React, and WordPress.

How much can I save with webMCP?

webMCP typically reduces AI token usage by 65-75%, resulting in significant cost savings. Our case studies show savings of $15K+ per month for high-volume applications.

Which AI models does webMCP support?

webMCP supports all major AI models including GPT-4, GPT-4o, Claude 3.5 Sonnet, Gemini Pro, and more. It automatically optimizes for your target model.

Security Overview

Comprehensive security framework for webMCP. Enterprise-grade protection for your AI-optimized web applications.

Security Features

Multi-layered security architecture protecting your data and applications

CSRF Protection

Cross-Site Request Forgery protection with token validation

Automatic token generation
Request validation
Configurable token expiry
Double-submit cookie pattern

Learn more

JWT Authentication

JSON Web Token based authentication and authorization

Secure token signing
Configurable expiration
Scope-based permissions
Automatic token refresh

Learn more

Data Encryption

End-to-end encryption for sensitive data protection

AES-256 encryption
JWE payload encryption
Key rotation support
Field-level encryption

Learn more

Access Control

Role-based access control and permission management

Role-based permissions
API key scoping
Rate limiting
Audit logging

Learn more

Security Architecture

Multi-layered security approach for comprehensive protection

Transport Layer

HTTPS/TLS encryption for all communications

TLS 1.3Certificate PinningHSTS

Authentication Layer

Identity verification and token management

JWT TokensAPI KeysOAuth 2.0

Authorization Layer

Permission-based access control

RBACScoped PermissionsResource ACLs

Data Protection Layer

Encryption and data sanitization

AES-256JWEField Encryption

Application Layer

Input validation and CSRF protection

CSRF TokensInput SanitizationXSS Protection

Threat Model & Mitigations

Comprehensive analysis of security threats and our mitigation strategies

Threat	Description	Mitigation	Severity
Cross-Site Request Forgery (CSRF)	Malicious websites performing unauthorized actions	CSRF tokens and SameSite cookie attributes	High
Cross-Site Scripting (XSS)	Injection of malicious scripts into web pages	Input sanitization and Content Security Policy	High
Man-in-the-Middle (MITM)	Interception of communications between client and server	TLS encryption and certificate pinning	High
API Key Compromise	Unauthorized access through compromised API keys	Key rotation, scoping, and monitoring	Medium
Data Breach	Unauthorized access to sensitive user data	Encryption, access controls, and audit logging	High
Denial of Service (DoS)	Overwhelming system resources to cause unavailability	Rate limiting, load balancing, and DDoS protection	Medium

Security Best Practices

Guidelines for implementing secure webMCP applications

API Security

Use HTTPS Everywhere

Always use HTTPS for all API communications

Configure TLS certificates and enforce HTTPS redirects

Implement Rate Limiting

Prevent abuse with configurable rate limits

Set per-user and per-IP rate limits based on usage patterns

Validate All Inputs

Sanitize and validate all user inputs

Use schema validation and input sanitization libraries

Authentication

Strong JWT Secrets

Use cryptographically secure secrets for JWT signing

Generate secrets with at least 256 bits of entropy

Token Expiration

Set appropriate token expiration times

Use short-lived access tokens with refresh token rotation

Secure Token Storage

Store tokens securely on client side

Use httpOnly cookies or secure storage mechanisms

Data Protection

Encrypt Sensitive Data

Encrypt PII and sensitive form data

Use field-level encryption for sensitive elements

Secure Key Management

Implement proper key rotation and storage

Use HSM or key management services for production

Data Minimization

Only collect and process necessary data

Implement data retention policies and automatic cleanup

Security Configuration Examples

Practical examples for implementing security features

Basic Security Configuration

Enable core security features

import { WebMCPProcessor } from '@webmcp/core';

const processor = new WebMCPProcessor({
  security: {
    // Enable CSRF protection
    enableCSRF: true,
    csrfTokenExpiry: 3600, // 1 hour
    
    // JWT configuration
    jwt: {
      secret: process.env.JWT_SECRET,
      expiresIn: '1h',
      scopes: ['webmcp:read', 'webmcp:write']
    },
    
    // Data encryption
    encryption: {
      method: 'jwe',
      algorithm: 'A256GCM',
      keyRotationInterval: 86400 // 24 hours
    },
    
    // Rate limiting
    rateLimit: {
      windowMs: 60000, // 1 minute
      maxRequests: 100,
      skipSuccessfulRequests: false
    }
  }
});

Advanced Security Setup

Production-ready security configuration

const securityConfig = {
  // HTTPS enforcement
  httpsOnly: true,
  hsts: {
    maxAge: 31536000, // 1 year
    includeSubDomains: true,
    preload: true
  },
  
  // Content Security Policy
  csp: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"]
    }
  },
  
  // Security headers
  headers: {
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block',
    'Referrer-Policy': 'strict-origin-when-cross-origin'
  },
  
  // Audit logging
  audit: {
    enabled: true,
    logLevel: 'info',
    sensitiveFields: ['password', 'ssn', 'creditCard'],
    retention: 90 // days
  }
};

const processor = new WebMCPProcessor({ security: securityConfig });

Secure Your Implementation

Dive deeper into specific security features and implementation details

CSRF Protection JWT Auth Encryption Configuration