MCP-017: Non-HTTPS Remote HTTP Server URL - MCP

Summary

• Rule ID: MCP-017
• Severity: HIGH
• Category: MCP
• Normative Level: MUST
• Auto-Fix: No
• Verified On: 2026-02-13

Applicability

• Tool: all
• Version Range: unspecified
• Spec Revision: 2025-11-25

Evidence Sources

• https://modelcontextprotocol.io/specification/2025-11-25/basic/transports

Test Coverage Metadata

• Unit tests: true
• Fixture tests: true
• E2E tests: false

Examples

The following examples demonstrate what triggers this rule and how to fix it.

Invalid

{
  "mcpServers": {
    "remote": {
      "type": "http",
      "url": "http://api.example.com/mcp"
    }
  }
}

Valid

{
  "mcpServers": {
    "remote": {
      "type": "http",
      "url": "https://api.example.com/mcp"
    }
  }
}