Security

Security best practices for using the Bugzilla MCP Server.

Security Overview

The Bugzilla MCP Server requires Bugzilla API access to function. Following security best practices is essential to protect your Bugzilla instance and data.

API Key Security

Create Dedicated API Keys

Never use administrative accounts or full-access API keys with the MCP server.

  1. Create a dedicated Bugzilla user account for MCP access
  2. Generate a dedicated API key with minimal required permissions
  3. Use separate API keys for different environments (development, production)

API Key Permissions

Restrict API key permissions to only necessary operations:

  • Read-only operations: If you only need to query bugs, use read-only permissions
  • Comment permissions: Only enable comment permissions if you need to add comments
  • Avoid administrative permissions: Never grant administrative or full-access permissions

API Key Storage

Never commit API keys or credentials to version control.

Best Practices:

  • Store API keys in secure configuration files (not in code)
  • Use environment variables when possible
  • Never share API keys in public repositories
  • Rotate API keys regularly
  • Revoke compromised keys immediately

Configuration Security

Secure Configuration Files

Claude Desktop:

  • File location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
  • Ensure proper file permissions (readable only by your user)

Cursor IDE:

  • File location: .cursor/mcp.json
  • Add to .gitignore if in a repository
  • Use environment variables for sensitive values when possible

Visual Studio Code:

  • Store mcp.json securely
  • Don't commit to version control

Environment Variables

For local development, consider using environment variables:

export BUGZILLA_API_KEY="your-api-key"
export BUGZILLA_URL="https://bugzilla.example.com"

Network Security

Use HTTPS

Always use HTTPS for Bugzilla URLs in production environments.

  • Production: Always use https:// URLs
  • Development: Use https:// when possible, even for local instances
  • Never use HTTP for production Bugzilla instances

Hosted Server

The hosted production server at https://bugzilla.fastmcp.app/mcp:

  • Uses HTTPS for secure connections
  • Does not store or log your API keys
  • Transmits credentials only in HTTP headers (not in URLs)
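As an added example (not code from the Bugzilla MCP Server project), the following Python applies the rules from the Environment Variables and Network Security sections: it reads BUGZILLA_URL and BUGZILLA_API_KEY from the environment, refuses non-HTTPS URLs outside local development, rejects a key embedded in the URL, sends the key as a header, and redacts it from error text. The header name X-BUGZILLA-API-KEY is Bugzilla's own REST API header, which this page does not name; the localhost exception is an assumption for development use.

```python
import os
from urllib.parse import parse_qs, urlsplit


class ConfigError(ValueError):
    """Unsafe configuration. Messages are redacted so the key never reaches a log."""


def redact(text: str, secret: str) -> str:
    """Replace every occurrence of the API key with a fixed marker."""
    return text.replace(secret, "[REDACTED]") if secret else text


def build_request(environ=None, production=True):
    """Return {"url": ..., "headers": ...} or raise ConfigError.

    Rules enforced: the key comes from the environment, never from the URL;
    HTTPS is mandatory in production (http:// is tolerated only for localhost
    when production=False); the key travels in a header, not in the query string.
    """
    env = os.environ if environ is None else environ
    url = env.get("BUGZILLA_URL", "").strip()
    key = env.get("BUGZILLA_API_KEY", "").strip()
    if not key:
        raise ConfigError("BUGZILLA_API_KEY is not set")
    parts = urlsplit(url)
    # Real keys are long random strings, so a substring match is a reliable leak check.
    if "api_key" in parse_qs(parts.query) or key in url:
        raise ConfigError("API key must not appear in BUGZILLA_URL: " + redact(url, key))
    local_dev = not production and parts.hostname in ("localhost", "127.0.0.1")
    if parts.scheme != "https" and not local_dev:
        raise ConfigError("refusing non-HTTPS Bugzilla URL: " + redact(url, key))
    return {"url": url, "headers": {"X-BUGZILLA-API-KEY": key}}


def check_config(environ, production=True) -> str:
    """Validate without sending anything; return "" when safe, else the redacted error."""
    try:
        build_request(environ, production)
    except ConfigError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"BUGZILLA_URL": "https://bugzilla.example.com", "BUGZILLA_API_KEY": "k3y-sample"}
    print(list(build_request(sample)["headers"]))
    print(check_config({**sample, "BUGZILLA_URL": "http://bugzilla.example.com"}))
```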

Security Best Practices Checklist

  • Created a dedicated Bugzilla user account for MCP access
  • Generated API key with minimal required permissions
  • Using HTTPS for Bugzilla URL
  • API key stored securely (not in code or version control)
  • Configuration files have proper permissions
  • Regular security reviews of API key usage
  • API keys rotated periodically
  • Monitoring for unauthorized access
  • Using read-only permissions when possible
  • Separate API keys for different environments

Principle of Least Privilege

Always follow the principle of least privilege when configuring API access.

What this means:

  • Grant only the minimum permissions necessary
  • Use read-only access when write access isn't needed
  • Separate accounts for different use cases
  • Regular review of permissions

Security Considerations

Rate Limiting

Consider implementing rate limiting for production use:

  • Prevents abuse of the Bugzilla API
  • Protects your Bugzilla instance from overload
  • May be handled by your Bugzilla instance configuration

Error Handling

The server includes comprehensive error handling:

  • Doesn't expose sensitive information in error messages
  • Provides clear error messages without revealing internals
  • Handles authentication failures gracefully

Audit Logging

Monitor API key usage:

  • Review Bugzilla access logs regularly
  • Check for unusual activity
  • Revoke unused or suspicious API keys

Incident Response

If you suspect a security issue:

  1. Immediately revoke the compromised API key
  2. Generate a new API key with appropriate permissions
  3. Update your configuration with the new key
  4. Review access logs for unauthorized activity
  5. Report security issues to your Bugzilla administrator
