Security Features
ThornGuard is built on a Zero-Trust architecture. It assumes both the AI Client (the sender) and the Upstream Tool (the receiver) are potentially hostile environments.
Ingress Protection (Command Filtering)
When an AI Assistant decides to use a tool, it formats its request as a JSON-RPC 2.0 payload and sends it via HTTP POST.
ThornGuard intercepts this POST request and performs strict validation:
- Schema Validation: Uses Zod to ensure the payload is well-formed JSON-RPC 2.0. Malformed requests are dropped immediately.
- Signature Scanning: The payload is stringified and the resulting text is scanned against a denylist of command signatures, so a signature buried in nested tool arguments is still seen. A denylist only catches the exact spellings it lists, so it is a backstop, not a substitute for locking down what the upstream tool can execute.
Blocked Signatures
Currently, ThornGuard automatically drops any payload containing the following patterns:
- rm -rf (recursive forced deletion)
- sudo (privilege escalation)
- nc -e (Netcat reverse shell)
- /etc/passwd (system credential file access)
- eval( (code execution)
- chmod 777 (unrestricted file permissions)
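The two ingress checks, as an added example that is not ThornGuard's own code. The JSON-RPC shape check is hand-written here rather than a Zod schema so the file runs with no dependencies; the sample request bodies are constructed for the example, and the last one shows what a literal denylist does not see.

```javascript
// Added example (not ThornGuard's own code): a minimal ingress filter with the
// two checks described above. The JSON-RPC shape check is hand-written here
// instead of using Zod so the file runs with no dependencies.

const BLOCKED_SIGNATURES = ["rm -rf", "sudo", "nc -e", "/etc/passwd", "eval(", "chmod 777"];

// Shape check: the fields JSON-RPC 2.0 requires, with the types it allows.
function isJsonRpcRequest(value) {
  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
  if (value.jsonrpc !== "2.0") return false;
  if (typeof value.method !== "string") return false;
  if ("id" in value && value.id !== null && !["string", "number"].includes(typeof value.id)) return false;
  // params, when present, must be a structured value (object or array).
  if ("params" in value && (typeof value.params !== "object" || value.params === null)) return false;
  return true;
}

// Serialise the whole payload and look for each literal signature, so a
// signature buried in nested tool arguments is still seen.
// Returns the matching signature, or null if the payload is clean.
function findBlockedSignature(payload) {
  const text = JSON.stringify(payload);
  for (const sig of BLOCKED_SIGNATURES) {
    if (text.includes(sig)) return sig;
  }
  return null;
}

// Decide what to do with one raw POST body.
function filterIngress(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { action: "drop", reason: "body is not JSON" };
  }
  if (!isJsonRpcRequest(parsed)) {
    return { action: "drop", reason: "not a JSON-RPC 2.0 request" };
  }
  const sig = findBlockedSignature(parsed);
  if (sig !== null) {
    return { action: "drop", reason: `blocked signature: ${sig}` };
  }
  return { action: "forward", request: parsed };
}

// Constructed sample bodies (not captured traffic).
const SAMPLE_BLOCKED = JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "tools/call",
  params: { name: "shell", arguments: { cmd: "rm -rf /tmp/build" } },
});
const SAMPLE_CLEAN = JSON.stringify({ jsonrpc: "2.0", id: 2, method: "tools/list" });
const SAMPLE_MALFORMED = JSON.stringify({ method: "tools/list" }); // no "jsonrpc": "2.0"
// Same intent as SAMPLE_BLOCKED, spelt differently: a literal denylist does not see it.
const SAMPLE_VARIANT = JSON.stringify({
  jsonrpc: "2.0", id: 3, method: "tools/call",
  params: { name: "shell", arguments: { cmd: "rm -r -f /tmp/build" } },
});
```

filterIngress(SAMPLE_BLOCKED) drops with the matching signature named in the reason; filterIngress(SAMPLE_VARIANT) is forwarded, which is the inherent limit of signature matching rather than anything specific to this project.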
Egress DLP (Data Loss Prevention)
When a tool call succeeds, the upstream server returns a result. That result often contains PII (Personally Identifiable Information) or system credentials that should never be fed into a third-party LLM's context window.
The SSE Streaming Challenge
Modern MCP servers use Server-Sent Events (SSE) to stream data back to the client, so data arrives in fragmented, unpredictable network chunks. Running a regex over each chunk as it arrives fails, because a secret (such as an SSN) can be split across two chunks (e.g. 000-00- in one and 0000 in the next), and neither half matches on its own.
Buffered Chunk Redaction
ThornGuard implements a TransformStream buffer that:
- Holds incoming network packets in memory until it detects a complete SSE event boundary (a blank line, i.e. \n\n).
- Parses the complete event as JSON, so a secret cannot be missed or mangled by an escape sequence that straddles a chunk boundary.
- Runs regular expressions with negative lookarounds to identify and redact sensitive patterns.
- Streams the safe, scrubbed event to the AI Client.
Nothing is forwarded until the boundary arrives, so an upstream that emits one very large event is buffered in full before any of it reaches the client.
Supported Redactions
ThornGuard actively scrubs the following data patterns out of server responses:
- Emails: replaced with [THORNGUARD REDACTED EMAIL]
- Social Security Numbers: replaced with [THORNGUARD REDACTED SSN]
- Credit Cards (16-digit): replaced with [THORNGUARD REDACTED CC]
- AWS Access Keys (AKIA and ASIA prefixes): replaced with [THORNGUARD REDACTED AWS KEY]
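The buffered chunk redaction and the supported redactions together, as an added example that is not ThornGuard's own code. The regexes are this example's own (the page does not show ThornGuard's), the credit-card pattern's acceptance of space- or dash-separated groups of four is an assumption, and the sample SSE event is constructed, with the SSN deliberately split across two chunks so the buffering matters. The AWS key in the sample is the documented placeholder value from AWS's own documentation, not a real credential.

```javascript
// Added example (not ThornGuard's own code): an SSE event buffer that parses
// each complete event as JSON and applies the redactions listed above to the
// strings inside it. The regexes are this example's own; the page does not
// show ThornGuard's.

const REDACTIONS = [
  { name: "email",
    pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
    replacement: "[THORNGUARD REDACTED EMAIL]" },
  { name: "aws",   // access key ID: AKIA/ASIA prefix plus 16 upper-case alphanumerics
    pattern: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g,
    replacement: "[THORNGUARD REDACTED AWS KEY]" },
  { name: "ssn",   // negative lookarounds stop a match inside a longer digit/dash run
    pattern: /(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])/g,
    replacement: "[THORNGUARD REDACTED SSN]" },
  { name: "cc",    // 16 digits; allowing space/dash groups of 4 is this example's assumption
    pattern: /(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)/g,
    replacement: "[THORNGUARD REDACTED CC]" },
];

function redactString(s) {
  return REDACTIONS.reduce((acc, r) => acc.replace(r.pattern, r.replacement), s);
}

// Walk a parsed JSON value and scrub every string leaf.
function redactValue(value) {
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map(redactValue);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const k of Object.keys(value)) out[k] = redactValue(value[k]);
    return out;
  }
  return value;
}

// Scrub one complete SSE event (the text between two "\n\n" boundaries).
function redactEvent(event) {
  const lines = event.split("\n");
  const dataLines = lines.filter((l) => l.startsWith("data:"));
  if (dataLines.length === 0) return event; // comment or event-only frame
  const other = lines.filter((l) => !l.startsWith("data:"));
  const data = dataLines.map((l) => l.slice(5).replace(/^ /, "")).join("\n");
  let scrubbed;
  try {
    scrubbed = JSON.stringify(redactValue(JSON.parse(data)));
  } catch {
    scrubbed = redactString(data); // not JSON: fall back to scrubbing the raw text
  }
  return [...other, `data: ${scrubbed}`].join("\n");
}

class SseRedactor {
  constructor() { this.buffer = ""; }

  // Feed one network chunk; returns only the complete events it closes.
  push(chunk) {
    this.buffer += chunk;
    const out = [];
    let boundary = this.buffer.indexOf("\n\n");
    while (boundary !== -1) {
      out.push(redactEvent(this.buffer.slice(0, boundary)) + "\n\n");
      this.buffer = this.buffer.slice(boundary + 2);
      boundary = this.buffer.indexOf("\n\n");
    }
    return out;
  }

  // End of stream: scrub whatever partial event is left rather than leaking it.
  flush() {
    const rest = this.buffer;
    this.buffer = "";
    return rest === "" ? "" : redactEvent(rest);
  }
}

// Constructed sample (not captured traffic): one event carrying a JSON-RPC
// result, delivered in two chunks that split the SSN between "123-45-" and "6789".
const SAMPLE_EVENT =
  "event: message\n" +
  'data: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":' +
  '"User jane@example.com SSN 123-45-6789 card 4111 1111 1111 1111 key AKIAIOSFODNN7EXAMPLE"}]}}\n\n';
const CHUNK_1 = SAMPLE_EVENT.slice(0, SAMPLE_EVENT.indexOf("6789"));
const CHUNK_2 = SAMPLE_EVENT.slice(SAMPLE_EVENT.indexOf("6789"));

function demo() {
  const redactor = new SseRedactor();
  const afterChunk1 = redactor.push(CHUNK_1); // no boundary yet: nothing forwarded
  const afterChunk2 = redactor.push(CHUNK_2); // one complete, scrubbed event
  return { afterChunk1, afterChunk2, naivePerChunk: redactString(CHUNK_1) };
}
```

demo() shows the contrast the section describes: redactString(CHUNK_1) on its own leaves "123-45-" in place because the pattern never completes, while the buffered path emits the event with all four values replaced. Only "\n\n" boundaries are handled, matching what the page states; an upstream that ends lines with "\r\n" would need the boundary search extended.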
SSRF Prevention
Server-Side Request Forgery (SSRF) occurs when an attacker tricks a server-side component, here the proxy, into making requests to internal networks on the attacker's behalf.
Because the upstream target is user-controlled (Claude Desktop lets users specify the x-mcp-target-url), a malicious user could attempt to point ThornGuard at internal Cloudflare infrastructure or at cloud metadata endpoints.
ThornGuard strictly drops requests targeting:
- localhost, 127.0.0.1, 0.0.0.0, [::1]
- AWS/GCP metadata IPs (169.254.169.254, 169.254.170.2)
- Tailscale / VPN IPs (100.100.100.200)
- Any domain ending in .internal
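A target check of this kind, as an added example that is not ThornGuard's own code. The literal hosts and the .internal suffix are the page's list; the .localhost suffix, the IPv6 handling, and the private, link-local and CGNAT CIDR ranges go beyond it and are this example's additions. The function name blockedReason and the sample URLs are constructed for the example.

```javascript
// Added example (not ThornGuard's own code): a target check for the
// x-mcp-target-url value. The literal hosts are the page's list; the CIDR
// ranges and the .localhost suffix go beyond it and are this example's addition.

const BLOCKED_HOSTS = new Set([
  "localhost", "127.0.0.1", "0.0.0.0", "[::1]",
  "169.254.169.254", "169.254.170.2", // cloud instance metadata, ECS task metadata
  "100.100.100.200",                 // Tailscale
]);

// Beyond the page's list: loopback, private, link-local and CGNAT ranges.
const BLOCKED_CIDRS = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];

// Dotted-quad string to an unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  if (parts.some((p) => p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function inCidr(ip, base, bits) {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Returns a reason string if the URL must be dropped, or null if it may be proxied.
function blockedReason(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "unparseable URL";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return `scheme ${url.protocol} not allowed`;
  }
  // The WHATWG parser has already lower-cased the host and rewritten IPv4
  // shorthand such as 127.1 or 2130706433 to dotted-quad form.
  const host = url.hostname;
  if (BLOCKED_HOSTS.has(host)) return `blocked host ${host}`;
  if (host.endsWith(".internal") || host.endsWith(".localhost")) {
    return `blocked domain suffix on ${host}`;
  }
  if (host.startsWith("[")) {
    // IPv6 literal: unspecified, loopback, and IPv4-mapped addresses.
    const v6 = host.slice(1, -1);
    if (v6 === "::" || v6 === "::1" || v6.startsWith("::ffff:")) {
      return `blocked IPv6 literal ${host}`;
    }
  }
  const ip = ipv4ToInt(host);
  if (ip !== null) {
    for (const [base, bits] of BLOCKED_CIDRS) {
      if (inCidr(ip, base, bits)) return `${host} is in ${base}/${bits}`;
    }
  }
  return null;
}
```

Parsing with the URL class before comparing matters: a string comparison against "127.0.0.1" alone would miss http://127.1/, which the parser normalises to the same host. The check still only inspects what the request names, not what it resolves to; a public hostname whose DNS record points at an internal address has to be caught at resolution time, which no hostname denylist can do.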