Add mandatory API key authentication and TLS encryption #44

Open
Wh0am123 wants to merge 3 commits into main from feat/api-authentication

@Wh0am123
Owner

Summary

Two new security features that make MCP-Kali-Server secure by default:

1. Mandatory API Key Authentication

  • All /api/ endpoints require a valid X-API-Key header
  • Health check (/health) remains open for monitoring
  • hmac.compare_digest() for constant-time comparison (prevents timing attacks)
  • API key priority: --api-key flag > MKS_API_KEY env var > auto-generate
  • Returns 401 (missing key) or 403 (invalid key)

2. TLS Encryption by Default

  • HTTPS on by default with auto-generated self-signed RSA 4096 certificates
  • Certs generated on first run via openssl, stored in ~/.mcp-kali-server/certs/
  • Private key permissions restricted to 0600
  • --insecure-http to disable TLS (displays loud warning, intended for local-only use)
  • --cert / --key flags for custom certificates
  • Client uses --skip-verify for self-signed cert support

Files Changed

| File | Changes |
| --- | --- |
| server.py | API key decorator, TLS cert generation, --insecure-http/--cert/--key flags |
| client.py | --api-key, --skip-verify flags, X-API-Key header, default URL → https:// |
| README.md | Full docs for both features, all URLs updated to https:// |
| mcp-kali-server.json | Added --api-key, --skip-verify, URL → https:// |
| .gitignore | Added .env, *.pem, *.crt, *.key |

Test plan

API Key:

  • Start server with no args — auto-generates and prints API key
  • Start server with --api-key mykey — uses provided key
  • Request without X-API-Key header → 401
  • Request with wrong key → 403
  • Request with correct key → tool executes
  • /health works without any key

TLS:

  • First run generates cert at ~/.mcp-kali-server/certs/
  • Second run reuses existing cert
  • Client with --skip-verify connects to self-signed server
  • Client without --skip-verify fails on self-signed cert (expected)
  • --insecure-http disables TLS, shows warning
  • --cert/--key with custom cert works

🤖 Generated with Claude Code

Wh0am123 and others added 3 commits March 17, 2026 16:48
Server:
- Add require_api_key decorator protecting all /api/ endpoints
- Health check (/health) remains unauthenticated (standard practice)
- API key set via --api-key flag, --generate-api-key, or MKS_API_KEY env var
- Uses hmac.compare_digest for constant-time comparison (prevents timing attacks)
- Gracefully degrades: no key configured = auth disabled (backward compatible)
- Returns 401 for missing key, 403 for invalid key

Client:
- Add --api-key flag and MKS_API_KEY env var support
- Sends X-API-Key header on all requests when configured

Config/Docs:
- Updated mcp-kali-server.json with --api-key placeholder
- Updated README with auth docs, examples, and all command snippets
- Added .env to .gitignore to prevent accidental key commits

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Server always requires an API key: provided via --api-key, MKS_API_KEY
  env var, or auto-generated at startup if neither is set
- Remove --generate-api-key flag (auto-generation is now the default)
- Remove skip-auth path from require_api_key decorator
- Update README to reflect mandatory auth and remove optional language

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…erts

Server:
- HTTPS by default using self-signed RSA 4096 certificates
- Certs auto-generated on first run, stored in ~/.mcp-kali-server/certs/
- --insecure-http flag to disable TLS (warns loudly, local-only use)
- --cert/--key flags for custom certificates
- Key file permissions restricted to 0600

Client:
- Default server URL changed to https://localhost:5000
- --skip-verify flag for self-signed certificate support
- Suppresses urllib3 InsecureRequestWarning when --skip-verify is used
- verify parameter passed to all requests calls

Config/Docs:
- All URLs updated to https:// throughout README and config
- Documented --insecure-http, --skip-verify, --cert, --key flags
- Added *.pem, *.crt, *.key to .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
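
The key resolution order and the 401/403 check described in the PR summary, written out as an added example using only the Python standard library. This is not code from the pull request; `resolve_api_key`, `authorize`, the `/api/command` path and the treatment of empty values as unset are assumptions of the example.

```python
import hmac
import secrets


def resolve_api_key(cli_key, environ):
    """Pick the server key: --api-key flag > MKS_API_KEY env var > auto-generate.

    Empty strings count as unset (assumption of this example), so an empty
    flag or variable can never become the key.
    """
    if cli_key:
        return cli_key, "flag"
    env_key = environ.get("MKS_API_KEY")
    if env_key:
        return env_key, "env"
    return secrets.token_urlsafe(32), "generated"


def authorize(path, headers, expected_key):
    """Return None if the request may proceed, else the HTTP status to send."""
    if not path.startswith("/api/"):
        return None  # e.g. /health stays open for monitoring
    # Header names are case-insensitive, so normalise before the lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get("x-api-key")
    if not supplied:
        return 401  # missing (or empty) key
    # compare_digest() raises TypeError for non-ASCII str arguments, so
    # compare UTF-8 bytes; a client-sent "clé" then yields 403, not a crash.
    if hmac.compare_digest(supplied.encode("utf-8"), expected_key.encode("utf-8")):
        return None
    return 403  # key present but wrong


if __name__ == "__main__":
    key, source = resolve_api_key(None, {"MKS_API_KEY": "envkey"})  # constructed input
    print(source, authorize("/api/command", {"X-API-Key": "wrong"}, key))
```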