Lock Down MCP Servers with --strict-mcp-config
By default, Claude Code loads MCP servers from multiple sources: your user settings, project settings, local settings, and any --mcp-config files you pass on the command line. In automation or security-sensitive environments, that's too many moving parts.
The --strict-mcp-config flag tells Claude to only use MCP servers from the config file you specify, ignoring all other sources:
claude --strict-mcp-config --mcp-config ./approved-servers.json
Your approved-servers.json might look like this:
{
"mcpServers": {
"postgres": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-postgres", "postgresql://localhost/mydb"]
}
}
}
With --strict-mcp-config, only the PostgreSQL server from that file will be available. Any MCP servers configured in ~/.claude/settings.json or .claude/settings.json are silently ignored.
This is essential for CI/CD pipelines and shared environments where you need reproducible, predictable tool access:
# CI pipeline with exactly the servers needed for this job
claude --strict-mcp-config \
--mcp-config ./ci-mcp-servers.json \
-p "Run the database migration checks"
It also prevents a project's .claude/settings.json from adding unexpected MCP servers that could access resources you don't want Claude touching in an automated run.
In automation, predictability beats flexibility. Lock down your MCP servers.
Log in to leave a comment.
MCP servers aren't just for third-party integrations — you can build your own to give Claude direct access to your internal tools, databases, APIs, and workflows. A custom MCP server turns any system your team uses into a tool Claude can call natively from your session.
MCP servers can be scoped at three levels — user (available everywhere you work), project (shared with the team via version control), or enterprise (managed by your organization). Pick the right scope so each project gets exactly the tools it needs without cluttering unrelated ones.
Instead of manually editing settings JSON to add MCP servers, use the claude mcp command — add servers with one line, list what's configured, remove ones you don't need, and scope them to the right level, all from the terminal.