A secure MCP server for PostgreSQL and MySQL with header-based configuration.
npm install
npm run dev
Server runs on http://localhost:3000
All configuration is via HTTP headers on MCP initialization:
x-cfg-db-type: pg or mysql
x-cfg-db-host: localhost
x-cfg-db-port: 5432 or 3306
x-cfg-db-user: your_username
x-cfg-db-password: your_password
x-cfg-db-names: database1,database2
x-cfg-db-schemas: public,other (PostgreSQL only, default: public)
x-cfg-db-ssl: true or false (default: false)
x-cfg-db-readonly: true or false (default: false)
x-cfg-db-pool: 1-20 (default: 1)
x-cfg-allow-raw-query: true or false (DANGEROUS - default: false)
x-cfg-session-timeout: milliseconds (default: 300000 = 5min)
x-cfg-tools-allowlist: tool1,tool2 (optional)
Create .cursor/mcp.json or .vscode/mcp.json:
{
  "servers": {
    "database": {
      "url": "http://localhost:3000/mcp",
      "type": "http",
      "headers": {
        "x-cfg-db-type": "mysql",
        "x-cfg-db-host": "localhost",
        "x-cfg-db-port": "3306",
        "x-cfg-db-user": "root",
        "x-cfg-db-password": "password",
        "x-cfg-db-names": "mydb,testdb",
        "x-cfg-db-readonly": "false",
        "x-cfg-db-pool": "5"
      }
    }
  }
}
query_select - Execute SELECT queries
{
  "database": "mydb",
  "table": "users",
  "columns": ["id", "name", "email"],
  "where": [
    {"column": "status", "op": "=", "value": "active"}
  ],
  "limit": 10
}
query_insert - Insert single row
{
  "database": "mydb",
  "table": "users",
  "data": {"name": "John", "email": "john@example.com"}
}
query_update - Update single row (WHERE required)
{
  "database": "mydb",
  "table": "users",
  "data": {"status": "inactive"},
  "where": [{"column": "id", "op": "=", "value": 123}]
}
query_delete - Delete single row (WHERE required)
{
  "database": "mydb",
  "table": "users",
  "where": [{"column": "id", "op": "=", "value": 123}]
}
query_raw
{
  "database": "mydb",
  "query": "SELECT * FROM users WHERE status = ? AND age > ?",
  "params": ["active", 18]
}
WARNING: This tool bypasses all query validation and safeguards. Only enable it via x-cfg-allow-raw-query: true in trusted environments. Never expose to untrusted users.
get_databases - List allowed databases
get_tables - List tables in database
{
  "database": "mydb",
  "schema": "public"
}
get_table_schema - Show table structure with foreign keys
{
  "database": "mydb",
  "table": "users"
}
get_sequences - List sequences (PG) or AUTO_INCREMENT (MySQL)
get_custom_types - List custom types (PostgreSQL only)
get_functions - List functions and procedures
get_function_source - View function/procedure code
{
  "database": "mydb",
  "name": "calculate_total"
}
execute_function - Execute function or procedure
{
  "database": "mydb",
  "name": "my_function",
  "params": [100, "value"]
}
=, !=, <, <=, >, >=, in, not in, like, ilike, between, is, is not
- ✅ No raw SQL by default (uses Knex query builder)
- ✅ Raw SQL queries blocked unless explicitly enabled
- ✅ Required WHERE for UPDATE/DELETE
- ✅ Single row mutations only
- ✅ Database/schema allowlists
- ✅ Read-only mode available
- ✅ Per-session connection pools
- ✅ Automatic timeout cleanup
⚠️ Optional raw query tool (disabled by default for security)
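How the safeguards listed above (operator allowlist, required WHERE, values kept out of the SQL text) can fit together, as an added example that is not the project's own code; the README says the server itself uses Knex. The function names, the identifier pattern, the PostgreSQL-style quoting and the null-only handling of `is` are assumptions made for this sketch.

```javascript
// Added illustration; names are hypothetical, not taken from the project.
const ALLOWED_OPS = new Set(["=", "!=", "<", "<=", ">", ">=", "in", "not in",
  "like", "ilike", "between", "is", "is not"]); // operator list from this README
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/; // assumed identifier policy

function quoteIdent(name) {
  if (typeof name !== "string" || !IDENT.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`; // PostgreSQL-style quoting (assumption)
}

// Turn one {column, op, value} item into SQL text plus bound parameters.
function compileCondition({ column, op, value }, params) {
  const o = String(op).toLowerCase();
  if (!ALLOWED_OPS.has(o)) throw new Error(`operator not allowed: ${op}`);
  const col = quoteIdent(column);
  const bind = (v) => {
    if (v !== null && typeof v === "object") throw new Error("value must be a scalar");
    params.push(v); // the value travels as a parameter, never as SQL text
    return "?";
  };
  if (o === "in" || o === "not in") {
    if (!Array.isArray(value) || value.length === 0) throw new Error(`${o} needs a non-empty array`);
    return `${col} ${o.toUpperCase()} (${value.map(bind).join(", ")})`;
  }
  if (o === "between") {
    if (!Array.isArray(value) || value.length !== 2) throw new Error("between needs [low, high]");
    return `${col} BETWEEN ${bind(value[0])} AND ${bind(value[1])}`;
  }
  if (o === "is" || o === "is not") {
    if (value !== null) throw new Error(`${o} accepts only null here`);
    return `${col} ${o.toUpperCase()} NULL`;
  }
  return `${col} ${o.toUpperCase()} ${bind(value)}`;
}

// Refuse a DELETE-style request that arrives without a WHERE list.
function compileDelete({ table, where }) {
  if (!Array.isArray(where) || where.length === 0) throw new Error("WHERE is required");
  const params = [];
  const clause = where.map((c) => compileCondition(c, params)).join(" AND ");
  return { sql: `DELETE FROM ${quoteIdent(table)} WHERE ${clause}`, params };
}

// Constructed request in the shape of the query_delete example above.
console.log(compileDelete({ table: "users", where: [{ column: "id", op: "=", value: 123 }] }));
```

A request whose `column` or `op` carries SQL fragments is rejected before any statement is built, which is the property `query_raw` gives up.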
curl http://localhost:3000/health
npm start # Run with ts-node
npm run dev # Development with nodemon
npm run build # Build to dist/
npm run serve # Run built version
ISC