All posts
June 18, 20263 min read

MCP gateways: what they mean for your prompt-injection risk (on Postgres)

An offboarded contractor’s CI pipeline still pushes queries to your Postgres instance through an MCP gateway, exposing prompt-injection risk. The pipeline reuses a service‑account token that was never rotated, and the queries contain dynamically generated prompts that are fed to a large language model for code suggestions. Because the gateway simply forwards the traffic, a malicious prompt can cause the model to retrieve or modify data it should never see. The organization relies on the fact tha

Free White Paper

Prompt Injection Prevention + Risk-Based Access Control: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An offboarded contractor’s CI pipeline still pushes queries to your Postgres instance through an MCP gateway, exposing prompt-injection risk. The pipeline reuses a service‑account token that was never rotated, and the queries contain dynamically generated prompts that are fed to a large language model for code suggestions. Because the gateway simply forwards the traffic, a malicious prompt can cause the model to retrieve or modify data it should never see. The organization relies on the fact that the database itself enforces row‑level permissions, but the prompt-injection vector bypasses those checks, leaking sensitive columns in model responses. Without a control point that can inspect and filter the content flowing through the gateway, the risk remains invisible until an audit discovers unexpected data exfiltration.

Why prompt‑injection risk matters for MCP gateways

Prompt‑injection risk is the possibility that an adversary can influence the text sent to a language model in a way that causes the model to reveal or act on data it should not. In an MCP gateway scenario the model sits downstream of the gateway, so any prompt that reaches it originates from the client side of the connection. If the gateway does not examine the payload, an attacker who gains the ability to craft a query can embed malicious instructions that cause the model to output confidential schema, passwords, or business logic.

The missing enforcement layer

Most organizations rely on three pieces of setup: an identity provider that issues OIDC or SAML tokens, a service account that holds static credentials for the database, and network rules that allow the MCP gateway to reach Postgres. This setup decides who may start a session, but it does not enforce what the session can do once the traffic reaches the gateway. The request still travels directly to the database and then to the model without any intermediate inspection. Consequently, there is no audit of the exact prompts, no real‑time masking of sensitive fields, and no way to require a human to approve risky queries.

hoop.dev as the data‑path gateway

hoop.dev is a Layer 7 gateway that sits in the data path between the client and Postgres. By placing the enforcement point in the gateway, hoop.dev becomes the only component that can inspect, transform, and log the traffic before it reaches the database or the model. The gateway integrates with existing identity providers, so the setup stage still determines who may connect, but all policy decisions happen inside hoop.dev.

Continue reading? Get the full guide.

Prompt Injection Prevention + Risk-Based Access Control: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Key safeguards provided by hoop.dev

  • Inline prompt filtering. hoop.dev scans each query for patterns that indicate injection attempts and can block the request before it reaches the model.
  • Just‑in‑time approval. When a query matches a high‑risk rule, hoop.dev routes it to an approver for manual review, preventing accidental exposure.
  • Session recording. hoop.dev records the full request and response stream, giving auditors a replayable trail of every prompt that was sent to the language model.
  • Real‑time data masking. Sensitive columns identified in the response can be redacted on the fly, ensuring the model never sees raw values.
  • Identity‑aware policy. Because hoop.dev validates the OIDC token at the gateway, policies can be scoped to specific groups or roles, limiting which users may issue privileged prompts.

All of these outcomes exist only because hoop.dev sits in the data path. If the gateway were removed, the same token and network rules would still allow traffic, but none of the filtering, approval, or recording would occur.

Getting started

To protect your Postgres‑backed MCP gateway, follow the getting‑started guide to deploy hoop.dev alongside your existing agent. The documentation explains how to connect the gateway to Postgres, configure OIDC authentication, and define prompt‑filtering rules. For deeper insight into policy design and masking capabilities, see the learn section.

FAQ

Is hoop.dev required to use an existing OIDC provider?Yes. The setup stage still relies on your identity provider to issue tokens. hoop.dev validates those tokens at the gateway but does not replace the provider.Can hoop.dev block every malicious prompt automatically?hoop.dev can block known patterns and route unknown high‑risk queries for manual approval. Continuous rule tuning is recommended.Does hoop.dev store query logs permanently?hoop.dev records each session for replay. Retention policies are configurable in the deployment, allowing you to meet audit requirements.

Explore the source code and contribute improvements on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot