modelman is a secure local development tool for testing MCP servers. This document outlines the security measures we've implemented to keep your testing environment safe.
modelman includes several layers of security protection designed specifically for local development:
- Backend binds exclusively to
localhost:8008 - Cannot be accessed from external networks
- Protected against remote attack vectors including CVE-2025-49596
- Automatic session token authentication
- Transparent to users - no manual setup required
- Protects against unauthorized localhost access
- Strict origin validation
- Only accepts requests from modelman's own frontend
- Prevents cross-site request attacks
Sensible rate limits prevent accidental overload:
- 30 requests per minute per server
- Automatically resets every 60 seconds
- More than enough for normal testing workflows
All activity is logged to ~/.modelman/audit.log for transparency:
- Server connections
- Tool executions
- Authentication events
View your audit log: tail -f ~/.modelman/audit.log
modelman is designed to be secure by default. Just follow these simple guidelines:
β Good to know:
- modelman only binds to localhost - it can't be accessed externally
- All requests are authenticated automatically
- Activity is logged for transparency
- Rate limiting prevents accidental overload
π‘ Optional best practices:
- Review audit logs if you're curious:
tail -f ~/.modelman/audit.log - Keep modelman updated for the latest improvements
Want to see what modelman is doing under the hood?
# View audit log
tail -f ~/.modelman/audit.log
# Check backend health
curl http://localhost:8008/health
# Review OAuth tokens
sqlite3 ~/.modelman/modelman-mcp.db "SELECT server_id FROM oauth_tokens;"modelman uses a secure client-server architecture:
Browser (port 8009) β Backend (localhost:8008) β MCP Servers
- Frontend and backend communicate over authenticated localhost connection
- Backend acts as secure proxy to external MCP servers
- All requests require valid session token
- Activity logged for transparency
Enhanced security features for safe local development:
- Session token authentication
- Rate limiting (30 req/min)
- Audit logging to
~/.modelman/audit.log - CORS validation
- Comprehensive security documentation
Security questions or found an issue?
- Open an issue: github.com/portkey-ai/modelman/issues
- Read the detailed assessment: SECURITY_ASSESSMENT.md
Version: 0.3.0 | Updated: October 24, 2025