Why Default-Deny Egress Matters for MCP Server Hosting

An MCP server with unrestricted outbound network access can exfiltrate anything it touches. Default-deny egress — blocking all outbound traffic except a declared allowlist — is the network layer of MCP security.