From 5e35b55e79170021dd9423b23c1377d156763bd0 Mon Sep 17 00:00:00 2001
From: Gunnstein Lye <289744+glye@users.noreply.github.com>
Date: Wed, 11 Mar 2026 15:46:43 +0100
Subject: [PATCH] IBX-11291: Added MCP config advice

Ref https://github.com/ibexa/recipes-dev/pull/237
---
 .../security/security_checklist.md                  | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md
index 63c5fdd4be..cfe7fd2c57 100644
--- a/docs/infrastructure_and_maintenance/security/security_checklist.md
+++ b/docs/infrastructure_and_maintenance/security/security_checklist.md
@@ -151,6 +151,19 @@ This means that editors who have access to Code blocks could add malicious JS in
 As site administrator, be aware of this when giving editors access to the Page Builder features, and limit that access only to trusted editors.
 You can [limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages) by defining which page blocks are available to editors.
 
+### Uncomment config for MCP
+
+Uncomment the `ibexa_jwt_mcp` rule in `security.yaml` if you are using Ibexa MCP:
+
+    ```yaml
+        #ibexa_jwt_mcp:
+        #    request_matcher: Ibexa\Mcp\Security\McpRequestMatcher
+        #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
+        #    provider: ibexa
+        #    stateless: true
+        #    jwt: ~
+    ```
+
 ## Symfony
 
 ### `APP_SECRET` and other secrets