Glama

get_security_audit

Audit website security by checking HTTPS, CSP, HSTS, and vulnerabilities. Analyze specific measures like mixed content issues using Lighthouse MCP for desktop or mobile devices.

Instructions

Perform security audit checking HTTPS, CSP, and other security measures

Input Schema

Name     Required  Description                                                                          Default
checks   No        Specific security checks to perform (https, mixed-content, csp, hsts, vulnerabilities)
device   No        Device to emulate (default: desktop)                                                 desktop
url      Yes       URL to audit

Implementation Reference

  • The tool handler that destructures input parameters, invokes the getSecurityAudit helper, maps audit results to a structured format with a status, computes counts, adds recommendations, and returns a formatted JSON response or an error.
    async ({ url, device, checks }) => {
      try {
        const result = await getSecurityAudit(url, device, checks);
        // Normalise each Lighthouse audit to a 0-100 score plus a pass/fail/warning status.
        const audits = result.audits.map((audit) => {
          const auditItem = audit as {
            id: string;
            title: string;
            description?: string;
            score: number | null;
            scoreDisplayMode?: string;
            displayValue?: string;
          };
          return {
            id: auditItem.id,
            title: auditItem.title,
            description: auditItem.description || "N/A",
            score: auditItem.score !== null ? Math.round((auditItem.score || 0) * 100) : null,
            displayValue: auditItem.displayValue || "N/A",
            // score 1 = pass, 0 = fail; anything else (fractional or null) = warning
            status: auditItem.score === 1 ? "pass" : auditItem.score === 0 ? "fail" : "warning",
          };
        });
        const structuredResult = createStructuredSecurity(
          "Security Audit",
          result.url,
          result.device,
          {
            overallScore: result.overallScore,
            audits,
            auditCount: audits.length,
            passedAudits: audits.filter((a) => a.status === "pass").length,
            failedAudits: audits.filter((a) => a.status === "fail").length,
            fetchTime: result.fetchTime,
          },
          [
            "Ensure all resources are served over HTTPS",
            "Implement Content Security Policy (CSP) headers to prevent XSS attacks",
            "Keep all dependencies and libraries up to date",
            "Use rel=noopener for external links to prevent window.opener attacks",
            "Enable HTTP Strict Transport Security (HSTS) headers",
          ],
        );
        return {
          content: [{ type: "text" as const, text: JSON.stringify(structuredResult, null, 2) }],
        };
      } catch (error: unknown) {
        // Report the failure as a tool error instead of throwing out of the MCP handler.
        const errorMessage = error instanceof Error ? error.message : String(error);
        return {
          content: [
            {
              type: "text" as const,
              text: JSON.stringify(
                { error: "Security audit failed", url, device: device || "desktop", message: errorMessage },
                null,
                2,
              ),
            },
          ],
          isError: true,
        };
      }
    },
  • Input schema definition for the get_security_audit tool, validating the URL (HTTP/HTTPS only), the device (desktop/mobile), and an optional array of security checks.
    export const securityAuditSchema = {
      url: baseSchemas.url,       // shared base schema: http/https URLs only
      device: baseSchemas.device, // shared base schema: "desktop" | "mobile", defaults to desktop
      checks: z
        .array(z.enum(["https", "mixed-content", "csp", "hsts", "vulnerabilities"]))
        .optional()
        .describe("Specific security checks to perform"),
    };
  • Function that registers the get_security_audit tool on the MCP server with its name, description, schema, and handler. Called from src/index.ts.
    export function registerSecurityTools(server: McpServer) {
      server.tool(
        "get_security_audit",
        "Perform security audit checking HTTPS, CSP, and other security measures",
        securityAuditSchema,
        async ({ url, device, checks }) => {
          try {
            const result = await getSecurityAudit(url, device, checks);
            // Normalise each Lighthouse audit to a 0-100 score plus a pass/fail/warning status.
            const audits = result.audits.map((audit) => {
              const auditItem = audit as {
                id: string;
                title: string;
                description?: string;
                score: number | null;
                scoreDisplayMode?: string;
                displayValue?: string;
              };
              return {
                id: auditItem.id,
                title: auditItem.title,
                description: auditItem.description || "N/A",
                score: auditItem.score !== null ? Math.round((auditItem.score || 0) * 100) : null,
                displayValue: auditItem.displayValue || "N/A",
                // score 1 = pass, 0 = fail; anything else (fractional or null) = warning
                status: auditItem.score === 1 ? "pass" : auditItem.score === 0 ? "fail" : "warning",
              };
            });
            const structuredResult = createStructuredSecurity(
              "Security Audit",
              result.url,
              result.device,
              {
                overallScore: result.overallScore,
                audits,
                auditCount: audits.length,
                passedAudits: audits.filter((a) => a.status === "pass").length,
                failedAudits: audits.filter((a) => a.status === "fail").length,
                fetchTime: result.fetchTime,
              },
              [
                "Ensure all resources are served over HTTPS",
                "Implement Content Security Policy (CSP) headers to prevent XSS attacks",
                "Keep all dependencies and libraries up to date",
                "Use rel=noopener for external links to prevent window.opener attacks",
                "Enable HTTP Strict Transport Security (HSTS) headers",
              ],
            );
            return {
              content: [{ type: "text" as const, text: JSON.stringify(structuredResult, null, 2) }],
            };
          } catch (error: unknown) {
            // Report the failure as a tool error instead of throwing out of the MCP handler.
            const errorMessage = error instanceof Error ? error.message : String(error);
            return {
              content: [
                {
                  type: "text" as const,
                  text: JSON.stringify(
                    { error: "Security audit failed", url, device: device || "desktop", message: errorMessage },
                    null,
                    2,
                  ),
                },
              ],
              isError: true,
            };
          }
        },
      );
    }
  • Helper function implementing the core security audit logic: runs the Lighthouse 'best-practices' category, filters the SECURITY_AUDITS results by the requested checks, and computes an overall score.
    export async function getSecurityAudit(
      url: string,
      device: "desktop" | "mobile" = "desktop",
      checks?: string[],
    ) {
      // Only the Lighthouse "best-practices" category is run; SECURITY_AUDITS lists the audit ids read from it.
      const runnerResult = await runRawLighthouseAudit(url, ["best-practices"], device);
      const { lhr } = runnerResult;
      const auditResults = SECURITY_AUDITS.map((auditId) => {
        const audit = lhr.audits[auditId];
        // A requested check selects every audit whose id contains it as a substring;
        // with no checks given, every audit in SECURITY_AUDITS is kept.
        if (audit && (!checks || checks.some((check) => auditId.includes(check)))) {
          return {
            id: auditId,
            title: audit.title,
            description: audit.description,
            score: audit.score,
            scoreDisplayMode: audit.scoreDisplayMode,
            displayValue: audit.displayValue,
          };
        }
        return null;
      }).filter(Boolean);
      // Mean of the raw 0..1 scores; a null score (informative / not applicable) counts as 0.
      // An empty selection would otherwise divide by zero and yield NaN, so it scores 0.
      const overallScore =
        auditResults.length === 0
          ? 0
          : auditResults.reduce(
              (sum, audit: { score: number | null } | null) => sum + (audit?.score || 0),
              0,
            ) / auditResults.length;
      return {
        url: lhr.finalDisplayedUrl,
        device,
        overallScore: Math.round(overallScore * 100),
        audits: auditResults,
        fetchTime: lhr.fetchTime,
      };
    }
  • src/index.ts:28-28 (registration)
    Invocation of registerSecurityTools during server initialization, completing the tool registration.
    registerSecurityTools(server);
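The check filtering and score aggregation of the getSecurityAudit helper above, as an added example that is not code from the lighthouse-mcp-server project; the audit ids stand in for the project's SECURITY_AUDITS constant (not shown on the page) and the Lighthouse results are constructed. It shows that a null-score (not applicable) audit drags the page's average down and that a check matching no audit produces NaN, beside a variant that averages only scored audits.

```typescript
// Added example (not lighthouse-mcp-server code): reproduces the tool's `checks` substring
// filter and status thresholds, then compares the page's score averaging with a variant
// that leaves not-applicable (null-score) audits out of the average.
interface LhAudit { // one Lighthouse audit result, reduced to the fields the tool reads
  id: string;
  title: string;
  score: number | null; // null: informative, notApplicable or errored audit
  scoreDisplayMode?: string;
}

// Assumption: the project's SECURITY_AUDITS constant is not on the page; these are
// real Lighthouse best-practices audit ids used here as stand-ins.
const SECURITY_AUDIT_IDS = ["is-on-https", "csp-xss", "has-hsts"];

// Same rule as getSecurityAudit: a check selects every audit id that contains it.
function selectAudits(lhrAudits: Record<string, LhAudit>, checks?: string[]): LhAudit[] {
  return SECURITY_AUDIT_IDS.map((id) => lhrAudits[id] as LhAudit | undefined).filter(
    (a): a is LhAudit => a !== undefined && (!checks || checks.some((c) => a.id.includes(c))),
  );
}

// Same thresholds as the tool handler: 1 = pass, 0 = fail, anything else = warning.
function statusOf(score: number | null): "pass" | "fail" | "warning" {
  return score === 1 ? "pass" : score === 0 ? "fail" : "warning";
}

// Page's formula: null scores count as 0 and an empty selection divides by zero (NaN).
function naiveOverallScore(audits: LhAudit[]): number {
  return Math.round((audits.reduce((s, a) => s + (a.score || 0), 0) / audits.length) * 100);
}

// Variant: only audits Lighthouse actually scored enter the average; none scored => null.
function overallScore(audits: LhAudit[]): number | null {
  const scored = audits.filter((a) => a.score !== null);
  if (scored.length === 0) return null;
  return Math.round((scored.reduce((s, a) => s + (a.score as number), 0) / scored.length) * 100);
}

// Constructed LHR fragment: HTTPS in use, no effective CSP, HSTS audit not applicable.
const SAMPLE_AUDITS: Record<string, LhAudit> = {
  "is-on-https": { id: "is-on-https", title: "Uses HTTPS", score: 1 },
  "csp-xss": { id: "csp-xss", title: "Ensure CSP is effective against XSS attacks", score: 0 },
  "has-hsts": { id: "has-hsts", title: "Use a strong HSTS policy", score: null, scoreDisplayMode: "notApplicable" },
};

const all = selectAudits(SAMPLE_AUDITS);
console.log(all.map((a) => `${a.id}: ${statusOf(a.score)}`).join(", "));
console.log("page formula:", naiveOverallScore(all), "scored-only:", overallScore(all));
console.log("no match:", naiveOverallScore(selectAudits(SAMPLE_AUDITS, ["vulnerabilities"])));
```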

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/danielsogl/lighthouse-mcp-server'