
security.test_csp

Test Content Security Policy configuration to identify security vulnerabilities and misconfigurations on target websites.

Instructions

Test Content Security Policy configuration

Input Schema

Name | Required | Description | Default
url  | Yes      | Target URL  | (none)

Implementation Reference

  • Registers the security.test_csp tool using server.tool, including schema and handler. (`server`, `saveFinding`, `formatToolResult` and `ToolResult` are the project's own helpers, imported elsewhere in VulneraMCP.)

```typescript
import axios from 'axios';

server.tool(
  'security.test_csp',
  {
    description: 'Test Content Security Policy configuration',
    inputSchema: {
      type: 'object',
      properties: {
        url: { type: 'string', description: 'Target URL' },
      },
      required: ['url'],
    },
  },
  async ({ url }: any): Promise<ToolResult> => {
    try {
      const response = await axios.get(url, {
        validateStatus: () => true, // keep the headers of 4xx/5xx responses too
        timeout: 15000,
      });
      const cspHeader =
        response.headers['content-security-policy'] ||
        response.headers['x-content-security-policy'];
      const issues: string[] = [];
      const rank = { low: 0, medium: 1, high: 2 };
      let severity: 'low' | 'medium' | 'high' = 'low';
      // Severity may only go up; a later 'medium' finding must not overwrite 'high'.
      const raise = (s: 'low' | 'medium' | 'high') => {
        if (rank[s] > rank[severity]) severity = s;
      };
      if (!cspHeader) {
        issues.push('No CSP header found');
        raise('medium');
      } else {
        // Look at the directive that governs scripts (script-src, else default-src),
        // so that 'unsafe-inline' in style-src alone is not reported as a script-src issue.
        const directives = String(cspHeader).split(';').map((d: string) => d.trim());
        const scriptSrc =
          directives.find((d: string) => d.startsWith('script-src')) ??
          directives.find((d: string) => d.startsWith('default-src')) ??
          '';
        if (scriptSrc.includes("'unsafe-inline'")) {
          issues.push("CSP allows 'unsafe-inline' in script-src");
          raise('high');
        }
        if (cspHeader.includes("'unsafe-eval'")) {
          issues.push("CSP allows 'unsafe-eval'");
          raise('medium');
        }
        if (!cspHeader.includes('default-src')) {
          issues.push('No default-src directive');
          raise('medium');
        }
      }
      if (issues.length > 0 && severity !== 'low') {
        await saveFinding({
          target: url,
          type: 'CSP Misconfiguration',
          severity,
          description: `CSP issues: ${issues.join(', ')}`,
          response: cspHeader || 'No CSP header',
          timestamp: new Date(),
          score: severity === 'high' ? 6 : 4,
        });
      }
      return formatToolResult(true, {
        cspHeader: cspHeader || null,
        issues,
        severity,
        secure: issues.length === 0,
      });
    } catch (error: any) {
      return formatToolResult(false, null, error.message);
    }
  }
);
```

  • The handler fetches the URL, reads the Content-Security-Policy (or legacy X-Content-Security-Policy) header, checks for misconfigurations (missing CSP, 'unsafe-inline' in script-src, 'unsafe-eval', no default-src), saves a finding when issues are present with a severity above low, and returns a formatted result.
  • The input schema requires a single 'url' string parameter (see the inputSchema object above).
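The checks above operate on the raw header string. As an added example (not VulneraMCP's own code), the following standalone analyzer applies the same checks to a parsed policy, scoping them to the directive that actually governs scripts and honouring the CSP3 rule that a nonce or hash in script-src makes 'unsafe-inline' ignored by modern browsers; the names parseCsp and analyzeCsp are my own, and the policies in the comments are constructed samples.

```typescript
// Added example (not VulneraMCP's own code): evaluate a CSP header value the way a
// reviewer would, scoping checks to the directive that governs scripts and honouring
// the CSP3 rule that a nonce or hash in script-src makes 'unsafe-inline' ignored.
type Severity = 'low' | 'medium' | 'high';
const RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2 };

export interface CspReport { issues: string[]; severity: Severity; secure: boolean; }

// Parse "directive src src; directive ..." into a map of directive name -> source list.
export function parseCsp(header: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

export function analyzeCsp(header: string | undefined): CspReport {
  const issues: string[] = [];
  let severity: Severity = 'low';
  const raise = (s: Severity) => { if (RANK[s] > RANK[severity]) severity = s; };

  if (!header) {
    issues.push('No CSP header found');
    raise('medium');
    return { issues, severity, secure: false };
  }
  const csp = parseCsp(header);
  if (!csp.has('default-src')) { issues.push('No default-src directive'); raise('medium'); }
  // script-src governs scripts; if absent, default-src applies; if both absent, anything goes.
  const scriptSrc = csp.get('script-src') ?? csp.get('default-src');
  if (!scriptSrc) {
    issues.push('No script-src or default-src: scripts may load from anywhere');
    raise('high');
  } else {
    const hasNonceOrHash = scriptSrc.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      issues.push("CSP allows 'unsafe-inline' for scripts");
      raise('high');
    }
    if (scriptSrc.includes("'unsafe-eval'")) { issues.push("CSP allows 'unsafe-eval' for scripts"); raise('medium'); }
    if (scriptSrc.includes('*')) { issues.push("Wildcard '*' source for scripts"); raise('high'); }
  }
  return { issues, severity, secure: issues.length === 0 };
}
```

A policy such as `style-src 'unsafe-inline'` with no script-src is reported for the missing script controls rather than as a script-src 'unsafe-inline' finding, which is the distinction the substring check in the handler cannot make.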

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/telmon95/VulneraMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server