mcp-server-security-snapshot

MCP server that exposes Website Security Snapshot API as a tool for Claude and other AI agents.

Scan any public URL's HTTP security headers directly from your AI assistant — payment settled automatically on-chain via x402 (0.05 USDC on Base).

Network status: Currently on Base Sepolia testnet. Mainnet (Base) goes live 2026-03-28. Use "NETWORK": "base-sepolia" for testing before that date; switch to "NETWORK": "base" on 2026-03-28.

Tools Provided

scan_security_headers

Checks:

• HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy

• HTTPS enforcement and redirect chain

• Presence of security.txt, robots.txt, sitemap.xml

Setup

Requirements

• A wallet with USDC on Base (mainnet) or Base Sepolia (testnet)

• Get testnet USDC free: https://faucet.circle.com

Claude Desktop

Add to claude_desktop_config.json (usually ~/Library/Application Support/Claude/ on macOS, %APPDATA%\Claude\ on Windows):

{
  "mcpServers": {
    "security-snapshot": {
      "command": "npx",
      "args": ["-y", "mcp-server-security-snapshot"],
      "env": {
        "WALLET_PRIVATE_KEY": "0xYOUR_PRIVATE_KEY",
        "NETWORK": "base"
      }
    }
  }
}

For testnet (free USDC from faucet):

{
  "env": {
    "WALLET_PRIVATE_KEY": "0xYOUR_TESTNET_KEY",
    "NETWORK": "base-sepolia"
  }
}

Run Directly

WALLET_PRIVATE_KEY=0x... NETWORK=base npx mcp-server-security-snapshot

Environment Variables

Example Usage in Claude

Once configured, ask Claude:

"Check the security headers on https://example.com"

"Does https://mysite.com have HSTS and CSP enabled?"

"Audit the security hygiene of https://example.com and tell me what's missing"

Claude will call scan_security_headers, pay 0.05 USDC from your wallet, and return the results.

Security Note

Your WALLET_PRIVATE_KEY is used to sign USDC transactions. Use a dedicated wallet with only enough USDC for your intended usage. Do not use your main wallet.

Links

• API docs

• OpenAPI spec

• x402 protocol

License

MIT