scan_security_headers
Audit website security headers to identify vulnerabilities in HSTS, CSP, X-Frame-Options, and other HTTP protections before recommending improvements.
Instructions
Scan a public URL and return its HTTP security header status. Checks: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HTTPS enforcement, redirect chain, security.txt, robots.txt, sitemap.xml. Costs 0.05 USDC per call (paid automatically from the configured wallet). Use this to audit a website's security hygiene before recommending improvements.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | The public URL to scan (e.g. https://example.com) | |
Implementation Reference
- src/index.ts:111-157 (handler): the logic for `scan_security_headers` tool execution. It validates inputs, performs a payment-enabled fetch (using `fetch402`), and returns the scan result.

```ts
if (name === "scan_security_headers") {
  const parsed = ScanInputSchema.safeParse(args);
  if (!parsed.success) {
    throw new McpError(
      ErrorCode.InvalidParams,
      `Invalid input: ${parsed.error.errors.map((e) => e.message).join(", ")}`
    );
  }
  const { url } = parsed.data;
  let res: Response;
  try {
    res = await fetch402(`${BASE_URL}/v1/snapshot`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ url }),
    });
  } catch (err) {
    throw new McpError(
      ErrorCode.InternalError,
      `Request failed: ${err instanceof Error ? err.message : String(err)}`
    );
  }
  if (res.status === 400) {
    const errBody = await res.json();
    return {
      content: [
        {
          type: "text",
          text: `Error scanning ${url}: ${errBody.error} (${errBody.error_type})`,
        },
      ],
      isError: true,
    };
  }
  if (!res.ok) {
    throw new McpError(ErrorCode.InternalError, `API returned unexpected status ${res.status}`);
  }
  const data = await res.json();
  return {
    content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
  };
}
```

- src/index.ts:50-52 (schema): the Zod validation schema `ScanInputSchema` for the `scan_security_headers` tool input.

```ts
const ScanInputSchema = z.object({
  url: z.string().url("Must be a valid URL (e.g. https://example.com)"),
});
```

- src/index.ts:63-81 (registration): definition and registration of the `scan_security_headers` tool in the `ListToolsRequestSchema` handler.

```ts
{
  name: "scan_security_headers",
  description:
    "Scan a public URL and return its HTTP security header status. " +
    "Checks: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, " +
    "Permissions-Policy, HTTPS enforcement, redirect chain, security.txt, robots.txt, sitemap.xml. " +
    "Costs 0.05 USDC per call (paid automatically from the configured wallet). " +
    "Use this to audit a website's security hygiene before recommending improvements.",
  inputSchema: {
    type: "object",
    properties: {
      url: {
        type: "string",
        description: "The public URL to scan (e.g. https://example.com)",
      },
    },
    required: ["url"],
  },
},
```
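To make the header checks listed under Instructions concrete, here is an added example (not part of this project) of a local evaluator that grades the six response-header checks the tool reports on; `evaluateSecurityHeaders`, the `Finding` shape, the one-year HSTS threshold and the sample headers are all assumptions of this example, and the network-dependent checks (HTTPS enforcement, redirect chain, security.txt, robots.txt, sitemap.xml) are left out.

```typescript
// Added example, not the project's own code: a local evaluator for the header
// checks the tool reports on. Header names are matched case-insensitively.
type Status = "ok" | "weak" | "missing";
interface Finding { check: string; status: Status; note: string }
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key].trim();
}
function evaluateSecurityHeaders(headers: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  const hsts = getHeader(headers, "strict-transport-security");
  if (!hsts) out.push({ check: "HSTS", status: "missing", note: "no Strict-Transport-Security" });
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    // One year (31536000 s) plus includeSubDomains is the threshold assumed here.
    const ok = maxAge >= 31536000 && /includeSubDomains/i.test(hsts);
    out.push({ check: "HSTS", status: ok ? "ok" : "weak", note: `max-age=${maxAge}` });
  }
  const csp = getHeader(headers, "content-security-policy");
  if (!csp) out.push({ check: "CSP", status: "missing", note: "no Content-Security-Policy" });
  else {
    // 'unsafe-inline' in the script policy removes most of CSP's XSS mitigation value.
    const weak = /(script-src|default-src)[^;]*'unsafe-inline'/i.test(csp);
    out.push({ check: "CSP", status: weak ? "weak" : "ok", note: weak ? "'unsafe-inline' in script policy" : "present" });
  }
  // Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors, is acceptable.
  const xfo = getHeader(headers, "x-frame-options");
  const viaCsp = csp !== undefined && /frame-ancestors/i.test(csp);
  if (xfo && /^(DENY|SAMEORIGIN)$/i.test(xfo)) out.push({ check: "X-Frame-Options", status: "ok", note: xfo });
  else if (viaCsp) out.push({ check: "X-Frame-Options", status: "ok", note: "covered by CSP frame-ancestors" });
  else out.push({ check: "X-Frame-Options", status: xfo ? "weak" : "missing", note: xfo ?? "no clickjacking protection" });
  const xcto = getHeader(headers, "x-content-type-options");
  out.push({ check: "X-Content-Type-Options", status: xcto?.toLowerCase() === "nosniff" ? "ok" : "missing", note: xcto ?? "no nosniff" });
  const rp = getHeader(headers, "referrer-policy");
  const safeRp = ["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"];
  out.push({ check: "Referrer-Policy", status: !rp ? "missing" : safeRp.includes(rp.toLowerCase()) ? "ok" : "weak", note: rp ?? "none" });
  const pp = getHeader(headers, "permissions-policy");
  out.push({ check: "Permissions-Policy", status: pp ? "ok" : "missing", note: pp ?? "none" });
  return out;
}
// Constructed sample response headers (not from any real site) with several weak settings.
const sampleHeaders: Record<string, string> = {
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "unsafe-url",
};
```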