Skip to main content
Glama

Check Headers

check_headers
Read-onlyIdempotent

Validate HTTP security headers (CSP, HSTS, X-Frame-Options) against best practices. Test header configuration before deployment or for non-public servers.

Instructions

Validate HTTP security headers you provide (JSON): CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy against best practices. Use to test header config before deployment or validate non-public servers; use scan_headers to fetch live. Free: 30/hr, Pro: 500/hr. By default header values are truncated to 500 chars; pass include='full' for the full raw value. Returns {total, by_severity, findings}. No external requests.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
headersYesJSON string of HTTP header name-value pairs to validate. Example: '{"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}'. Include only security-relevant headers you want to analyze.
includeNoDetail level. Default ('') returns slim findings — raw header values capped at 500 chars with total_value_length carrying the honest pre-truncation length. Pass 'full' to restore the full raw value. Allowed: '' or 'full'.

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description adds behavioral context beyond annotations: it states 'No external requests' (confirming readOnlyHint and destructiveHint), explains default truncation to 500 chars with include='full' option, and describes the return structure {total, by_severity, findings}. No contradiction with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise at 4 sentences, front-loading the core purpose, then guidelines, then details. Every sentence provides unique value with no redundancy or wasted words.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the presence of an output schema (not shown but mentioned in context) and the tool's simplicity, the description covers purpose, usage, alternatives, limits, truncation behavior, return structure, and safety. It feels complete for an agent to decide and use correctly.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Both parameters have schema descriptions covering their purpose, types, and constraints (100% coverage). The description adds a note to include only security-relevant headers and explains the include parameter slightly further, but the schema already does a good job. Baseline 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool validates HTTP security headers (CSP, HSTS, etc.) against best practices. It distinguishes from sibling tool scan_headers by specifying when to use each: use check_headers for offline testing, use scan_headers to fetch live headers.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly says when to use this tool (test config before deployment, validate non-public servers) and mentions the alternative scan_headers. It also provides rate limits (30/hr free, 500/hr pro). It could be more explicit about when not to use, but the information is clear.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/UPinar/contrastapi'

If you have feedback or need assistance with the MCP directory API, please join our Discord server