rt_check_http_security
Scans MCP server HTTP/SSE endpoints for missing security headers: HSTS, CORS policy, X-Content-Type-Options, Cache-Control, and insecure cookie flags.
Instructions
Checks the HTTP response security headers of an HTTP/SSE MCP server. Tests: HSTS, CORS policy (Access-Control-Allow-Origin: *), X-Content-Type-Options, Cache-Control, cookie flags (Secure, HttpOnly, SameSite). Only applies to HTTP/SSE transport.
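
The five checks listed above, applied to a single response (added example, not the tool's own code). The `auditResponse` name, the finding ids, and the rule that `Cache-Control` must contain `no-store` are assumptions; the sample responses are constructed.

```javascript
// Added example: `headers` is a plain object of response headers and
// `setCookies` an array of raw Set-Cookie values. Finding ids are hypothetical.
function auditResponse(url, headers, setCookies = []) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // Browsers ignore HSTS sent over plain HTTP, so no TLS is its own finding.
  if (new URL(url).protocol !== "https:") findings.push("no-tls");
  else {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(h["strict-transport-security"] || "");
    if (!m || Number(m[1]) === 0) findings.push("hsts-missing");
  }
  // A wildcard origin lets any web page read the server's responses.
  if (h["access-control-allow-origin"] === "*") findings.push("cors-wildcard");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    findings.push("nosniff-missing");
  // Assumption: responses must be marked no-store to pass.
  if (!/\bno-store\b/i.test(h["cache-control"] || "")) findings.push("cache-control-weak");
  // Each cookie needs all three attributes: Secure, HttpOnly, SameSite.
  for (const raw of setCookies) {
    const [pair, ...attrs] = raw.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
    for (const f of ["secure", "httponly", "samesite"])
      if (!flags.includes(f)) findings.push(`cookie-${name}-no-${f}`);
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const weak = auditResponse(
  "http://localhost:3000/mcp",
  { "Access-Control-Allow-Origin": "*", "Content-Type": "text/event-stream" },
  ["session=abc123; Path=/"]
);
const hardened = auditResponse(
  "https://mcp.example.test/mcp",
  {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://app.example.test",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  },
  ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]
);
console.log({ weak, hardened });
```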
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| env | No | Additional environment variables for stdio | |
| url | No | MCP server URL for HTTP/SSE transport (e.g. 'http://localhost:3000/mcp') | |
| args | No | Command arguments for stdio (e.g. ['run', 'server.js']) | |
| command | No | Server command for stdio transport (e.g. 'node', 'bun', 'npx') | |
| headers | No | Custom HTTP headers (e.g. { 'Authorization': 'Bearer token' }) | |
| timeout_ms | No | Connection timeout in milliseconds (default: 30000) | 30000 |