
security.test_csp

Test Content Security Policy configurations to identify security vulnerabilities and misconfigurations in web applications.

Instructions

Test Content Security Policy configuration

Input Schema

Name | Required | Description | Default
url | Yes | Target URL | —

Implementation Reference

  • Handler function that performs CSP testing by fetching the target URL, parsing CSP headers, checking for common misconfigurations like unsafe-inline or unsafe-eval, logging findings if issues detected, and returning results.
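    /**
     * Fetch `url`, read its Content-Security-Policy header and report the
     * script-related weaknesses a reviewer would flag first:
     *  - no enforced CSP header at all (a `Content-Security-Policy-Report-Only`
     *    header is not enforced by browsers and is deliberately not counted);
     *  - only the legacy `X-Content-Security-Policy` header, which current
     *    browsers ignore;
     *  - `'unsafe-inline'` / `'unsafe-eval'` in the directive that governs
     *    scripts (`script-src`, falling back to `default-src`);
     *  - no `default-src` fallback directive.
     *
     * The reported severity is the highest severity of any finding. Findings of
     * medium or higher severity are persisted via `saveFinding`.
     *
     * @param url - target to fetch; must be an absolute http(s) URL.
     * @returns a successful ToolResult wrapping `{ cspHeader, issues, severity,
     *   secure }`, or a failed ToolResult carrying the error message when the
     *   URL is invalid or the request fails (network error, timeout).
     */
    async ({ url }: any): Promise<ToolResult> => {
      type Level = 'low' | 'medium' | 'high';
      const rank = { low: 0, medium: 1, high: 2 } as const;
      try {
        // Refuse anything that is not an absolute http(s) URL before making a
        // request on the caller's behalf; `new URL` throws on malformed input.
        if (typeof url !== 'string' || url.trim() === '') {
          return formatToolResult(false, null, 'url must be a non-empty string');
        }
        const parsedUrl = new URL(url);
        if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
          return formatToolResult(false, null, `unsupported URL scheme: ${parsedUrl.protocol}`);
        }

        const response = await axios.get(url, {
          validateStatus: () => true, // error pages still carry headers worth checking
          timeout: 15000,
        });

        // Header values may be a string, a string[] (repeated header) or
        // something else depending on the client version; normalise to text
        // and treat empty values as absent.
        const headerText = (value: unknown): string | undefined => {
          if (value == null) return undefined;
          const text = Array.isArray(value) ? value.join(', ') : String(value);
          return text.trim() === '' ? undefined : text;
        };
        const standardHeader = headerText(response.headers['content-security-policy']);
        const legacyHeader = headerText(response.headers['x-content-security-policy']);
        const cspHeader = standardHeader ?? legacyHeader;

        // Each finding carries its own level; the overall severity is derived
        // afterwards so a later medium finding can never overwrite an earlier
        // high one.
        const findings: Array<{ message: string; level: Level }> = [];

        if (cspHeader === undefined) {
          findings.push({ message: 'No CSP header found', level: 'medium' });
        } else {
          if (standardHeader === undefined) {
            findings.push({
              message: 'Only the legacy X-Content-Security-Policy header is set; current browsers ignore it',
              level: 'medium',
            });
          }

          // Parse "name value value; name ..." into a directive map. Names and
          // sources are lower-cased; per the CSP spec the first occurrence of a
          // directive wins and later duplicates are ignored.
          const directives = new Map<string, string[]>();
          for (const clause of cspHeader.split(';')) {
            const tokens = clause.trim().split(/\s+/).filter((t) => t !== '');
            const name = tokens[0];
            if (name === undefined) continue;
            const key = name.toLowerCase();
            if (!directives.has(key)) {
              directives.set(key, tokens.slice(1).map((t) => t.toLowerCase()));
            }
          }

          // Scripts are governed by script-src, falling back to default-src;
          // 'unsafe-inline' in some other directive (e.g. style-src) is not a
          // script-injection issue and is no longer reported as one.
          const scriptSources = directives.get('script-src') ?? directives.get('default-src') ?? [];
          // Browsers that honour nonce/hash sources ignore 'unsafe-inline', so
          // with one present it is only a legacy fallback: report at low severity.
          const hasNonceOrHash = scriptSources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
          if (scriptSources.includes("'unsafe-inline'")) {
            findings.push(
              hasNonceOrHash
                ? {
                    message: "CSP allows 'unsafe-inline' in script-src (ignored by browsers that honour the nonce/hash sources)",
                    level: 'low',
                  }
                : { message: "CSP allows 'unsafe-inline' in script-src", level: 'high' },
            );
          }
          if (scriptSources.includes("'unsafe-eval'")) {
            findings.push({ message: "CSP allows 'unsafe-eval'", level: 'medium' });
          }
          if (!directives.has('default-src')) {
            findings.push({ message: 'No default-src directive', level: 'medium' });
          }
        }

        const issues = findings.map((f) => f.message);
        const severity = findings.reduce<Level>(
          (worst, f) => (rank[f.level] > rank[worst] ? f.level : worst),
          'low',
        );

        // Low-severity findings are returned to the caller but not persisted.
        if (issues.length > 0 && severity !== 'low') {
          await saveFinding({
            target: url,
            type: 'CSP Misconfiguration',
            severity,
            description: `CSP issues: ${issues.join(', ')}`,
            response: cspHeader ?? 'No CSP header',
            timestamp: new Date(),
            score: severity === 'high' ? 6 : 4,
          });
        }

        return formatToolResult(true, {
          cspHeader: cspHeader ?? null,
          issues,
          severity,
          secure: issues.length === 0,
        });
      } catch (error: unknown) {
        // URL parse failures and axios network/timeout errors both land here.
        const message = error instanceof Error ? error.message : String(error);
        return formatToolResult(false, null, message);
      }
    }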
  • Schema definition for the tool input, requiring a 'url' parameter.
    // Tool metadata and JSON Schema for the input. The schema only requires
    // `url` to be present and of type string; it does not constrain the value
    // further, so any check that it is an absolute http(s) URL has to happen at
    // runtime rather than at schema validation.
    {
      description: 'Test Content Security Policy configuration',
      inputSchema: {
        type: 'object',
        properties: {
          url: { type: 'string', description: 'Target URL' },
        },
        required: ['url'],
      },
    },
  • Registration of the 'security.test_csp' tool on the MCP server, including name, schema, and handler function.
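    type CspSeverity = 'low' | 'medium' | 'high';
    interface CspFinding {
      message: string;
      level: CspSeverity;
    }
    const CSP_SEVERITY_RANK = { low: 0, medium: 1, high: 2 } as const;

    /**
     * Coerce a response header value to text. Values may be a string, a
     * string[] (repeated header) or something else depending on the HTTP
     * client version; missing or empty values become `undefined`.
     */
    function cspHeaderText(value: unknown): string | undefined {
      if (value == null) return undefined;
      const text = Array.isArray(value) ? value.join(', ') : String(value);
      return text.trim() === '' ? undefined : text;
    }

    /**
     * Parse a CSP policy string ("name value value; name ...") into a
     * directive-name -> source-list map. Names and sources are lower-cased;
     * per the CSP spec the first occurrence of a directive wins and later
     * duplicates are ignored.
     */
    function parseCspDirectives(policy: string): Map<string, string[]> {
      const directives = new Map<string, string[]>();
      for (const clause of policy.split(';')) {
        const tokens = clause.trim().split(/\s+/).filter((t) => t !== '');
        const name = tokens[0];
        if (name === undefined) continue;
        const key = name.toLowerCase();
        if (!directives.has(key)) {
          directives.set(key, tokens.slice(1).map((t) => t.toLowerCase()));
        }
      }
      return directives;
    }

    /**
     * Report the script-related weaknesses of one enforced CSP policy:
     * 'unsafe-inline' / 'unsafe-eval' in the directive that governs scripts
     * (script-src, falling back to default-src) and a missing default-src.
     * Several policies joined into one string are evaluated as a single
     * policy, which may over-report for sites that send multiple CSP headers.
     */
    function analyzeCspPolicy(policy: string): CspFinding[] {
      const findings: CspFinding[] = [];
      const directives = parseCspDirectives(policy);
      const scriptSources = directives.get('script-src') ?? directives.get('default-src') ?? [];
      // Browsers that honour nonce/hash sources ignore 'unsafe-inline', so with
      // one present it is only a legacy fallback and is reported at low severity.
      const hasNonceOrHash = scriptSources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (scriptSources.includes("'unsafe-inline'")) {
        findings.push(
          hasNonceOrHash
            ? {
                message: "CSP allows 'unsafe-inline' in script-src (ignored by browsers that honour the nonce/hash sources)",
                level: 'low',
              }
            : { message: "CSP allows 'unsafe-inline' in script-src", level: 'high' },
        );
      }
      if (scriptSources.includes("'unsafe-eval'")) {
        findings.push({ message: "CSP allows 'unsafe-eval'", level: 'medium' });
      }
      if (!directives.has('default-src')) {
        findings.push({ message: 'No default-src directive', level: 'medium' });
      }
      return findings;
    }

    /** Highest severity across `findings`; 'low' when there are none. */
    function worstCspSeverity(findings: readonly CspFinding[]): CspSeverity {
      return findings.reduce<CspSeverity>(
        (worst, f) => (CSP_SEVERITY_RANK[f.level] > CSP_SEVERITY_RANK[worst] ? f.level : worst),
        'low',
      );
    }

    // CSP Testing
    server.tool(
      'security.test_csp',
      {
        description: 'Test Content Security Policy configuration',
        inputSchema: {
          type: 'object',
          properties: {
            url: { type: 'string', description: 'Target URL' },
          },
          required: ['url'],
        },
      },
      /**
       * Fetch `url`, read its Content-Security-Policy header and report the
       * weaknesses found by `analyzeCspPolicy`, plus two header-level checks:
       * no enforced CSP header at all (a Content-Security-Policy-Report-Only
       * header is not enforced and is deliberately not counted) and only the
       * legacy X-Content-Security-Policy header, which current browsers ignore.
       *
       * Severity is the highest severity of any finding; findings of medium or
       * higher severity are persisted via `saveFinding`.
       *
       * @param url - target to fetch; must be an absolute http(s) URL.
       * @returns a successful ToolResult wrapping `{ cspHeader, issues,
       *   severity, secure }`, or a failed ToolResult with the error message
       *   when the URL is invalid or the request fails.
       */
      async ({ url }: any): Promise<ToolResult> => {
        try {
          // Refuse anything that is not an absolute http(s) URL before making
          // a request on the caller's behalf; `new URL` throws on bad input.
          if (typeof url !== 'string' || url.trim() === '') {
            return formatToolResult(false, null, 'url must be a non-empty string');
          }
          const parsedUrl = new URL(url);
          if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
            return formatToolResult(false, null, `unsupported URL scheme: ${parsedUrl.protocol}`);
          }

          const response = await axios.get(url, {
            validateStatus: () => true, // error pages still carry headers worth checking
            timeout: 15000,
          });

          const standardHeader = cspHeaderText(response.headers['content-security-policy']);
          const legacyHeader = cspHeaderText(response.headers['x-content-security-policy']);
          const cspHeader = standardHeader ?? legacyHeader;

          // Findings carry their own level; the overall severity is derived
          // afterwards so a later medium finding never overwrites a high one.
          const findings: CspFinding[] = [];
          if (cspHeader === undefined) {
            findings.push({ message: 'No CSP header found', level: 'medium' });
          } else {
            if (standardHeader === undefined) {
              findings.push({
                message: 'Only the legacy X-Content-Security-Policy header is set; current browsers ignore it',
                level: 'medium',
              });
            }
            findings.push(...analyzeCspPolicy(cspHeader));
          }

          const issues = findings.map((f) => f.message);
          const severity = worstCspSeverity(findings);

          // Low-severity findings are returned to the caller but not persisted.
          if (issues.length > 0 && severity !== 'low') {
            await saveFinding({
              target: url,
              type: 'CSP Misconfiguration',
              severity,
              description: `CSP issues: ${issues.join(', ')}`,
              response: cspHeader ?? 'No CSP header',
              timestamp: new Date(),
              score: severity === 'high' ? 6 : 4,
            });
          }

          return formatToolResult(true, {
            cspHeader: cspHeader ?? null,
            issues,
            severity,
            secure: issues.length === 0,
          });
        } catch (error: unknown) {
          // URL parse failures and axios network/timeout errors both land here.
          const message = error instanceof Error ? error.message : String(error);
          return formatToolResult(false, null, message);
        }
      }
    );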
