web-exposure-mcp
This server probes a live deployed URL to confirm whether sensitive files are genuinely publicly accessible, by fetching and validating actual bytes — not just checking HTTP status codes.
scan_web_exposure — Actively scans a live URL for exposed sensitive files, returning only confirmed findings with evidence:
Exposed
.gitdirectories (validates config/HEAD content)Exposed
.envfiles (confirms realKEY=VALUEsecret lines, not HTML)JavaScript source maps (
.js.mapfiles with asources[]array)Backup/SQL dumps and archives (SQL-dump fingerprints or ZIP/gzip magic bytes)
Directory listings (detects
Index of /…autoindex signatures)Sensitive dotfiles (
.htpasswd,.npmrc,.netrc,.aws/credentials,.ssh/id_rsa,.DS_Store, Docker auth)Supports filtering to specific checks via the
onlyparameter and a configurabletimeout_ms
list_exposure_checks — Returns metadata for all available checks (IDs, severity levels, and paths probed), useful for constructing the only filter in scan_web_exposure.
Key characteristics:
Read-only: Never writes anything to the target
No false positives: Validates actual byte content, reads at most 64 KB per file
No API key required: Zero dependencies, runs directly via
npx
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@web-exposure-mcpscan https://staging.myapp.com for exposed secrets"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
web-exposure-mcp
An MCP server that lets an AI agent point at a live deployed URL and confirm whether sensitive files are actually being served to the public — exposed
.git,.envsecrets, JavaScript source maps, backup/SQL dumps, directory listing, and dotfiles — by fetching the bytes and validating the content. Other tools give you a checklist of maybes; this reports only what is genuinely reachable, with evidence.
⚡ Run it in one line, no install, no API key:
npx web-exposure-mcp # MCP server (stdio) for your AI client npx -p web-exposure-mcp web-exposure-scan --url https://your-site.com # one-shot CLI
🤝 Want it done for you? Fixed-scope external-exposure audit — $99 / 24h: I verify every finding live and send a written report with the exact fixes and which credentials to rotate.
$ npx -p web-exposure-mcp web-exposure-scan --url https://demo.example.com
2 critical, 2 high, 1 medium — 5 CONFIRMED via anonymous fetch (39 requests)
CRITICAL /.git/config valid .git served — full source history downloadable
CRITICAL /.env 5 env vars served — API_KEY, DATABASE_URL, JWT_SECRET…
HIGH /main.js.map valid source map — 142 original sources reconstructable
HIGH /backup.sql SQL dump content served
MEDIUM /uploads/ directory listing enabled (Index of /uploads)Why this exists
Publicly-served .git and .env files are routinely called one of the most
common high-impact findings in external attack-surface management — Acunetix,
Invicti and Legba all ship dedicated detections, and live HackerOne reports for
exposed .git/.env are filed continuously. June 2026 saw record
leaked-credential dumps, a large share sourced from live, misconfigured
servers rather than breached databases.
The MCP ecosystem already covers SSL, CORS, security-headers, SEO audits, and code/commit secret scanning (GitHub MCP, GitGuardian) — but no MCP server probes a deployed URL for publicly-served secret files. This fills that gap: your agent can audit the live edge of any deployment, the way an attacker actually sees it.
The hard part isn't requesting /.env — it's avoiding false positives. Most
modern sites answer 200 OK with index.html for every unknown path (SPA
catch-all). web-exposure-mcp therefore reads the bytes and fingerprints the
content (e.g. .git/config must parse as a git config, .env must contain
KEY=VALUE secret lines, an archive must start with the real magic bytes) —
so it flags facts, not guesses.
Related MCP server: mcp-tfstate-reader
Tools (MCP)
Tool | What it does |
| Probe a live URL and return only the secret files genuinely served, with evidence. Args: |
| List every check id, severity and the paths it probes — feed ids into |
What it confirms
Check id | Severity | Confirmed by |
| critical |
|
| critical | dotenv served with ≥2 |
| high |
|
| high | SQL-dump fingerprints, or ZIP/gzip magic bytes in the body |
| medium | the autoindex signature ( |
| high |
|
Every check fires at most once and only when the served bytes prove it. Read-only: the scanner never writes anything to the target, follows no redirects into other hosts, and reads at most 64 KB per file (so it fingerprints a multi-GB backup without downloading it).
Add to your AI client
Claude Desktop / Cursor / any MCP client — add to your mcpServers config:
{
"mcpServers": {
"web-exposure": {
"command": "npx",
"args": ["-y", "web-exposure-mcp"]
}
}
}Then ask your agent: “Scan https://staging.myapp.com for publicly exposed secret files.”
CLI usage
# Probe a live deployment
npx -p web-exposure-mcp web-exposure-scan --url https://your-site.com
# Run only specific checks
npx -p web-exposure-mcp web-exposure-scan --url https://your-site.com --only git_exposed,env_exposed
# Tighter per-request timeout
npx -p web-exposure-mcp web-exposure-scan --url https://your-site.com --timeout 8000Output is JSON on stdout (pipe into CI) and a one-line summary on stderr.
Install (optional)
npm i -g web-exposure-mcp
web-exposure-mcp # start the MCP server (stdio)
web-exposure-scan --url https://site.com # one-shot scanZero dependencies, pure Node ≥18. Every request goes straight from the tool to the target you name — nothing leaves your machine.
Sister tools
Same active-probe philosophy — confirm the real issue by fetching it, not by trusting a checklist. All MIT:
supabase-security · strapi-security · pocketbase-security · firebase-security · appwrite-security · nhost-security
License
MIT © Renzo Madueno
📚 Part of Awesome Backend Security Auditors — the full collection of keyless active-probe auditors.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Perufitlife/web-exposure-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server