© 2026 Zephex.

audit_headers

Paste a URL — is it up, secure, and leaking secrets? One call, plain English answer.

Zephex Site Audit (MCP tool audit_headers) scans public URLs on Zephex servers via HTTP fetch—security grade, health verdict, tech stack, light secret scan, network timing—in ~1–3s quick mode. CLI: zephex check url. No Chrome on the user's machine.

When to use

  • Post-deploy: “are headers correct on production?”
  • Cert expiry, HSTS, CSP, or cookie flag questions on a public site.
  • Redirect chain audits (HTTP→HTTPS, www, loops, downgrades).
  • Staging vs production header comparison on two public URLs.

When not to use

  • Localhost or private IPs — blocked by SSRF protection on the hosted scan.
  • JavaScript console errors or real browser Core Web Vitals — HTTP fetch only, no JS execution.
  • Full repository secret scan — this tool scans the live page HTML/JS only.
  • Reading project source config — use read_code or find_code.

Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | Public https URL (max 2048 chars). |
| scan_mode | string | No | quick (~1-3s, default) or thorough (DNS+APIs, ~5-12s). |
| path | string | No | Subpath, e.g. /checkout. |
| check_health | boolean | No | Default true; verdict + trust score. |
| check_tech | boolean | No | Default true; framework, hosting, CDN. |
| check_secrets | boolean | No | Default true; exposed keys, .env/.git. |
| check_network | boolean | No | Default true; HTTP timing table. |
| check_redirects | boolean | No | Default true; redirect chain. |
| check_ssl | boolean | No | Default true; cert + protocol. |
| check_headers | boolean | No | Default true; security header grade. |
| check_cookies | boolean | No | Default true; Set-Cookie flags. |
| focus | string | No | all, security, health, or performance. |
| security_depth | string | No | basic (fast) or full (DNS SPF/DMARC). |
| timeout_ms | number | No | Default 8000, max 15000. |

Limits: Public endpoints only; one snapshot per call; per-hostname cooldown ~5s. Cookie values are not returned (names/flags only). Does not replace DAST or full pentests.

Try it — copy a prompt

Paste into Cursor, Claude Code, Windsurf, VS Code, or any editor with a hosted MCP connection.

Before you call it

  • Zephex API key and hosted MCP.
  • A **public hostname** URL (https recommended). Ports 80 or 443 only; no user:pass@ in URL.
  • All check_* flags default true; disable one to speed up a partial audit.

Token and request cost

Most audits return about 250–700 tokens with grade, issues list, and key header statuses. Reproducing the same checks manually (curl, openssl, browser devtools) often costs far more context to paste and interpret.

Example

MCP tools/call

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "audit_headers",
    "arguments": {
      "url": "https://example.com",
      "scan_mode": "quick",
      "check_health": true,
      "check_tech": true,
      "check_secrets": true,
      "check_network": true
    }
  }
}
```

Response shape

```json
{
  "product": "site_audit",
  "duration_ms": 1240,
  "plain_summary": "example.com is up (HTTP 200) in 412ms. Stack: Next.js.",
  "summary": {
    "security_grade": "B",
    "security_score": 78,
    "site_verdict": "ALIVE",
    "trust_score": 82,
    "load_ms": 412,
    "secrets_critical": 0,
    "critical_count": 0,
    "warning_count": 3
  },
  "health": { "verdict": "ALIVE", "trust_score": 82, "load_ms": 412 },
  "tech": { "framework": "Next.js", "hosting": "Vercel", "cdn": "Cloudflare" },
  "secrets": { "total_found": 0, "critical_count": 0 },
  "network": { "total_requests": 4, "slow_count": 0, "note": "HTTP fetch layer only" },
  "issues": ["WARNING: CSP allows unsafe-inline"],
  "final_url": "https://www.example.com/",
  "ssl": { "valid": true, "protocol": "TLSv1.3" }
}
```

Which Zephex tool when

| Task | Use this tool | Not this tool |
|---|---|---|
| Grade live deployed URL | audit_headers | read_code |
| Find header in source config | find_code | audit_headers |
| Map app architecture | explain_architecture | audit_headers |
| Package / CVE check | check_package | audit_headers |

What it can do in your codebase

  • Grade HSTS including preload eligibility signals
  • Analyze CSP quality (unsafe-inline, frame-ancestors, nonce/hash hints)
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/CORP
  • TLS validity, protocol, days until expiry, issuer
  • Full redirect_chain per hop (detect loops and downgrades)
  • cookie_flags: Secure, HttpOnly, SameSite, __Host-/__Secure- prefix issues
  • cors_preflight OPTIONS check for wildcard + credentials mistakes
  • server_fingerprint and info_leakage (version leaks, risky headers)
  • infra: CDN/WAF detection, HTTP/2, compression hints
  • dns: SPF/DMARC/DKIM signals for the domain
  • fixes snippets per Nginx, Apache, Caddy, Express, Vercel, Next.js, Cloudflare, …
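As an added illustration (not Zephex's own code or scoring), here is a small Python audit over one response snapshot that applies several of the checks listed above: HSTS preload eligibility, CSP unsafe-inline without a nonce/hash, frame-ancestors/X-Frame-Options, nosniff, and cookie Secure/HttpOnly/SameSite plus __Host-/__Secure- prefix rules. The grade scale, penalties, and the sample headers and cookies are constructed for this example.

```python
import re
# Grade scale and penalties are this example's own; Zephex's scoring is not published on the page.
GRADES = [(95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F")]
PENALTY = {"CRITICAL": 30, "WARNING": 10, "INFO": 3}
COOKIE_FLAGS = {"secure": "WARNING", "httponly": "INFO", "samesite": "INFO"}

# Constructed sample snapshot: a sound HSTS/CSP setup except for unsafe-inline and one weak cookie.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_COOKIES = ["__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", "theme=dark; Path=/; Secure"]

def parse_set_cookie(line: str) -> tuple[str, dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    first, *rest = line.split(";")
    return first.partition("=")[0].strip(), {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in rest)}

def audit_snapshot(headers: dict[str, str], set_cookies: list[str]) -> dict:
    """Return {'security_grade', 'security_score', 'issues'} for one response snapshot."""
    h = {k.lower(): v for k, v in headers.items()}
    issues: list[str] = []
    hsts = h.get("strict-transport-security", "").lower()
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        issues.append("CRITICAL: missing Strict-Transport-Security")
    elif not max_age or int(max_age.group(1)) < 31536000 or "includesubdomains" not in hsts or "preload" not in hsts:
        issues.append("INFO: HSTS not preload-eligible (needs max-age>=31536000, includeSubDomains, preload)")
    csp = h.get("content-security-policy", "")
    if not csp:
        issues.append("WARNING: missing Content-Security-Policy")
    else:
        # unsafe-inline is a real weakness only when no nonce/hash source neutralises it
        if "'unsafe-inline'" in csp and not re.search(r"'(nonce-|sha(256|384|512)-)", csp):
            issues.append("WARNING: CSP allows unsafe-inline")
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            issues.append("WARNING: no frame-ancestors or X-Frame-Options (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("WARNING: X-Content-Type-Options missing or not nosniff")
    for line in set_cookies:
        name, attrs = parse_set_cookie(line)
        issues += [f"{sev}: cookie {name} lacks {flag}" for flag, sev in COOKIE_FLAGS.items() if flag not in attrs]
        # Browsers honour cookie prefixes only when these attribute rules hold
        if name.startswith("__Host-") and ("secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
            issues.append(f"CRITICAL: __Host- cookie {name} breaks prefix rules (Secure, Path=/, no Domain)")
        elif name.startswith("__Secure-") and "secure" not in attrs:
            issues.append(f"CRITICAL: __Secure- cookie {name} lacks Secure")
    score = max(0, 100 - sum(PENALTY[i.split(":")[0]] for i in issues))
    return {"security_grade": next(g for floor, g in GRADES if score >= floor), "security_score": score, "issues": issues}
```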

Common response fields

  • security_grade
  • issues
  • strict_transport_security
  • content_security_policy
  • cookie_flags
  • redirect_chain

Why teams use it

Wire-level truth

Measures what the server returns on the network—including CDN and redirect behavior—not static config files alone.

SSRF-safe

DNS pinning to public IPs; blocks localhost, metadata hosts, and embedded credentials in URLs.
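An added example, not the hosted scanner's implementation: the kind of pre-flight check a client can run locally before submitting a URL, mirroring the constraints the page states (public hostname, ports 80/443, no user:pass@, no raw IPs, and a resolution to a public IPv4 address). The blocked hostname list and the resolved_ip parameter are this example's assumptions.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed hostname rules for this example; the hosted scan's real blocklist is not on the page.
BLOCKED_HOSTS = {"localhost"}
BLOCKED_SUFFIXES = (".localhost", ".local", ".internal")

def preflight_audit_url(url: str, resolved_ip: Optional[str] = None) -> list[str]:
    """Return the reasons a URL would be rejected before an audit (empty list = acceptable).

    resolved_ip is the address the caller has already resolved the hostname to; checking it
    here and then connecting to exactly that address is the DNS-pinning idea the page describes.
    """
    reasons: list[str] = []
    if len(url) > 2048:
        reasons.append("URL longer than 2048 characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unsupported scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        reasons.append("embedded credentials (user:pass@) are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("missing hostname")
    else:
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP hostnames are not accepted; use a public hostname")
        except ValueError:
            pass  # not an IP literal, which is what we want
        if host in BLOCKED_HOSTS or host.endswith(BLOCKED_SUFFIXES):
            reasons.append(f"hostname {host!r} is local or internal")
    try:
        port = parts.port
    except ValueError:
        port = None
        reasons.append("port is not a valid number")
    if port not in (None, 80, 443):
        reasons.append(f"port {port} not allowed; only 80 and 443")
    if resolved_ip is not None:
        try:
            addr = ipaddress.ip_address(resolved_ip)
        except ValueError:
            reasons.append(f"resolved address {resolved_ip!r} is not an IP address")
        else:
            # Rejects loopback, RFC1918, link-local (including 169.254.169.254 metadata) and IPv6
            if addr.version != 4 or not addr.is_global:
                reasons.append(f"resolved address {resolved_ip} is not a public IPv4 address")
    return reasons
```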

Actionable output

Prioritized issues list plus per-header fix snippets for common hosting stacks.

Not a code scanner

Does not read your repository. Pair with find_code when you need to edit the header source.

What it looks at vs skips

Looks at
  • Live HTTPS/HTTP response headers
  • TLS certificate handshake
  • Redirect hops (re-validated per hop)
  • Set-Cookie attributes on the response
  • OPTIONS preflight for CORS
  • DNS TXT for SPF/DMARC/DKIM
Does not
  • Private/internal URLs and raw IP hostnames
  • JavaScript execution or page body content
  • Local repo config files (unless you audit a deployed URL)
  • Authenticated-only pages the server cannot reach

Fields agents should read first

| Field | Meaning |
|---|---|
| summary.security_grade | A+ through F; start here. |
| issues | Prioritized CRITICAL → WARNING → INFO strings. |
| final_url | URL after all redirects. |
| ssl.days_until_expiry | Certificate runway; watch expiry_warning. |
| security_headers.csp_quality | CSP weakness signals (unsafe-inline, etc.). |
| cookie_flags | Per-cookie Secure/HttpOnly/SameSite audit. |

How it fits your workflow

  1. Deploy or update edge config (Vercel, Cloudflare, Nginx, …).
  2. audit_headers on the public URL—read summary and issues first.
  3. Apply fix snippets for failing headers; re-audit to confirm grade.
  4. If the fix is in code, use find_code to locate config then edit in your repo.

Troubleshooting

  • Blocked private IP → URL must resolve to a public IPv4 address; no 127.0.0.1 or RFC1918.
  • Rate limit → wait ~5s per hostname before re-auditing the same site.
  • Grade differs from browser → CDN/edge may differ by region; audit is one wire snapshot.
  • Empty cookies → site may set cookies only on authenticated paths; try a URL that sets Set-Cookie.

How to verify it works

  1. Connect Zephex MCP; confirm audit_headers in tools/list.
  2. Audit https://zephex.dev (or your staging URL); confirm summary.security_grade and issues array.
  3. If grade < B, read security_headers entries with status fail/warn and attached fix snippets.

Common questions

Billing and plan limits: FAQ, usage limits.

Which MCP tool should I use to check security headers after deploy?

Use audit_headers with the production https URL. Read summary.security_grade and issues, then security_headers entries with status fail or warn. Re-run after applying fix snippets until the grade meets your bar (many teams target B or higher).

Can audit_headers scan localhost or my private API?

No. Only public hostnames resolving to public IPs on ports 80/443. For local dev, deploy to a staging URL or tunnel with a public hostname, then audit that URL.

How do I use audit_headers with Cursor?

Add Zephex hosted MCP, then ask: “audit_headers on https://my-app.vercel.app after this deploy.” The agent should cite the grade and specific missing headers—not assume https alone means secure.

What is the difference between audit_headers and reading next.config.js?

Config files show intent; audit_headers shows the edge reality after CDN, redirects, and platform defaults. Use both: audit to verify, find_code/read_code to change source config.

Can I run only an SSL or redirect check?

Yes. Set check_headers, check_cookies, check_ssl, or check_redirects to false to skip sections. url is always required.

Why did my second audit on the same host fail immediately?

audit_headers rate-limits repeat audits of the same hostname (~5 seconds) to prevent abuse. Wait a few seconds or audit a different URL. Each successful audit still counts as one plan request.

Need to edit config? find_code locates header source; audit_headers verifies the live URL.

Billing: Each tool call counts as one request on your Zephex plan (Free includes 555 requests/month). See usage limits for tier details.

Data: Fetches URLs you specify over the network; SSRF protections block private targets. Results are ephemeral. See Data Handling for details.

Reading next.config.js shows intent; audit_headers shows what browsers receive after CDN—complements explain_architecture.

Related

  • find_code — find header config in repo
  • Zephex security
  • Zephex_dev_info — expert patterns
  • Cursor MCP setup
  • Quickstart
  • Supply chain (packages)
  • Install
  • Pricing
  • MCP troubleshooting
For AI agents (JSON)

```json
{"tool":"audit_headers","when":"public deployed URL","read":"summary.security_grade first"}
```