audit_headers
Paste a URL — is it up, secure, and leaking secrets? One call, plain English answer.
Zephex Site Audit (MCP tool audit_headers) fetches a public URL from Zephex servers over plain HTTP and returns a security grade, health verdict, tech stack, light secret scan and network timing, in about 1–3 s in quick mode. CLI equivalent: zephex check url. Nothing runs on the user's machine and no local Chrome is needed.
When to use
- Post-deploy: “are headers correct on production?”
- Cert expiry, HSTS, CSP, or cookie flag questions on a public site.
- Redirect chain audits (HTTP→HTTPS, www, loops, downgrades).
- Staging vs production header comparison on two public URLs.
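The redirect chain audit listed above (HTTP→HTTPS, www, loops, downgrades) can be reproduced by walking the chain one hop at a time and judging each Location before following it. The block below is an added example, not Zephex's own implementation; it runs against a constructed in-memory server map instead of the network, and the per-hop re-validation is a minimal stand-in (scheme and no embedded credentials) for the full SSRF guard.

```python
from urllib.parse import urlsplit, urljoin

# Constructed fake server (not real captures): url -> (status, Location header or None).
CONSTRUCTED_SERVER = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (308, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
    "https://down.example/": (302, "http://down.example/"),
    "http://down.example/": (200, None),
}

MAX_HOPS = 10  # assumed cap; a real audit would expose this as a parameter


def _basic_target_ok(url):
    # Minimal stand-in for per-hop re-validation: scheme and no user:pass@ in the URL.
    p = urlsplit(url)
    return p.scheme in ("http", "https") and p.username is None


def follow_chain(start, fetch=lambda u: CONSTRUCTED_SERVER.get(u, (404, None)),
                 target_ok=_basic_target_ok):
    """Walk redirects hop by hop, recording each hop and flagging downgrades,
    host changes, loops and over-long chains. Returns chain, final_url, issues."""
    hops, issues, seen = [], [], set()
    url = start
    while True:
        if url in seen:
            issues.append(f"CRITICAL: redirect loop at {url}")
            break
        seen.add(url)
        if not target_ok(url):  # every hop target is re-validated before fetch
            issues.append(f"CRITICAL: hop target rejected: {url}")
            break
        status, location = fetch(url)
        hops.append({"url": url, "status": status, "location": location})
        if not (300 <= status < 400 and location):
            break
        nxt = urljoin(url, location)  # Location may be relative (RFC 9110)
        a, b = urlsplit(url), urlsplit(nxt)
        if a.scheme == "https" and b.scheme == "http":
            issues.append(f"CRITICAL: HTTPS->HTTP downgrade from {url} to {nxt}")
        if a.hostname != b.hostname:
            issues.append(f"INFO: host change {a.hostname} -> {b.hostname}")
        if len(hops) >= MAX_HOPS:
            issues.append(f"WARNING: more than {MAX_HOPS} redirects, stopping")
            break
        url = nxt
    final = hops[-1]["url"] if hops else start
    if urlsplit(final).scheme == "http":
        issues.append("WARNING: final URL is plain HTTP")
    return {"final_url": final, "redirect_chain": hops, "issues": issues}
```

The loop check keys on the full URL rather than the host, so an alternating /a → /b → /a chain is caught on the third hop without waiting for the hop cap; the downgrade check compares the scheme of the hop you are on with the scheme you are being sent to, which is what distinguishes a legitimate HTTP→HTTPS upgrade from an HTTPS→HTTP downgrade.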
When not to use
- Localhost, private/internal URLs, raw IP hostnames or non-standard ports; the SSRF guard rejects them.
- Pages that require authentication; the audit only sees what an unauthenticated fetch returns.
- As a substitute for DAST or a full pentest; it is a one-snapshot audit of headers, TLS, cookies and redirects.
- Finding or editing the header source in your repository; use find_code or read_code for that.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | Public http(s) URL, https recommended (max 2048 chars). |
| scan_mode | string | No | quick (~1-3s, default) or thorough (DNS+APIs, ~5-12s). |
| path | string | No | Subpath e.g. /checkout. |
| check_health | boolean | No | Default true—verdict + trust score. |
| check_tech | boolean | No | Default true—framework, hosting, CDN. |
| check_secrets | boolean | No | Default true—exposed keys, .env/.git. |
| check_network | boolean | No | Default true—HTTP timing table. |
| check_redirects | boolean | No | Default true—redirect chain. |
| check_ssl | boolean | No | Default true—cert + protocol. |
| check_headers | boolean | No | Default true—security header grade. |
| check_cookies | boolean | No | Default true—Set-Cookie flags. |
| focus | string | No | One of `all`, `security`, `health`, `performance`. |
| security_depth | string | No | basic (fast) or full (DNS SPF/DMARC). |
| timeout_ms | number | No | Default 8000, max 15000. |
Limits: Public endpoints only; one snapshot per call; per-hostname cooldown ~5s. Cookie values are not returned (names/flags only). Does not replace DAST or full pentests.
Try it — copy a prompt
Paste into Cursor, Claude Code, Windsurf, VS Code, or any editor with a hosted MCP connection.
Before you call it
- Zephex API key and hosted MCP.
- A **public hostname** URL (https recommended). Ports 80 or 443 only; no user:pass@ in URL.
- All check_* flags default true; disable one to speed up a partial audit.
Token and request cost
Most audits return about 250–700 tokens with grade, issues list, and key header statuses. Reproducing the same checks manually (curl, openssl, browser devtools) often costs far more context to paste and interpret.
Example
MCP tools/call
```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "audit_headers",
    "arguments": {
      "url": "https://example.com",
      "scan_mode": "quick",
      "check_health": true,
      "check_tech": true,
      "check_secrets": true,
      "check_network": true
    }
  }
}
```

Response shape

```json
{
  "product": "site_audit",
  "duration_ms": 1240,
  "plain_summary": "example.com is up (HTTP 200) in 412ms. Stack: Next.js.",
  "summary": {
    "security_grade": "B",
    "security_score": 78,
    "site_verdict": "ALIVE",
    "trust_score": 82,
    "load_ms": 412,
    "secrets_critical": 0,
    "critical_count": 0,
    "warning_count": 3
  },
  "health": { "verdict": "ALIVE", "trust_score": 82, "load_ms": 412 },
  "tech": { "framework": "Next.js", "hosting": "Vercel", "cdn": "Cloudflare" },
  "secrets": { "total_found": 0, "critical_count": 0 },
  "network": { "total_requests": 4, "slow_count": 0, "note": "HTTP fetch layer only" },
  "issues": ["WARNING: CSP allows unsafe-inline"],
  "final_url": "https://www.example.com/",
  "ssl": { "valid": true, "protocol": "TLSv1.3" }
}
```

Which Zephex tool when
| Task | Use this tool | Not this tool |
|---|---|---|
| Grade live deployed URL | audit_headers | read_code |
| Find header in source config | find_code | audit_headers |
| Map app architecture | explain_architecture | audit_headers |
| Package / CVE check | check_package | audit_headers |
What it checks on the deployed URL
- Grade HSTS including preload eligibility signals
- Analyze CSP quality (unsafe-inline, frame-ancestors, nonce/hash hints)
- X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/CORP
- TLS validity, protocol, days until expiry, issuer
- Full redirect_chain per hop (detect loops and downgrades)
- cookie_flags: Secure, HttpOnly, SameSite, __Host-/__Secure- prefix issues
- cors_preflight OPTIONS check for wildcard + credentials mistakes
- server_fingerprint and info_leakage (version leaks, risky headers)
- infra: CDN/WAF detection, HTTP/2, compression hints
- dns: SPF/DMARC/DKIM signals for the domain
- fixes snippets per Nginx, Apache, Caddy, Express, Vercel, Next.js, Cloudflare, …
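To make the header checks above concrete, here is an added example that grades a captured header set the way the list describes: HSTS max-age and preload eligibility, CSP unsafe-inline versus nonce/hash, cookie flags and __Host-/__Secure- prefix rules, CORS wildcard plus credentials, and Server version leakage. This is not Zephex's grading code; the two header sets are constructed, and the penalty weights and grade cut-offs are assumptions chosen for the example.

```python
import re

# Constructed sample responses (not real captures) for https://www.example.com/.
# Headers are (name, value) pairs because Set-Cookie repeats.
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Server", "nginx/1.18.0"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc; Path=/; HttpOnly"),
    ("Set-Cookie", "__Host-id=xyz; Secure; Path=/; Domain=example.com"),
    ("Set-Cookie", "pref=1; Secure; HttpOnly; SameSite=Lax; Path=/"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Server", "nginx"),
    ("Set-Cookie", "__Host-session=abc; Secure; HttpOnly; SameSite=Lax; Path=/"),
]

ONE_YEAR = 31536000
WEIGHT = {"CRITICAL": 20, "WARNING": 8, "INFO": 2}  # assumed penalty per finding


def _multimap(pairs):
    out = {}  # lower-cased header name -> list of values
    for k, v in pairs:
        out.setdefault(k.lower(), []).append(v)
    return out


def audit_hsts(h, issues):
    vals = h.get("strict-transport-security")
    if not vals:
        issues.append("WARNING: HSTS header missing")
        return
    directives = [d.strip().lower() for d in vals[0].split(";")]
    raw = next((d[8:] for d in directives if d.startswith("max-age=")), "")
    max_age = int(raw) if raw.isdigit() else -1
    if max_age < 0:
        issues.append("WARNING: HSTS max-age missing or malformed")
    elif max_age < ONE_YEAR:
        issues.append(f"WARNING: HSTS max-age {max_age} is below one year")
    # Preload-list eligibility needs all three: >= 1 year, includeSubDomains, preload.
    if not (max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives):
        issues.append("INFO: HSTS not preload-eligible (max-age>=31536000; includeSubDomains; preload)")


def audit_csp(h, issues):
    vals = h.get("content-security-policy")
    if not vals:
        issues.append("WARNING: CSP header missing")
        return
    # directive name -> lower-cased source list
    policy = {d.split()[0].lower(): [p.lower() for p in d.split()[1:]]
              for d in vals[0].split(";") if d.split()}
    eff = policy.get("script-src", policy.get("default-src", []))  # script-src falls back
    # A nonce or hash makes CSP3 browsers ignore 'unsafe-inline', so only flag the bare case.
    if "'unsafe-inline'" in eff and not any(s.startswith(("'nonce-", "'sha")) for s in eff):
        issues.append("WARNING: CSP allows unsafe-inline for scripts without a nonce or hash")
    if "frame-ancestors" not in policy and not h.get("x-frame-options"):
        issues.append("WARNING: no frame-ancestors or X-Frame-Options (clickjacking)")


def audit_cookies(h, issues):
    for raw in h.get("set-cookie", []):
        first, *attrs = [p.strip() for p in raw.split(";")]
        name = first.split("=", 1)[0]
        flags = {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in attrs)}
        for flag, sev in (("secure", "WARNING"), ("httponly", "WARNING"), ("samesite", "INFO")):
            if flag not in flags:
                issues.append(f"{sev}: cookie {name} missing {flag}")
        # __Host- requires Secure, Path=/ and no Domain; __Secure- requires Secure.
        if name.startswith("__Host-") and (
                "secure" not in flags or "domain" in flags or flags.get("path") != "/"):
            issues.append(f"CRITICAL: cookie {name} violates __Host- prefix rules")
        elif name.startswith("__Secure-") and "secure" not in flags:
            issues.append(f"CRITICAL: cookie {name} violates __Secure- prefix rules")


def audit_cors_and_leaks(h, issues):
    acao = h.get("access-control-allow-origin", [""])[0]
    acac = h.get("access-control-allow-credentials", [""])[0].lower()
    if acao == "*" and acac == "true":
        issues.append("CRITICAL: CORS wildcard origin combined with Allow-Credentials: true")
    server = h.get("server", [""])[0]
    if re.search(r"\d+\.\d+", server):
        issues.append(f"INFO: Server header leaks a version: {server}")


def audit(pairs):
    h, issues = _multimap(pairs), []
    for check in (audit_hsts, audit_csp, audit_cookies, audit_cors_and_leaks):
        check(h, issues)
    issues.sort(key=lambda s: list(WEIGHT).index(s.split(":", 1)[0]))  # CRITICAL first
    score = max(0, 100 - sum(WEIGHT[s.split(":", 1)[0]] for s in issues))
    grade = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 60 else "D" if score >= 40 else "F"
    return {"security_grade": grade, "security_score": score, "issues": issues}
```

Calling audit(WEAK_HEADERS) yields an F with the two CRITICAL findings first (the __Host- cookie carrying a Domain attribute, and the wildcard CORS origin paired with credentials), while audit(HARDENED_HEADERS) yields an A with no findings. The sort keeps insertion order inside each severity, which mirrors the CRITICAL → WARNING → INFO ordering of the tool's issues array.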
Common response fields
- product, duration_ms, plain_summary: what ran, how long it took, and a one-line verdict.
- summary: security_grade, security_score, site_verdict, trust_score, load_ms, secrets_critical, critical_count, warning_count.
- health, tech, secrets, network: per-check sections, present when the matching check_* flag is true.
- issues: prioritized CRITICAL → WARNING → INFO strings; final_url: URL after all redirects.
- ssl: valid, protocol, days_until_expiry, issuer.
- security_headers (per-header status, csp_quality, fix snippets), cookie_flags, redirect_chain, cors_preflight, server_fingerprint, info_leakage, infra, dns.
Why teams use it
Wire-level truth
Measures what the server returns on the network—including CDN and redirect behavior—not static config files alone.
SSRF-safe
DNS pinning to public IPs; blocks localhost, metadata hosts, and embedded credentials in URLs.
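The SSRF guard described above can be reproduced as a target validator that rejects the URL before any connection is made and pins the fetch to one resolved address. The block below is an added example, not Zephex's guard; the DNS answers are a constructed table so it runs offline (a real implementation would call socket.getaddrinfo once and connect to exactly that address), and the IPv4-only rule follows the page's statement that the URL must resolve to a public IPv4 address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers (not real lookups) standing in for a resolver.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],  # cloud metadata endpoint
    "localtest.me": ["127.0.0.1"],                     # public name, loopback answer
    "dual.example": ["93.184.216.34", "10.0.0.5"],     # split answer: one RFC1918 record
}

ALLOWED_PORTS = {80, 443}
MAX_URL_LEN = 2048


def _is_public_v4(ip):
    # is_global is False for loopback, link-local (incl. 169.254.169.254), RFC1918,
    # CGNAT, multicast, unspecified and other reserved ranges.
    return ip.version == 4 and ip.is_global and not ip.is_multicast


def validate_target(url, resolve=lambda h: CONSTRUCTED_DNS.get(h, [])):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip,
    not re-resolve, so a second lookup cannot be rebound to a private host."""
    if len(url) > MAX_URL_LEN:
        return False, "url too long", None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https", None
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    try:  # raw IP literals (v4 or bracketed v6) are refused; a public hostname is required
        ipaddress.ip_address(host)
        return False, "raw IP hostname not allowed", None
    except ValueError:
        pass
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed", None
    answers = resolve(host)
    if not answers:
        return False, "hostname does not resolve", None
    # Every answer must be public; a single private record poisons the whole set.
    for a in answers:
        if not _is_public_v4(ipaddress.ip_address(a)):
            return False, f"{host} resolves to non-public address {a}", None
    return True, "ok", answers[0]
```

Rejecting the whole answer set when any record is private is deliberate: a resolver that returns one public and one private address is the shape of a rebinding or split-horizon attack, and choosing "the public one" would still let a later retry land on the private record.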
Actionable output
Prioritized issues list plus per-header fix snippets for common hosting stacks.
Not a code scanner
Does not read your repository. Pair with find_code when you need to edit the header source.
What it looks at vs skips
Looks at:
- Live HTTPS/HTTP response headers
- TLS certificate handshake
- Redirect hops (re-validated per hop)
- Set-Cookie attributes on the response
- OPTIONS preflight for CORS
- DNS TXT for SPF/DMARC/DKIM
Skips:
- Private/internal URLs and raw IP hostnames
- JavaScript execution or page body content
- Local repo config files (unless you audit a deployed URL)
- Authenticated-only pages the server cannot reach
Fields agents should read first
| Field | Meaning |
|---|---|
| summary.security_grade | A+ through F—start here. |
| issues | Prioritized CRITICAL → WARNING → INFO strings. |
| final_url | URL after all redirects. |
| ssl.days_until_expiry | Certificate runway; watch expiry_warning. |
| security_headers.csp_quality | CSP weakness signals (unsafe-inline, etc.). |
| cookie_flags | Per-cookie Secure/HttpOnly/SameSite audit. |
How it fits your workflow
- Deploy or update edge config (Vercel, Cloudflare, Nginx, …).
- audit_headers on the public URL—read summary and issues first.
- Apply fix snippets for failing headers; re-audit to confirm grade.
- If the fix is in code, use find_code to locate config then edit in your repo.
Troubleshooting
- Blocked private IP → URL must resolve to a public IPv4 address; no 127.0.0.1 or RFC1918.
- Rate limit → wait ~5s per hostname before re-auditing the same site.
- Grade differs from browser → CDN/edge may differ by region; audit is one wire snapshot.
- Empty cookies → site may set cookies only on authenticated paths; try a URL that sets Set-Cookie.
How to verify it works
- Connect Zephex MCP; confirm audit_headers in tools/list.
- Audit https://zephex.dev (or your staging URL); confirm summary.security_grade and issues array.
- If grade < B, read security_headers entries with status fail/warn and attached fix snippets.
Common questions
Which MCP tool should I use to check security headers after deploy?
Use audit_headers with the production https URL. Read summary.security_grade and issues, then security_headers entries with status fail or warn. Re-run after applying fix snippets until the grade meets your bar (many teams target B or higher).
Can audit_headers scan localhost or my private API?
No. Only public hostnames resolving to public IPs on ports 80/443. For local dev, deploy to a staging URL or tunnel with a public hostname, then audit that URL.
How do I use audit_headers with Cursor?
Add Zephex hosted MCP, then ask: “audit_headers on https://my-app.vercel.app after this deploy.” The agent should cite the grade and specific missing headers—not assume https alone means secure.
What is the difference between audit_headers and reading next.config.js?
Config files show intent; audit_headers shows the edge reality after CDN, redirects, and platform defaults. Use both: audit to verify, find_code/read_code to change source config.
Can I run only an SSL or redirect check?
Yes. Set check_headers, check_cookies, check_ssl, or check_redirects to false to skip sections. url is always required.
Why did my second audit on the same host fail immediately?
audit_headers rate-limits repeat audits of the same hostname (~5 seconds) to prevent abuse. Wait a few seconds or audit a different URL. Each successful audit still counts as one plan request.
Need to edit config? find_code locates header source; audit_headers verifies the live URL.
Billing: Each tool call counts as one request on your Zephex plan (Free includes 555 requests/month). See usage limits for tier details.
Data: Fetches URLs you specify over the network; SSRF protections block private targets. Results are ephemeral.
For AI agents (JSON)
```json
{"tool":"audit_headers","when":"public deployed URL","read":"summary.security_grade first"}
```