audit_headers
Makes a raw HTTP/TLS connection to inspect redirect chains, certificate details, security headers, and cookie flags, and reports an overall grade from A+ to F.
DESCRIPTION
Use this when the question is security posture at the edge. It looks at what the server actually sends on the wire before the browser smooths anything over.
WHEN TO USE
GOOD FIT
- Before or after deployment to verify HTTPS and security headers.
- During a security review of an HTTP endpoint.
- When checking HSTS, CSP, X-Frame-Options, or cookie flag regressions.
- When auditing redirect chains or certificate expiry.
AVOID IT WHEN
- You need rendered page content or extracted article text; use inspect_url.
- You need repo-internal code analysis.
- You are testing a private or local-only URL that the hosted service cannot reach.
PARAMETERS
| Name | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | Public URL to audit, including https://. |
| check_redirects | boolean | No | Follow the redirect chain. Defaults to true. |
| check_ssl | boolean | No | Inspect the TLS certificate. Defaults to true. |
| check_headers | boolean | No | Inspect security headers. Defaults to true. |
| check_cookies | boolean | No | Inspect cookie security flags. Defaults to true. |
EXAMPLE
tools-call.json
{
  "jsonrpc": "2.0",
  "id": 7,
  "method": "tools/call",
  "params": {
    "name": "audit_headers",
    "arguments": {
      "url": "https://zephex.dev"
    }
  }
}
OUTPUT
response.json
{
  "jsonrpc": "2.0",
  "id": 7,
  "result": {
    "content": [
      {
        "type": "text",
        "text": "Grade: A\nRedirect chain: http -> https ok\nTLS: valid certificate, expires in 61 days\nHeaders: HSTS present, CSP present, X-Frame-Options SAMEORIGIN\nCookies: Secure + HttpOnly + SameSite=Strict"
      }
    ]
  }
}
TOKEN EFFICIENCY
This tool is compact compared with opening a browser, following redirects manually, and interpreting headers yourself. It focuses on edge security signal only.
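An added example, not part of the tool's own documentation or code: a Python sketch that builds the tools/call request from the PARAMETERS table and turns the text report shown under OUTPUT into a pass/fail deploy gate. It assumes the report keeps the `Key: value` line layout of that sample and that grades are a letter A to F with an optional + or -; the function names and thresholds are hypothetical.

```python
import json
import re

# Constructed sample: the same response shown under OUTPUT on this page.
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 7, "result": {"content": [{
    "type": "text", "text": "Grade: A\nRedirect chain: http -> https ok\n"
    "TLS: valid certificate, expires in 61 days\n"
    "Headers: HSTS present, CSP present, X-Frame-Options SAMEORIGIN\n"
    "Cookies: Secure + HttpOnly + SameSite=Strict"}]}})

CHECKS = {"check_redirects", "check_ssl", "check_headers", "check_cookies"}

def build_request(url, req_id=1, **checks):
    """JSON-RPC tools/call body; checks are the optional booleans from PARAMETERS."""
    unknown = set(checks) - CHECKS
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": "audit_headers", "arguments": {"url": url, **checks}}}

def parse_report(response_json):
    """Turn the 'Key: value' lines of the text content into a dict (assumed layout)."""
    msg = json.loads(response_json)
    if "error" in msg:
        raise RuntimeError(f"tool call failed: {msg['error']}")
    text = "".join(c["text"] for c in msg["result"]["content"] if c.get("type") == "text")
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def grade_rank(grade):
    """Lower is better: A+ < A < A- < B+ < ... < F (assumed grade scheme)."""
    m = re.fullmatch(r"([A-F])([+-]?)", grade.strip())
    if not m:
        raise ValueError(f"unrecognised grade: {grade!r}")
    return (ord(m.group(1)) - ord("A")) * 3 + {"+": -1, "": 0, "-": 1}[m.group(2)]

def gate(report, min_grade="A", min_cert_days=30):
    """Return the reasons to block a deploy; an empty list means pass."""
    problems = []
    if grade_rank(report.get("Grade", "F")) > grade_rank(min_grade):
        problems.append(f"grade {report.get('Grade')} is below {min_grade}")
    days = re.search(r"expires in (\d+) days", report.get("TLS", ""))
    if days is None:
        problems.append("certificate expiry not reported")
    elif int(days.group(1)) < min_cert_days:
        problems.append(f"certificate expires in {days.group(1)} days")
    for flag in ("Secure", "HttpOnly", "SameSite"):  # assumes cookies were set and checked
        if flag not in report.get("Cookies", ""):
            problems.append(f"cookie flag missing: {flag}")
    return problems
```

Sending the request is left to whatever MCP client you already use; running `gate(parse_report(...))` before and after a deployment surfaces the header, cookie, and certificate regressions listed under GOOD FIT.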