
HTTP Security Headers
by Shakil Ahamed
Updated May 4, 2026
Analyze and score HTTP security headers (CSP, HSTS, CORS, cookies) with actionable fix recommendations for web applications.
security-headers
web-security
http-headers
HTTP Security Headers MCP Server scans any URL and grades its security headers from A+ to F based on OWASP best practices.
What it does:
- scan_headers — Fetch any URL and get a full security audit of all HTTP headers with an A+ to F grade
- score_headers — Pass your own headers and get a detailed score breakdown per header
- analyze_csp — Deep Content-Security-Policy analysis: detects unsafe-inline, unsafe-eval, wildcard sources, missing directives, and bypass risks
- generate_headers — Get ready-to-paste security header configs for Express, Next.js, nginx, Apache, Cloudflare, and Vercel
Example use cases:
- Pre-deployment audit: scan https://staging.shakilahamed.com to verify headers before going live
- CSP debugging: paste your Content-Security-Policy and get directive-by-directive analysis with fix suggestions
- New project setup: generate security headers for your Express or Next.js app in seconds
Why this exists: The SecurityHeaders.com API was shut down by Snyk in April 2026. This MCP server is a free, open-source replacement that works natively with Claude, Cursor, and any MCP-compatible AI assistant.
Technical details:
- Pure computation — zero external API costs, no rate limits
- Scores 7 critical headers weighted up to 100 points
- Based on OWASP Secure Headers Project and MDN HTTP Observatory rules
- TypeScript, open source: https://github.com/shakiltousif/http-security-headers-mcp
Built by Shakil Ahamed — https://shakilahamed.com