audit_headers

Audits the real edge posture of a public endpoint: TLS, redirects, headers, cookies, and overall grade.

DESCRIPTION

Use this when the question is what the server actually sends over the wire. It is the right tool for HSTS, CSP, X-Frame-Options, redirect chains, SSL expiry, and cookie security flags.

WHEN TO USE

GOOD FIT

  • Before or after deployment to verify the security posture of a public endpoint.
  • During a security review of redirects, headers, or TLS configuration.
  • When debugging missing HSTS, CSP, or secure cookie flags.

AVOID IT WHEN

  • You want readable page content; use Zephex_dev_info.
  • You need local repo analysis.
  • The endpoint is private or only reachable from an internal network the service cannot access.

PARAMETERS

| Name | Type | Required | Description |
|------|------|----------|-------------|
| url | string | Yes | Public HTTPS URL to audit. |
| check_redirects | boolean | No | Follow and audit the redirect chain. Defaults to true. |
| check_ssl | boolean | No | Inspect certificate details. Defaults to true. |
| check_headers | boolean | No | Inspect the security headers. Defaults to true. |
| check_cookies | boolean | No | Inspect cookie security flags. Defaults to true. |

DETAILS

GOOD FOR

Use this on deployed URLs, not source code

This is a wire-level audit. It tells you what an external client sees after CDN, redirects, and app config have all been applied. That makes it more useful than reading server config when the problem is at the edge.

EXAMPLE
tools-call.json

{
  "jsonrpc": "2.0",
  "id": 9,
  "method": "tools/call",
  "params": {
    "name": "audit_headers",
    "arguments": {
      "url": "https://zephex.dev"
    }
  }
}

OUTPUT
response.txt

Grade: A
Redirect chain: http -> https ok
TLS: valid certificate, expires in 61 days
Headers: HSTS present, CSP present, X-Frame-Options SAMEORIGIN
Cookies: Secure + HttpOnly + SameSite=Strict
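
The header and cookie part of a wire-level check like this, as an added example that is not Zephex's implementation or output format. It runs over constructed response text and skips TLS and redirects; the function names and finding strings are assumptions.

```python
# Added example, not the tool's code; finding strings are invented here.
import re

def parse_headers(raw):
    """Split a captured response head into (lowercased-name, value) pairs."""
    lines = raw.strip().splitlines()[1:]            # skip the status line
    split = (l.partition(":") for l in lines)
    return [(n.strip().lower(), v.strip()) for n, sep, v in split if sep]

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    pairs = parse_headers(raw)
    single = dict(pairs)                            # single-valued headers
    findings = []
    hsts = single.get("strict-transport-security")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("HSTS missing")
    elif not m or int(m.group(1)) == 0:             # max-age=0 switches HSTS off
        findings.append("HSTS present but max-age is 0 or absent")
    csp = single.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    # Framing is covered by X-Frame-Options or by CSP frame-ancestors.
    xfo = single.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or "").lower():
        findings.append("no framing protection")
    # Set-Cookie may repeat, so walk the pairs rather than the dict.
    for value in (v for n, v in pairs if n == "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {cookie}: missing {', '.join(missing)}")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=0
X-Frame-Options: ALLOWALL
Set-Cookie: sid=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax"""
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"""
```

`audit(HARDENED)` returns an empty list, matching the posture in the sample output above, while `audit(WEAK)` reports the disabled HSTS, the missing CSP, the unrecognized X-Frame-Options value, and the per-cookie flag gaps.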

TOKEN EFFICIENCY

Most audit_headers calls return about 250 to 700 tokens. Manually reproducing the same audit with curl, browser devtools, and TLS inspection tools usually costs 3,000 to 8,000 tokens of copied output and interpretation.