Do I need a paid plan to use the MCP connector?

No. A free SiteSecurityScore account gives you access to the MCP connector with a limited number of scans per month. The free tier is generous enough for personal projects and small teams. Paid plans increase the scan limit and add PDF report generation and monitoring features.

Can I use this with the Claude Code VS Code extension?

Yes. The VS Code Claude Code extension reads the same .mcp.json configuration file from your project root. Restart the extension after adding the config and the scanner tool will appear automatically.

Does the MCP connector store my scan results?

Scan results are associated with your API key account. You can view scan history in your SiteSecurityScore dashboard. The raw scan data is not shared with Anthropic or any other AI provider — it passes through the MCP protocol locally between Claude and the scanner API.

What if my site is behind authentication?

The scanner fetches your site from its servers, so it can only scan pages that are publicly accessible. For authenticated pages, use the SiteSecurityScore browser extension, which captures headers from your already authenticated browser session.

Can I automate scans without Claude?

Yes. The SiteSecurityScore REST API accepts the same authentication key. You can call POST /api/v1/scan with your URL and get structured JSON results back, which is useful for CI/CD pipelines. See the API reference at sitesecurityscore.com/api-reference.

How to Add a Security Scanner to Claude Code with MCP

Claude Code is a terminal AI coding assistant that can call external tools directly through the Model Context Protocol (MCP, an open standard that lets AI assistants connect to external tools and services). Most developers use it to write, explain, and refactor code. But Claude Code can also run security scans, read the results, and immediately fix the issues it finds, all in the same conversation.

This article shows how to connect SiteSecurityScore to Claude Code using MCP so that security becomes a natural part of your development workflow rather than something you do (or forget) before launch.

What is MCP#

The Model Context Protocol is an open standard that lets AI assistants connect to external tools and services. Think of it as a plugin system: you add a server to your configuration, and Claude can call that server's tools as naturally as it generates code. The protocol is maintained by Anthropic and supported across Claude Code, the Claude desktop app, and third-party clients.

In Claude Code specifically, MCP works like this: you add server definitions to a config file, Claude discovers the available tools on startup, and you ask Claude to use them in plain language. "Scan this URL" becomes a tool call behind the scenes, the server runs the scan, and Claude receives structured results to work with before it writes a single line of code.

The difference from copy-pasting is significant. Without MCP you would scan manually, copy the output, paste it into your conversation, and then ask Claude to fix things, then copy the fix and apply it manually. With MCP, Claude handles the scanning itself and already has the full results in context when it writes the fix. The whole loop collapses into a single conversation turn.

Without MCP

Manually open the scanner in your browser
Enter the URL and wait for results
Copy the output text
Paste it into Claude conversation
Ask Claude to write a fix
Copy the fix code back to your editor
Apply the change manually

With MCP Connector

Ask Claude to scan and fix
Claude calls the scanner tool
Results arrive in context automatically
Claude writes targeted fix code
Claude applies the fix to your files
Claude re-scans to confirm the grade improved

Security belongs in your editor#

Security issues are cheapest to fix at the moment of creation. By the time a site is live with real users, fixing a missing HSTS (HTTP Strict Transport Security, a header that tells browsers to only connect over HTTPS) header or a wildcard CORS policy requires a deployment, testing, and potentially notifying users about the window of exposure.

AI tools, Claude Code included, write functional code very well but do not automatically add security headers. The HTTP response headers that protect a site from XSS (Cross-Site Scripting, attacks where malicious scripts are injected into a webpage and run in other users' browsers), clickjacking (an attack where a transparent iframe tricks users into clicking things they did not intend to click), and other browser-level threats require explicit configuration that is easy to forget when you are focused on shipping a feature.

A Content Security Policy (CSP, a response header that tells browsers which scripts, styles, and resources are allowed to load on a page) does not appear automatically when Claude scaffolds an Express app. Neither does an X-Frame-Options header or a Permissions-Policy. An MCP-connected scanner turns security from a one-time launch audit into a routine check you can run whenever you deploy.

Security posture degrades over time

Many developers scan once before launch and consider it done. Every new feature can add new scripts, new third-party services, and new API endpoints that weaken your existing headers. Running a scan after every significant deployment takes 30 seconds and catches regressions before users encounter them.

Installing the connector#

Step 1: Get an API key

Visit sitesecurityscore.com and create a free account.
Go to the API Keys page in your account dashboard.
Click "Generate new key" and copy the key. It starts with sss_ followed by 40 hex characters.

Step 2: Add the server to Claude Code

Claude Code reads MCP server configuration from .mcp.json in your project root. This is the recommended approach. For a global setup that applies across all projects, use the CLI: claude mcp add --transport http sitesecurityscore https://www.sitesecurityscore.com/mcp. Create .mcp.json in your project root with the following:

.mcp.json (project root)

{
  "sitesecurityscore": {
    "type": "http",
    "url": "https://www.sitesecurityscore.com/mcp",
    "headers": {
      "Authorization": "Bearer YOUR_API_KEY"
    }
  }
}

Replace YOUR_API_KEY with the key you copied. The type: "http" field tells Claude Code this is an HTTP transport MCP server rather than a local process.

Keep your API key out of version control

The API key is sent with every scan request as a Bearer token. Add .mcp.json to your .gitignore to prevent accidentally committing it. If you prefer global config, the ~/.claude/settings.json file lives outside any repository.

Step 3: Restart Claude Code

After adding the configuration, restart Claude Code (or reload the VS Code window if you are using the extension). Claude discovers available tools on startup by querying each configured MCP server. You can confirm it worked by asking Claude directly:

Claude Code terminal

> What security tools do you have available?

I have access to the SiteSecurityScore MCP connector, which gives me
a scan_site tool. I can scan any publicly accessible URL and get a
full security report covering headers, TLS, DNS, email security, and
more. Just give me a URL and I'll run the scan.

Running your first security scan#

With the connector active, you can ask Claude to scan any public URL in plain language. Here is a complete example conversation showing what the interaction looks like from start to finish.

Scan https://myapp.vercel.app for security issues

Calling scan_site with URL: https://myapp.vercel.app

scan_site result

Security scan: https://myapp.vercel.app
Grade: C
Scanned: 2026-04-30T14:22:08Z

PASSING
  Transport Security      HTTPS enforced, valid cert, HSTS configured
  Information Hygiene     No sensitive headers exposed

NEEDS ATTENTION
  Content Security Policy
    [HIGH]  No Content Security Policy header.
           Fix: Add: Content-Security-Policy: default-src 'self'

  Clickjacking Protection
    [MEDIUM]  No clickjacking protection.
           Fix: Add: Content-Security-Policy: frame-ancestors 'none'

  DNS / Email Security
    [HIGH]  No DMARC record.
           Fix: Add TXT record at _dmarc: v=DMARC1; p=reject; rua=mailto:security@yourdomain.com

The scan found three issues worth addressing. Your transport security is in good shape (HTTPS is working and HSTS is configured), but the site is missing some important response headers.

The two HIGH severity findings are: no Content Security Policy and no DMARC record. The CSP absence means browsers have no guidance on which scripts are allowed to run, leaving the door open to cross-site scripting attacks. The missing DMARC record means your domain can be spoofed in phishing emails.

The MEDIUM finding is missing clickjacking protection. Without a frame-ancestors directive, attackers could embed your app in a hidden iframe on a malicious site.

Want me to fix the CSP and clickjacking issues in your Express app? I can also walk you through the DMARC DNS record if you have access to your DNS provider.

Reading the scan output

PASSING sections confirm what is already configured correctly. These do not need attention.
NEEDS ATTENTION lists issues grouped by category. Each finding includes a severity (HIGH, MEDIUM, or LOW) and a specific fix instruction.
The grade (A+ through F) gives an overall picture. A "C" means some important protections are missing but the basics are in place.
HIGH severity findings are the ones to address first. They represent gaps that active attackers exploit routinely.

If you want to understand the full picture of what a typical AI-generated app looks like before scanning, the guide on scanning vibe-coded apps for security issues covers the most common gaps in detail.

Getting Claude to implement fixes#

Once Claude has the scan results in context, you can ask it to implement the fixes directly. Because Claude already knows your codebase structure from the conversation, the fixes it writes are targeted rather than generic.

Go ahead and fix the CSP and clickjacking issues in my Express app

I'll create a security headers middleware using the helmet package, which handles CSP, clickjacking protection, and several other headers in one place. First, install it if you haven't already: npm install helmet. Then I'll create middleware/security-headers.js:

middleware/security-headers.js

// middleware/security-headers.js
import helmet from 'helmet';

export function applySecurityHeaders(app) {
  app.use(helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'"],
        styleSrc: ["'self'", "'unsafe-inline'"],
        imgSrc: ["'self'", "data:", "https:"],
        connectSrc: ["'self'"],
        fontSrc: ["'self'"],
        objectSrc: ["'none'"],
        mediaSrc: ["'self'"],
        frameSrc: ["'none'"],
      },
    },
    crossOriginOpenerPolicy: { policy: "same-origin" },
    referrerPolicy: { policy: "strict-origin-when-cross-origin" },
  }));
}

After Claude applies the fix, you can ask it to verify the work by running another scan. The conversation continues naturally:

Now re-scan and confirm the issues are fixed

Calling scan_site with URL: https://myapp.vercel.app

The grade improved from C to B. The Content Security Policy is now present and the frame-ancestors directive is blocking framing. The remaining open item is the DMARC DNS record, which requires access to your DNS provider. Want me to write the exact TXT record value you need to add?

Security headers by framework

Each framework has its own preferred location for response headers. Claude knows these locations but it helps to understand where to look when reviewing the generated code.

Express/Node.js: use the helmet middleware, or set headers manually in app.use()
Next.js: use the headers() function in next.config.js
Vercel: add a headers array in vercel.json
Netlify: create a _headers file in your public directory

next.config.js

// next.config.js
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'",
          },
          {
            key: 'X-Frame-Options',
            value: 'DENY',
          },
          {
            key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin',
          },
        ],
      },
    ];
  },
};

module.exports = nextConfig;

vercel.json

// vercel.json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'"
        },
        {
          "key": "Referrer-Policy",
          "value": "strict-origin-when-cross-origin"
        }
      ]
    }
  ]
}

Advanced workflows#

Once the connector is set up, you can build recurring habits around it. Here are three workflows that work well for developers building and iterating on production sites.

Scan after every deployment

After deploying to Vercel or Netlify, ask Claude: "Scan [URL] and tell me if anything regressed from last time." Claude runs the scan and flags any new issues introduced by the latest feature. New third-party scripts, new API integrations, and configuration changes can all affect your security posture, and catching them immediately keeps your grade from drifting downward over time.

Example prompt

Scan https://myapp.vercel.app and compare to the last time we scanned.
Flag anything new that appeared or any score that dropped.

Security first development sessions

Start a new feature by asking Claude to scan first and fix any existing issues before writing new code. This prevents accumulating security debt across iterations. When you add the new feature, you know the baseline is clean, so any new findings introduced by your changes are immediately visible.

Example prompt

Before we start: scan https://myapp.vercel.app, fix all HIGH issues,
then let's add the user authentication feature.

Pre-launch security review

Before sharing a project publicly, ask Claude for a full security review in one prompt. Claude scans the URL, lists all findings by severity, fixes all HIGH issues, and summarizes what was changed. Because Claude uses the scan results alongside its knowledge of your codebase, the fixes are specific to your stack rather than copy-pasted from documentation.

Example prompt

Do a full pre-launch security review of https://myapp.vercel.app.
Scan it, fix all HIGH and MEDIUM issues in the codebase,
then give me a summary of what was fixed and what remains.

Frequently asked questions#

References

Model Context Protocol Specification(Anthropic)HTTP Security Headers Reference(MDN)

How to Add a Security Scanner to Claude Code with MCP

What is MCP#

Security belongs in your editor#

Installing the connector#

Step 1: Get an API key

Step 2: Add the server to Claude Code

Step 3: Restart Claude Code

Running your first security scan#

Reading the scan output

Getting Claude to implement fixes#

Security headers by framework

Advanced workflows#

Scan after every deployment

Security first development sessions

Pre-launch security review

Frequently asked questions#

References

Continue reading

How to Scan Your Vibe Coded App for Security Issues

How to Add a Security Scanner to ChatGPT Codex with MCP

Website Security Best Practices

Start scanning from Claude Code