Yes, Web Doctor is free to use.

How do I install Web Doctor?

Web Doctor is a local plugin. Install it using npm package: web-doctor-mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Web Doctor need?

Web Doctor requires the following credentials or environment variables: X402_PAYTO, X402_NETWORK, X402_PRICE, X402_FACILITATOR_URL, X402_ENABLED. You can find setup instructions on the server detail page.

What AI apps work with Web Doctor?

Web Doctor uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Web Doctor MCP Server

by Baneado98

Developer ToolsModerate5.2MCP RegistryLocal

Free

Server data from the Official MCP Registry

Live web health grade (A-F): TLS cert validity/expiry, TLS version, HTTPS redirect, security headers

About

Live web health grade (A-F): TLS cert validity/expiry, TLS version, HTTPS redirect, security headers

Security Report

5.2

Moderate5.2Moderate Risk

web-doctor is a well-designed security audit tool with proper authentication (x402 payment gating for premium routes, rate-limiting for free tier) and appropriate code quality. The tool performs legitimate read-only TLS and HTTP inspection. Minor code quality issues around error handling and input validation do not materially impact security; permissions are well-scoped to the stated purpose (network_http for live checks, env_vars for configuration). Supply chain analysis found 4 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.

6 files analyzed · 10 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

network_tls

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

receiving wallet (default set)Optional

Environment variable: X402_PAYTO

base (default)Optional

Environment variable: X402_NETWORK

$0.02 (default)Optional

Environment variable: X402_PRICE

mainnet facilitator that settles on the chosen network (required to actually collect on mainnet)Optional

Environment variable: X402_FACILITATOR_URL

false to disable paid routesOptional

Environment variable: X402_ENABLED

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-baneado98-web-doctor": {
      "env": {
        "X402_PAYTO": "your-x402-payto-here",
        "X402_PRICE": "your-x402-price-here",
        "X402_ENABLED": "your-x402-enabled-here",
        "X402_NETWORK": "your-x402-network-here",
        "X402_FACILITATOR_URL": "your-x402-facilitator-url-here"
      },
      "args": [
        "-y",
        "web-doctor-mcp"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

web-doctor 🩺

Give it a domain, get an A–F health grade for its TLS, HTTPS and security headers — checked live.

web-doctor opens a real TLS connection to the target and fetches its HTTP headers, then grades:

🔐 TLS certificate — validity & trusted issuer, hostname (SAN) match, days until expiry, self-signed / expired detection
🧩 TLS version — flags obsolete TLS 1.0/1.1; notes TLS 1.2 vs the stronger TLS 1.3
↪️ HTTPS upgrade — does plain http:// 301-redirect to https://?
🛡️ Security headers — Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — present and well-formed
⚡ Availability — HTTP status & response latency

…and returns a single A–F grade with a concrete fix for every issue.

It is read-only: it never logs in or changes anything on the target.

Why an MCP / API and not just a script?

An LLM agent can't open a socket or finish a TLS handshake on its own. web-doctor does the live network work server-side and hands back a clean, graded verdict — so an agent (or a CI step) can audit a deployment in one call.

Use it as an MCP server (free)

{
  "mcpServers": {
    "web-doctor": { "command": "npx", "args": ["-y", "web-doctor-mcp"] }
  }
}

Tools:

check_website_health — { "target": "example.com" }
check_many — { "targets": ["example.com", "github.com"] }

Or connect over HTTP at POST https://web-doctor.vercel.app/mcp.

Free HTTP API

GET https://web-doctor.vercel.app/check?target=example.com
GET https://web-doctor.vercel.app/check?target=https://github.com
GET https://web-doctor.vercel.app/check_many?targets=example.com,github.com,vercel.com

Rate-limited to 30 requests/hour/IP.

Pay-per-call (x402) — no sign-up, no API key

The /pro/* routes are gated by x402. Your agent pays $0.02 USDC per call automatically and gets the result. Settles on-chain (Base) to the operator wallet.

GET https://web-doctor.vercel.app/pro/check?target=<domain>        # 402 → pay → result
GET https://web-doctor.vercel.app/pro/check_many?targets=...        # up to 50 targets

Example output

🟢 A  —  github.com  (health score 96/100)
A — github.com is healthy: valid certificate, HTTPS enforced and the key security headers are in place.

TLS / certificate:
  • Protocol: TLSv1.3  cipher=TLS_AES_128_GCM_SHA256  handshake=84ms
  • Certificate: valid & trusted  issuer=CN=Sectigo ...  expires in 220d

HTTP:
  • Status 200  latency=140ms  server=github.com
  • HTTP→HTTPS redirect: yes

Security headers:
  ✅ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  ✅ Content-Security-Policy: default-src 'none'; ...
  ✅ X-Frame-Options: deny
  ✅ X-Content-Type-Options: nosniff
  ✅ Referrer-Policy: ...
  ✅ Permissions-Policy: ...

Develop

npm install
npm run build
npm run test:engine        # live smoke test
npm run dev:http           # local server on :8080 (payments default ON; set X402_ENABLED=false to disable)
npm run dev:mcp            # stdio MCP server

Environment (deploy)

Var	Purpose
`X402_PAYTO`	receiving wallet (default set)
`X402_NETWORK`	`base` (default)
`X402_PRICE`	`$0.02` (default)
`X402_FACILITATOR_URL`	mainnet facilitator that settles on the chosen network (required to actually collect on mainnet)
`X402_ENABLED`	`false` to disable paid routes

License

MIT

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Web Doctor MCP Server

About

Security Report

Findings (10)Action required

Permissions Required

What You'll Need

How to Install

Documentation

web-doctor 🩺

Why an MCP / API and not just a script?

Use it as an MCP server (free)

Free HTTP API

Pay-per-call (x402) — no sign-up, no API key

Example output

Develop

Environment (deploy)

License

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent

mcp-creator-typescript