Scan Your App for Security From Inside Cursor and Claude
SimplyScan now runs an MCP server, so your AI coding assistant can scan your app and run security checks without leaving the editor. Here is how it works.
By Daniel A · Kraftwire Software · 5 min read
Key Takeaway
You build in your AI editor. You should be able to *check your work* there too. SimplyScan now runs a **Model Context Protocol (MCP) server**, so assistants like Claude, Cursor, and Windsurf can run a real security scan — and every one of our free checks — without you ever leaving the editor. The fix loop gets shorter: your agent finds the issue, writes the fix, and re-scans, all in one conversation.
What is MCP, quickly
Model Context Protocol is an open standard that lets AI assistants connect to external tools. Instead of copy-pasting output between a website and your editor, your agent calls the tool directly and reads the structured result. It has quickly become the common language for "give my AI assistant a new capability."
What SimplyScan's MCP server exposes
Once connected, your assistant gets these tools:
**`scan_website`** — a full free security & speed scan of a deployed URL (exposed secrets, missing Supabase RLS, frontend leaks, speed issues).
**`check_security_headers`** — grade CSP, HSTS, and other headers A–F.
**`check_ai_visibility`** — the AEO check: can ChatGPT, Claude, Perplexity, and Google crawl and cite your site?
**`check_seo`** — on-page SEO audit.
**`check_ssl`** — certificate issuer, expiry, and protocol.
**`check_email_security`** — SPF, DKIM, and DMARC.
**`check_exposed_files`** — probes for leaked `.env`, `.git`, and backups.
Why this matters for vibe-coded apps
AI tools generate code fast, and they often generate *insecure* code — hardcoded keys, missing row-level security, unprotected endpoints. The tightest possible feedback loop is one where the same assistant that wrote the code can immediately check it:
> "Scan my deployed app for security issues, then fix the top three and re-scan."
That single prompt now works. No context-switching, no dashboards, no copy-paste — the agent runs the scan, gets structured findings, applies fixes, and verifies.
How to connect it
Add SimplyScan's MCP endpoint to your assistant's MCP configuration:
https://wpyoohiwuephrhgeoctb.supabase.co/functions/v1/mcp
In a client that supports remote MCP servers (Claude, Cursor, Windsurf), add it as a Streamable-HTTP server. Then ask your assistant to "list SimplyScan tools" and it will show the seven checks above. From there, just describe what you want scanned.
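Before trusting a remote MCP server, it is worth confirming that the tools it advertises are the seven documented above. The following is an added example, not SimplyScan's code: it assumes the standard MCP `tools/list` JSON-RPC method and response shape, and the sample reply (including the `extra_tool` name) is constructed so the check runs offline.

```python
import json

# The seven tool names listed on this page.
EXPECTED_TOOLS = frozenset({
    "scan_website", "check_security_headers", "check_ai_visibility", "check_seo",
    "check_ssl", "check_email_security", "check_exposed_files",
})

# Constructed sample: an SSE-framed tools/list reply advertising one extra tool.
SAMPLE_SSE = (
    "event: message\n"
    'data: {"jsonrpc":"2.0","id":1,"result":{"tools":['
    '{"name":"scan_website"},{"name":"check_ssl"},{"name":"extra_tool"}]}}\n\n'
)

def tools_list_request(request_id=1):
    """JSON-RPC 2.0 body an MCP client POSTs (after initialize) to list tools."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/list"}

def parse_response(body, content_type):
    """Extract the JSON-RPC reply from a plain-JSON or SSE response body."""
    if content_type.split(";")[0].strip().lower() != "text/event-stream":
        return json.loads(body)
    for event in body.replace("\r\n", "\n").split("\n\n"):
        data = [ln[5:].lstrip() for ln in event.split("\n") if ln.startswith("data:")]
        if data:
            message = json.loads("\n".join(data))
            if "result" in message or "error" in message:
                return message
    raise ValueError("no JSON-RPC response found in event stream")

def audit_tools(message):
    """Diff the advertised tool names against the documented set."""
    if "error" in message:
        raise RuntimeError(f"server returned error: {message['error']}")
    advertised = {tool["name"] for tool in message["result"]["tools"]}
    return {"unexpected": sorted(advertised - EXPECTED_TOOLS),
            "missing": sorted(EXPECTED_TOOLS - advertised)}

if __name__ == "__main__":
    print(json.dumps(tools_list_request()))
    print(audit_tools(parse_response(SAMPLE_SSE, "text/event-stream")))
```

A non-empty `unexpected` list means the server exposes a tool this page does not describe, which is a reason to review it before letting an agent call it.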
Bottom line
Security that lives in a separate tab gets skipped. Security that lives inside the editor where you already work gets done. Connect the MCP server once, and "is this safe to ship?" becomes a question your AI assistant can actually answer.