Bridges Caido with MCP clients to view history, send requests, scan for vulnerabilities, and retrieve findings.
Configuration

```json
{
  "mcpServers": {
    "fazcomia-mcp-caido": {
      "url": "http://localhost:3000/mcp/call",
      "headers": {
        "MCP_PORT": "3000",
        "CAIDO_URL": "http://127.0.0.1:8080/graphql",
        "MCP_API_KEY": "mcp-dev-key",
        "CAIDO_API_TOKEN": "your_token_here"
      }
    }
  }
}
```

You can run a Caido MCP Server that acts as a bridge to Caido, enabling AI agents to analyze traffic, forge and send requests, run basic vulnerability checks, and retrieve findings from your Caido instance running locally. This setup helps you automate security testing workflows with MCP-enabled clients.
Connect your MCP client to the Caido MCP Server at the locally exposed endpoint. Use the provided MCP URL to send requests from your agent or toolchain. You can view request history, forge and send HTTP requests through Caido’s engine, run basic automated XSS/SQLi checks, and fetch the findings reported by Caido.
# Prerequisites
- Node.js installed
- Caido running locally on port 8080 (default)
- Caido API Token available from Settings -> API

# Install the MCP server for Caido
```bash
git clone https://github.com/FazcomIA/mcp-caido.git
cd mcp-caido
npm install
```

# Configure environment variables
Create a `.env` file in the project root with the following values:
```
CAIDO_URL=http://127.0.0.1:8080/graphql
CAIDO_API_TOKEN=your_token_here
MCP_PORT=3000
MCP_API_KEY=mcp-dev-key
```

# Start the MCP server
```bash
node server.js
```
After starting, the MCP server listens for calls at http://localhost:3000/mcp/call and requires the API key header `X-API-Key: mcp-dev-key`. Replace `your_token_here` and `mcp-dev-key` with your actual Caido API token and MCP key respectively. These environment values are what let the MCP server reach Caido and run locally; keep them secret and do not expose them publicly.
Two security points matter in this setup: the server binds to a local port, and access to it is protected by the API key. By default everything runs locally; avoid exposing the server to untrusted networks.
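As an added example (not part of the mcp-caido project), a small Node script that parses the `.env` described above and flags settings that undermine the local-only setup: the placeholder token, the default dev MCP key, a `CAIDO_URL` that does not point at loopback, or an invalid port. The parser, the `checkConfig` function and the sample `.env` text are my own and assume only the four variable names shown above.

```javascript
// Added example: sanity-check the mcp-caido .env before starting server.js.
// parseDotenv and checkConfig are hypothetical helpers, not project code.
const PLACEHOLDER_TOKEN = 'your_token_here'; // value shipped in the docs
const DEFAULT_MCP_KEY = 'mcp-dev-key';       // default dev key from the docs
const REQUIRED = ['CAIDO_URL', 'CAIDO_API_TOKEN', 'MCP_PORT', 'MCP_API_KEY'];

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

function isLoopback(hostname) {
  return ['localhost', '127.0.0.1', '::1', '[::1]'].includes(hostname);
}

// Returns a list of problems; an empty list means the config is local-only
// and no documented placeholder or default secret is still in use.
function checkConfig(env) {
  const problems = [];
  for (const key of REQUIRED) if (!env[key]) problems.push(`${key} is missing`);
  if (env.CAIDO_API_TOKEN === PLACEHOLDER_TOKEN) problems.push('CAIDO_API_TOKEN is still the placeholder');
  if (env.MCP_API_KEY === DEFAULT_MCP_KEY) problems.push('MCP_API_KEY is still the default dev key');
  if (env.CAIDO_URL) {
    try {
      const u = new URL(env.CAIDO_URL);
      if (!isLoopback(u.hostname)) problems.push(`CAIDO_URL points at non-loopback host ${u.hostname}`);
    } catch { problems.push('CAIDO_URL is not a valid URL'); }
  }
  const port = Number(env.MCP_PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) problems.push('MCP_PORT is not a valid port');
  return problems;
}

// Constructed sample: the .env from the docs with its placeholders left in.
const SAMPLE_ENV = ['CAIDO_URL=http://127.0.0.1:8080/graphql', 'CAIDO_API_TOKEN=your_token_here',
  'MCP_PORT=3000', 'MCP_API_KEY=mcp-dev-key'].join('\n');

const sampleProblems = checkConfig(parseDotenv(SAMPLE_ENV));
console.log(sampleProblems.length ? sampleProblems.join('\n') : 'config ok');
```

Run it from the project root against your real `.env` (read the file instead of `SAMPLE_ENV`) and fix anything it reports before exposing the endpoint to an MCP client.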
If you need to adjust the Caido connection, update the .env values accordingly and restart the MCP server.
If the server fails to start, verify Node.js installation, ensure Caido is accessible at the configured URL, and confirm that the Caido API token is valid. Check that port 3000 is not in use by another process.
The MCP server exposes an HTTP bridge endpoint for remote clients and a local stdio command for development and integrated tooling. Use the HTTP endpoint for remote MCP clients and the local runtime command for testing in your development environment.
The server exposes tools that let an MCP client:
- Inspect and analyze traffic captured by the Caido proxy and stored by the MCP server.
- Forge and send HTTP requests through Caido's engine to test targets and observe responses.
- Run basic automated checks for common web vulnerabilities such as XSS and SQLi.
- Retrieve reported vulnerabilities and findings from Caido after tests run.