Cipher Suites
developer
/v1/domain/ciphers
Returns the cipher suites a domain's edge provider is configured to negotiate, based on detected CDN/server identity. NOT a live cipher-by-cipher scan — Cloudflare Workers cannot probe specific ciphers. For sites behind a recognized edge (Cloudflare, AWS CloudFront, Fastly, Akamai, Azure Front Door, Google Cloud CDN, Bunny, KeyCDN, StackPath, Sucuri, CDN77, Imperva — 12 profiles as of 2026-05), the endpoint returns that provider's published default cipher suites with a source URL and verifiedAt date. For unrecognized origins it falls back to the Mozilla Intermediate reference profile.
What It Does
Connects to the domain over TLS, fingerprints the CDN/edge from response headers, then returns the matching reference cipher profile with each entry classified by protocol version, key exchange, authentication, encryption, MAC, AEAD support, forward secrecy, security level (recommended/secure/weak/insecure), and OpenSSL name. Grades follow the tightened 2026 baseline (CBC → D, RSA-kex without PFS → C, 3DES/RC4/NULL → F). Includes a methodology block stating profile name, source URL, and verifiedAt date so consumers know this is reference data, not measurement.
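An added sketch, not EdgeDNS's grading code, that applies the three caps named above to OpenSSL cipher names, where CBC mode and RSA key exchange have to be inferred because the name never spells them out. The worst-cap-wins ordering, folding single DES in with 3DES, and the sample names are assumptions.

```python
# Caps stated on this page: 3DES/RC4/NULL -> F, CBC -> D, RSA key exchange
# without PFS -> C. "Worst cap wins" is an assumption of this sketch.
BROKEN = {"DES": "DES/3DES", "RC4": "RC4", "NULL": "NULL"}  # single DES folded in (assumption)
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
# OpenSSL gives RSA key-exchange suites no key-exchange prefix, so the
# name starts with the bulk cipher (AES128-SHA, CAMELLIA256-SHA, ...).
RSA_KEX_STARTS = ("AES", "CAMELLIA", "ARIA", "SEED", "IDEA")
SEVERITY = {None: 0, "C": 1, "D": 2, "F": 3}


def baseline_cap(openssl_name):
    """Return (cap, reason) for one OpenSSL cipher name; (None, None) if no cap applies."""
    name = openssl_name.upper()
    if "_WITH_" in name:
        raise ValueError("IANA name given; expected the OpenSSL name")
    for token, label in BROKEN.items():
        if token in name:
            return "F", label
    if name.startswith("TLS_"):
        # OpenSSL uses TLS_* only for TLS 1.3 suites: AEAD, ephemeral key exchange.
        return None, None
    if not any(marker in name for marker in AEAD_MARKERS):
        # OpenSSL names omit "CBC": a block cipher with no AEAD marker is CBC mode.
        return "D", "CBC"
    if name.startswith(RSA_KEX_STARTS):
        return "C", "RSA key exchange, no forward secrecy"
    return None, None


def worst_cap(openssl_names):
    """Worst cap across a whole profile, e.g. the openSslName of each entry."""
    caps = [baseline_cap(n)[0] for n in openssl_names]
    return max(caps, key=SEVERITY.get, default=None)


# Constructed sample names, not output from the endpoint.
SAMPLE_NAMES = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                "AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, baseline_cap(n))
```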
Why It's Useful
Cipher suite configuration determines the actual encryption strength of TLS connections. Weak ciphers (RC4, DES, export ciphers) can be exploited even with modern TLS versions, and missing forward secrecy means a compromised server key decrypts all past traffic. Regular cipher auditing against Mozilla SSL Configuration Generator (modern/intermediate profiles) and NIST SP 800-52r2 is required for PCI-DSS and SOC 2 compliance.
Use Cases
Security Hardening Verification
After configuring cipher suites, verify only strong ciphers are enabled and properly ordered.
Confirm cipher hardening is effective and no weak ciphers remain.
Compliance Assessment
Verify cipher suite configuration meets compliance requirements (e.g., NIST guidelines).
Document cipher compliance for regulatory audits.
Vulnerability Assessment
Identify weak cipher suites that could be exploited in downgrade attacks.
Find cryptographic weaknesses during security assessments.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to analyze cipher suites for. Example: `example.com` |
| port | number | Optional | Port to connect to (default: 443). Example: `443` |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| port | number | The port used for connection |
| overallGrade | string | Overall cipher suite security grade (A+ through F) |
| reference_ciphers | array | Cipher suites from the detected/reference profile with name, grade, protocol, openSslName, keyExchange, authentication, encryption, mac, isAEAD, forwardSecrecy, securityLevel, keySize, and issues. NOT a measurement — these are the provider's published defaults; site owners can override. |
| methodology | object | `{ type: "cdn-default" \| "reference-profile", profile_name, source_url, verified_at, note }` — provenance for the cipher list so consumers can audit the data. |
| pq_hybrid | object | Post-quantum hybrid signal: `{ group: "X25519MLKEM768", supported: boolean \| null, provider, note }`. `true` for Cloudflare/Google/Meta edges that terminate X25519MLKEM768 by default. |
| ciphers | array | [deprecated] Alias for reference_ciphers — will be removed once clients migrate. |
| bestCipher | string | Name of the strongest cipher suite |
| worstCipher | string | Name of the weakest cipher suite |
| issues | array | Security issues found with the cipher configuration |
| recommendations | array | Actionable cipher suite improvement suggestions |
| serverInfo | object | Detected CDN and server information (cdn, server) |
| analysisMethod | string | How the cipher data was obtained: cdn-detected or reference |
| tlsVersions | array | TLS versions supported by the cipher profile |
| supportsForwardSecrecy | boolean | Whether any cipher provides perfect forward secrecy |
| supportsAEAD | boolean | Whether any cipher uses authenticated encryption (AEAD) |
| mozillaCompatibility | object | Compatibility with Mozilla Modern and Intermediate TLS profiles |
| count | number | Total number of cipher suites |
| timestamp | string | ISO 8601 timestamp of the analysis |
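One way a consumer might record this response without treating it as a scan result (added example, not EdgeDNS client code). The sample payload is constructed from the field table; the `verified_at` date format, the 180-day staleness window and the `needs_live_scan` rule are assumptions.

```python
from datetime import date

# Constructed response shaped after the field table; all values are invented.
SAMPLE_RESPONSE = {
    "domain": "example.com",
    "analysisMethod": "cdn-detected",
    "methodology": {"type": "cdn-default", "profile_name": "ExampleCDN defaults",
                    "source_url": "https://cdn.example/docs/tls",
                    "verified_at": "2026-01-15"},
    "pq_hybrid": {"group": "X25519MLKEM768", "supported": None},
    "ciphers": [  # only the deprecated alias is present in this sample
        {"openSslName": "ECDHE-RSA-AES128-GCM-SHA256", "securityLevel": "recommended"},
        {"openSslName": "AES128-SHA", "securityLevel": "weak"},
    ],
}


def review(resp, today, max_age_days=180):
    """Summarise a response for an audit record without overstating it."""
    meth = resp.get("methodology", {})
    # Prefer reference_ciphers; fall back to the deprecated alias.
    entries = resp.get("reference_ciphers") or resp.get("ciphers") or []
    flagged = [e["openSslName"] for e in entries
               if e.get("securityLevel") in ("weak", "insecure")]
    # Assumption: verified_at starts with an ISO date (YYYY-MM-DD).
    verified = meth.get("verified_at")
    stale = verified is None or (
        (today - date.fromisoformat(verified[:10])).days > max_age_days)
    pq = resp.get("pq_hybrid", {}).get("supported")
    is_cdn_default = meth.get("type") == "cdn-default"
    return {
        # Both methodology types are reference data, so never record "measured".
        "evidence": "provider default" if is_cdn_default
                    else "generic reference profile",
        "source": meth.get("source_url"),
        "stale": stale,
        "flagged": flagged,
        # supported is tri-state: null means unknown, not "unsupported".
        "pq_hybrid": {True: "yes", False: "no"}.get(pq, "unknown"),
        # Owners can override provider defaults, so confirm findings on the host.
        "needs_live_scan": bool(flagged) or not is_cdn_default,
    }


if __name__ == "__main__":
    print(review(SAMPLE_RESPONSE, date(2026, 5, 1)))
```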
Code Examples
```bash
# -G sends the -d data as a URL query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/domain/ciphers" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// Query the endpoint with the domain as a query parameter.
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/ciphers?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# requests encodes params into the query string of the GET request.
response = requests.get(
    'https://api.edgedns.dev/v1/domain/ciphers',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```