TLS Version

GET /v1/domain/tls-version (free)

Verifies TLS connectivity for a domain and confirms support for modern TLS versions (1.2+). Note: Cloudflare Workers negotiate TLS 1.2 or 1.3 automatically; individual version testing requires dedicated tools like testssl.sh or SSL Labs.

What It Does

Performs a TLS handshake with the domain to verify connectivity. A successful connection confirms the server supports at minimum TLS 1.2. TLS 1.3 support may also be present but cannot be independently confirmed from this environment. For precise per-version enumeration, use testssl.sh, nmap, or Qualys SSL Labs.

Why It's Useful

TLS version support directly impacts security posture. PCI DSS 4.0.1 (current version) and NIST SP 800-52r2 require TLS 1.2 as a minimum, and HIPAA follows similar guidance. This endpoint helps verify compliance and identify servers needing protocol updates.

Use Cases

Compliance Officer

Security Compliance Audit

Verify all public-facing servers have disabled TLS 1.0 and 1.1 as required by PCI DSS 4.0.

Maintain compliance by identifying servers with deprecated TLS versions.

Penetration Tester

Security Assessment

Identify weak TLS configurations during security assessments.

Document TLS misconfigurations for remediation recommendations.

DevOps Engineer

Infrastructure Hardening

Verify TLS configuration after hardening load balancers or web servers.

Confirm TLS hardening was applied correctly across infrastructure.

Parameters

Name (type, required or optional): Description
domain (string, required): The domain to check TLS version support for. Example: example.com
port (number, optional): Port to connect to (default: 443). Example: 443

Response Fields

Field (type): Description
domain (string): The queried domain
port (number): The port used for connection
negotiated (string | null): The single TLS version Workers negotiated to this origin (e.g. TLSv1.3). Older versions cannot be enumerated from a Worker; use testssl.sh for that.
negotiatedCipher (string | null): Negotiated cipher suite (from Cloudflare metadata, or null if unavailable)
pqHybrid (object): Post-quantum hybrid key exchange signal: { group: "X25519MLKEM768", supported: boolean | null, provider, note }. supported=true for known PQ-enabled edges (Cloudflare, Google, Meta as of 2026).
alignsWith (object): Phase 2: profile alignment derived from the negotiated tuple. { mozilla_modern, mozilla_intermediate, nist_sp_800_52r2, pci_dss_4, notes }. Boolean values are positive-only: true when confirmed-aligned, null when unverifiable from a single-flow Workers fetch, false only when the negotiated tuple is explicitly outside the policy.
note (string): Methodology disclaimer about Workers-imposed visibility limits
recommendations (array): Security improvement suggestions
supportedVersions (array): [deprecated] Use `negotiated`. Kept for backwards compatibility.
preferredVersion (string | null): [deprecated] Use `negotiated`.
deprecatedVersions (array): [deprecated] Workers cannot enumerate; always empty. Will be removed in a future schema revision.
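
The following is an added example, not code from the original page or from the API's own documentation. It shows one way a compliance gate could interpret the fields above: `alignsWith` values are treated as tri-state, and an empty `deprecatedVersions` is never read as proof that TLS 1.0/1.1 are disabled. The helper names (`parse_version`, `evaluate`) and the sample responses are constructed for illustration.

```python
import re

# Constructed sample responses, shaped after the Response Fields listed above.
SAMPLES = {
    "aligned": {"domain": "example.com", "port": 443, "negotiated": "TLSv1.3",
                "alignsWith": {"pci_dss_4": True, "nist_sp_800_52r2": None},
                "deprecatedVersions": []},
    "outside": {"domain": "legacy.example", "port": 443, "negotiated": "TLSv1.2",
                "alignsWith": {"pci_dss_4": False, "nist_sp_800_52r2": False},
                "deprecatedVersions": []},
    "no_handshake": {"domain": "down.example", "port": 443, "negotiated": None,
                     "alignsWith": {}, "deprecatedVersions": []},
}


def parse_version(label):
    """Turn a label such as 'TLSv1.3' into (1, 3); None if absent or unrecognised."""
    match = re.fullmatch(r"TLSv(\d+)\.(\d+)", label or "")
    return (int(match.group(1)), int(match.group(2))) if match else None


def evaluate(resp, profile="pci_dss_4"):
    """Hypothetical helper: return (verdict, reasons) for one API response."""
    version = parse_version(resp.get("negotiated"))
    if version is None:
        return "unverified", ["no negotiated TLS version reported"]
    if version < (1, 2):
        return "fail", [f"negotiated {resp['negotiated']} is below TLS 1.2"]

    # alignsWith is tri-state: True = confirmed, False = explicitly outside the
    # policy, None = not decidable from a single handshake. None is not a pass.
    aligned = (resp.get("alignsWith") or {}).get(profile)
    if aligned is True:
        verdict, reasons = "pass", [f"{profile}: negotiated tuple confirmed aligned"]
    elif aligned is False:
        verdict, reasons = "fail", [f"{profile}: negotiated tuple outside policy"]
    else:
        verdict, reasons = "unverified", [f"{profile}: not verifiable from one flow"]

    # deprecatedVersions is always empty, so it is no evidence that TLS 1.0/1.1
    # are disabled; that still needs per-version enumeration.
    reasons.append("legacy versions not enumerated; confirm with testssl.sh")
    return verdict, reasons


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, *evaluate(sample))
```
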

Code Examples

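cURL

# -G makes curl send the -d data as a query string on a GET request;
# without it, -d turns the request into a POST.
curl -G "https://api.edgedns.dev/v1/domain/tls-version" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"

JavaScript

const response = await fetch(
  'https://api.edgedns.dev/v1/domain/tls-version?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);

// Surface HTTP errors instead of parsing an error body as a result
if (!response.ok) {
  throw new Error(`Request failed with status ${response.status}`);
}

const data = await response.json();
console.log(data);

Python

import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/tls-version',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'example.com'},
    timeout=10,  # avoid hanging indefinitely on a stalled connection
)
response.raise_for_status()  # raise on 4xx/5xx instead of parsing an error body

data = response.json()
print(data)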
