Security Score
pro/v1/score/security

Calculates a composite website security score (0-100) from 8 weighted components: TLS configuration (25%), security headers (20%), DNSSEC validation (10%), HTTPS enforcement (10%), cookie security (10%), Content Security Policy (10%), certificate chain validity (10%), and WAF detection (5%). Returns a letter grade (A+ to F), a detailed component breakdown with individual scores, a critical issues list, and prioritized remediation recommendations. Methodology inspired by Mozilla Observatory and the OWASP Secure Headers Project scoring approaches.
What It Does
Performs parallel analysis of 8 security dimensions against the target domain over HTTPS. Points are allocated as follows (the components sum to 100):

- TLS (max 25 pts): protocol version (TLS 1.3 earns 15 pts, TLS 1.2 earns 10 pts) plus a cipher strength grade (max 10 pts).
- Security headers (max 20 pts): presence of HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, Cross-Origin-Opener-Policy (COOP), and Cross-Origin-Resource-Policy (CORP), per the OWASP Secure Headers Project checklist.
- DNSSEC (10 pts): checks for DNSKEY records via DNS-over-HTTPS (DoH). This is a presence check rather than a full chain-of-trust validation; a published DNSKEY does not by itself prove that the delegation validates from the root.
- HTTPS enforcement (max 10 pts): 7 pts for an HTTP-to-HTTPS redirect plus 3 pts for HSTS preload eligibility (max-age of at least one year, i.e. 31536000 seconds, together with the includeSubDomains and preload directives).
- Cookie security (max 10 pts): Secure flag (4 pts), HttpOnly (3 pts), and a SameSite attribute (3 pts) on the cookies the site sets.
- CSP (max 10 pts): 5 pts for a Content-Security-Policy header being present, 3 pts for no 'unsafe-inline', and 2 pts for no 'unsafe-eval'.
- Certificate chain (max 10 pts): chain integrity (5 pts) and expiry buffer (the full 5 pts at 60 or more days remaining, scaled down for shorter windows).
- WAF detection (5 pts): looks for web application firewall signatures in the response. Absence of a known signature does not prove that no WAF sits in front of the site.
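The allocation above, carried through as an added worked example. This is not the endpoint's implementation: it applies the published point values to inputs a scanner has already observed (TLS version, cipher grade, response headers, Set-Cookie values, DNSKEY presence, redirect behaviour, chain validity, days to expiry, WAF signature) and derives the grade bands listed under Response Fields. Where the page gives no sub-allocation (equal weight per header, the cipher-grade mapping, linear expiry scaling, and treating a site that sets no cookies as fully compliant), the values are assumptions and are marked as such in the code. The sample observation is constructed, not data from any real host.

```python
from dataclasses import dataclass

# Added illustration of the allocation described above; not the api.edgedns.dev
# implementation. Sub-allocations marked ASSUMPTION are not stated on the page.
CHECKED_HEADERS = (  # the eight OWASP Secure Headers Project headers scored
    "strict-transport-security", "x-content-type-options", "x-frame-options",
    "referrer-policy", "permissions-policy", "content-security-policy",
    "cross-origin-opener-policy", "cross-origin-resource-policy",
)
GRADE_BANDS = ((95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F"))
ONE_YEAR = 31_536_000  # seconds; the max-age floor for HSTS preload eligibility


@dataclass
class Observation:
    tls_version: str          # "TLSv1.3", "TLSv1.2" or older
    cipher_grade: str         # "A".."F" from a cipher-suite scan
    headers: dict             # lowercased response header name -> value
    set_cookies: list         # raw Set-Cookie header values
    dnskey_present: bool      # DNSKEY RRset returned over DoH
    redirects_to_https: bool  # plain-HTTP request was redirected to https://
    chain_valid: bool
    days_until_expiry: int
    waf_detected: bool


def tls_points(o):
    version = {"TLSv1.3": 15, "TLSv1.2": 10}.get(o.tls_version, 0)
    cipher = {"A": 10, "B": 7, "C": 4}.get(o.cipher_grade.upper(), 0)  # ASSUMPTION: mapping
    return version + cipher


def header_points(o):
    present = sum(1 for h in CHECKED_HEADERS if h in o.headers)
    return 20 * present / len(CHECKED_HEADERS)  # ASSUMPTION: equal weight per header


def hsts_preload_eligible(value):
    # max-age >= 1 year plus includeSubDomains and preload, as the page requires.
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((int(d[8:]) for d in directives if d.startswith("max-age=") and d[8:].isdigit()), 0)
    return max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives


def https_points(o):
    hsts = o.headers.get("strict-transport-security", "")
    return (7 if o.redirects_to_https else 0) + (3 if hsts and hsts_preload_eligible(hsts) else 0)


def cookie_points(o):
    if not o.set_cookies:
        return 10  # ASSUMPTION: a site that sets no cookies has nothing to mis-flag
    # Attribute names after each cookie's name=value pair; a flag scores only when
    # every cookie carries it (ASSUMPTION: the weakest cookie decides).
    attrs = [{a.strip().split("=", 1)[0].lower() for a in c.split(";")[1:]} for c in o.set_cookies]
    return sum(pts for flag, pts in (("secure", 4), ("httponly", 3), ("samesite", 3))
               if all(flag in a for a in attrs))


def csp_points(o):
    policy = o.headers.get("content-security-policy", "").lower()
    if not policy:
        return 0
    return 5 + (0 if "'unsafe-inline'" in policy else 3) + (0 if "'unsafe-eval'" in policy else 2)


def cert_points(o):
    # Full 5 pts at 60+ days remaining; ASSUMPTION: linear scaling below that.
    return (5 if o.chain_valid else 0) + 5 * max(0, min(o.days_until_expiry, 60)) / 60


def grade_for(total):
    return next(grade for floor, grade in GRADE_BANDS if total >= floor)


def score(o):
    breakdown = {
        "tls": (tls_points(o), 25), "headers": (header_points(o), 20),
        "dnssec": (10 if o.dnskey_present else 0, 10), "https": (https_points(o), 10),
        "cookies": (cookie_points(o), 10), "csp": (csp_points(o), 10),
        "certChain": (cert_points(o), 10), "waf": (5 if o.waf_detected else 0, 5),
    }
    total = round(sum(pts for pts, _ in breakdown.values()))
    # Recommendations ranked by points recoverable, largest first.
    gaps = sorted(((mx - pts, name) for name, (pts, mx) in breakdown.items() if pts < mx), reverse=True)
    return {"score": total, "grade": grade_for(total), "breakdown": breakdown,
            "recommendations": [f"{name}: {gap:g} pts available" for gap, name in gaps]}


def sample_observation():
    # Constructed scan result for the walk-through; not data from any real host.
    return Observation(
        tls_version="TLSv1.3", cipher_grade="A",
        headers={  # Permissions-Policy deliberately missing
            "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
            "x-content-type-options": "nosniff", "x-frame-options": "DENY",
            "referrer-policy": "strict-origin-when-cross-origin",
            "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
            "cross-origin-opener-policy": "same-origin", "cross-origin-resource-policy": "same-origin",
        },
        set_cookies=["session=abc; Path=/; Secure; HttpOnly; SameSite=Lax", "pref=1; Path=/; Secure"],
        dnskey_present=True, redirects_to_https=True, chain_valid=True, days_until_expiry=45,
        waf_detected=False,
    )
```

Running `score(sample_observation())` on the constructed input yields 82 (grade B): TLS 25, headers 17.5, DNSSEC 10, HTTPS 10, cookies 4 (the second cookie lacks HttpOnly and SameSite), CSP 7 ('unsafe-inline' present), certificate 8.75 (45 days left), WAF 0. The recommendation list leads with cookies, the component with the most points to recover, which is the prioritization the page describes.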
Why It's Useful
A single composite security score simplifies posture communication across technical and non-technical stakeholders. SecurityScorecard research shows F-rated organizations are 13.8x more likely to experience breaches than A-rated ones. The weighted component breakdown pinpoints exactly which areas drag down the overall score, so remediation can be prioritized by impact. It is useful for vendor risk evaluation, compliance reporting (NIST CSF 2.0, CIS Benchmarks, PCI DSS v4.0), M&A technical due diligence, and continuous security monitoring with regression detection.
Use Cases
Security Posture Reporting
Generate security scores for all public-facing domains for board-level reporting. Track score trends across quarters to demonstrate security investment ROI. Mozilla Observatory reports fewer than 10% of websites score above a B — use this as an industry benchmark.
Communicate security posture to non-technical stakeholders with a single auditable metric backed by 8 components.
Vendor & Supply Chain Risk Assessment
Score vendor domains against minimum security thresholds (e.g., require grade B or above) before contract signing. Flag vendors missing critical headers such as CSP and HSTS, whose absence indicates weak security hygiene.
Data-driven vendor risk decisions — identify vendors with weak external security that could impact your supply chain.
Continuous Security Monitoring
Integrate security score checks into CI/CD pipelines and monitoring dashboards. Set alerts for score drops that indicate configuration drift, expired certificates, or security headers removed after deployments.
Catch security regressions within hours of deployment instead of waiting for the next quarterly audit cycle.
Compliance Evidence Collection
Map security score component breakdowns to specific compliance control requirements — TLS and certificate chain scores map to encryption controls, CSP and header scores map to application security controls. Use as automated evidence for NIST CSF, CIS Benchmark, PCI DSS, and SOC 2 audits.
Automated, repeatable compliance evidence that reduces audit preparation time and demonstrates continuous monitoring.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to calculate the security score for. Analysis is performed over HTTPS. Example: cloudflare.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The scored domain |
| score | number | Composite security score 0-100 (weighted sum of the 8 components) |
| grade | string | Letter grade: A+ (95-100), A (85-94), B (70-84), C (50-69), D (30-49), F (0-29) |
| breakdown | object | Component scores; each of the 8 factors has score, max, and details fields |
| breakdown.tls | object | TLS version and cipher strength (max 25 pts) |
| breakdown.headers | object | OWASP security headers presence (max 20 pts) |
| breakdown.dnssec | object | DNSSEC presence check via DNSKEY (max 10 pts) |
| breakdown.https | object | HTTPS redirect and HSTS preload eligibility (max 10 pts) |
| breakdown.cookies | object | Secure, HttpOnly, SameSite flags (max 10 pts) |
| breakdown.csp | object | Content Security Policy quality (max 10 pts) |
| breakdown.certChain | object | Certificate chain validity and expiry buffer (max 10 pts) |
| breakdown.waf | object | Web Application Firewall detection (max 5 pts) |
| gradeDescription | string | Human-readable description of the letter grade |
| componentCount | number | Number of security components evaluated (8) |
| recommendations | array | Prioritized improvement actions ranked by score impact |
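The continuous monitoring use case above (fail a pipeline on a score drop or a removed header) consumes exactly the fields in this table. The following is an added example of such a gate; it is not the project's own code. Both JSON documents are constructed to match the documented schema and are not real api.edgedns.dev output; in a pipeline the `after` document would be the JSON returned by the `requests.get` call shown under Code Examples, and `before` the response stored after the last known-good deployment.

```python
import copy
import json
import sys

# Added example of a deployment gate over the documented response fields; not
# the project's own code. Sample documents below are constructed to match the
# schema and are not real api.edgedns.dev responses.
COMPONENTS = ("tls", "headers", "dnssec", "https", "cookies", "csp", "certChain", "waf")
GRADE_ORDER = ("F", "D", "C", "B", "A", "A+")  # documented grade bands, worst to best


def component(score, max_pts, details):
    return {"score": score, "max": max_pts, "details": details}


BASELINE = {  # stored after the last known-good deployment
    "domain": "example.com", "score": 88, "grade": "A",
    "breakdown": {
        "tls": component(25, 25, "TLS 1.3, strong ciphers"),
        "headers": component(20, 20, "8 of 8 headers present"),
        "dnssec": component(10, 10, "DNSKEY present"),
        "https": component(10, 10, "redirect and preload-eligible HSTS"),
        "cookies": component(10, 10, "Secure, HttpOnly, SameSite on all cookies"),
        "csp": component(8, 10, "policy present, allows 'unsafe-inline'"),
        "certChain": component(5, 10, "chain valid, 12 days to expiry"),
        "waf": component(0, 5, "no WAF signature"),
    },
}

# A release that dropped the Content-Security-Policy header: the headers
# component loses one of eight entries and the CSP component goes to zero.
AFTER_DEPLOY = copy.deepcopy(BASELINE)
AFTER_DEPLOY["breakdown"]["headers"] = component(17.5, 20, "7 of 8 headers present")
AFTER_DEPLOY["breakdown"]["csp"] = component(0, 10, "no Content-Security-Policy header")
AFTER_DEPLOY.update(score=78, grade="B")


def grade_rank(grade):
    return GRADE_ORDER.index(grade)


def evaluate(after, before, min_grade="B"):
    """Hard-fail below min_grade; list every score or component that went down."""
    regressions = []
    if after["score"] < before["score"]:
        regressions.append(f"score {before['score']} -> {after['score']} "
                           f"(grade {before['grade']} -> {after['grade']})")
    for name in COMPONENTS:
        b, a = before["breakdown"][name], after["breakdown"][name]
        if a["score"] < b["score"]:
            regressions.append(f"{name}: {b['score']} -> {a['score']} of {a['max']}: {a['details']}")
    fail = grade_rank(after["grade"]) < grade_rank(min_grade)
    return {"fail": fail, "regressions": regressions}


if __name__ == "__main__":
    verdict = evaluate(AFTER_DEPLOY, BASELINE)
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["fail"] else 0)
```

With the constructed documents the grade (B) still meets the threshold, so the job passes, but three regressions are reported: the total score, the headers component, and the CSP component, each with the API's own `details` string so the reviewer sees what changed without re-running the scan. To treat any regression as blocking, make `fail` true when `regressions` is non-empty as well.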
Code Examples
cURL

```bash
# -G sends the -d payload as a query string on a GET request, matching the
# JavaScript and Python examples below (without -G, curl would POST it).
curl -G "https://api.edgedns.dev/v1/score/security" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=cloudflare.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/score/security?domain=cloudflare.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/score/security',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'cloudflare.com'}
)
response.raise_for_status()  # surface auth or quota errors instead of parsing an error body
data = response.json()
print(data)
```