Cipher Suites: a beginner's guide
Analyze TLS cipher suite configuration
Cipher suites: the secret handshake your server uses
A cipher suite is the specific combination of cryptographic algorithms a TLS connection uses to actually do its encryption work. Every TLS handshake involves the client and server negotiating a cipher suite from a list of options each side supports. The chosen cipher suite specifies four things at once: the key-exchange algorithm (how the two sides agree on a shared secret), the authentication algorithm (how the server proves its identity), the bulk encryption algorithm (how the actual data is encrypted), and the integrity algorithm (how each message is checked for tampering). The choice of cipher suite is one of the deepest, least visible parts of TLS — and one of the most-audited.
You should care because "we have HTTPS" does not mean "we use strong ciphers." A server can have a perfectly valid certificate, accept TLS 1.2, and still be configured to negotiate weak cipher suites with names like `RC4-SHA` or `3DES-CBC` — both of which are now considered broken or near-broken. Compliance frameworks (PCI-DSS, FIPS 140-2, NIST SP 800-52) all have specific cipher-suite requirements, and failing to meet them is one of the most common audit findings on otherwise well-configured servers. The good news is that modern web servers, run with default configurations, are usually fine. The bad news is that any custom or legacy configuration is suspect.
The five things every cipher-suite check looks at:
Are any explicitly weak ciphers enabled? RC4, 3DES, EXPORT-grade ciphers, NULL ciphers, anonymous Diffie-Hellman — all should be disabled.
Are forward-secret cipher suites preferred? "Forward secrecy" means that compromising the server's long-term key in the future does not retroactively decrypt past sessions. Modern best practice is to only offer forward-secret ciphers (the ones with `ECDHE` in the name).
Is AEAD encryption preferred? AEAD (Authenticated Encryption with Associated Data) ciphers like `AES-GCM` and `ChaCha20-Poly1305` are the modern standard. Older block-cipher modes like CBC are vulnerable to padding-oracle attacks.
Does the server have a sane preference order? When the client and server agree on multiple ciphers, the server's preference list decides which one wins.
Are TLS 1.3 cipher suites enabled? TLS 1.3 has a much shorter, simpler list of cipher suites — and they are all good ones by definition.
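As an added example (not EdgeDNS code), here is how the four components above and the weak-cipher, forward-secrecy and AEAD checks can be read straight off an IANA cipher suite name; the security levels are this example's own thresholds, not the endpoint's:

```python
import re
from dataclasses import dataclass, field

# Added example, not EdgeDNS code: split an IANA cipher suite name into the
# four parts the page describes and apply the weak-cipher, forward-secrecy and
# AEAD checks. The level thresholds are this example's own choices.

@dataclass
class CipherInfo:
    name: str
    protocol: str
    key_exchange: str
    authentication: str
    encryption: str
    mac: str
    is_aead: bool
    forward_secrecy: bool
    security_level: str          # recommended / secure / weak / insecure
    issues: list = field(default_factory=list)

# Substrings that mark a suite as insecure outright, and why.
INSECURE = {"NULL": "no encryption", "RC4": "RC4 is broken",
            "DES": "DES/3DES (64-bit block)", "EXPORT": "export-grade key size",
            "anon": "anonymous key exchange, server not authenticated",
            "MD5": "MD5 integrity"}

def classify(name: str) -> CipherInfo:
    if re.match(r"TLS_(AES|CHACHA20)_", name):
        # TLS 1.3 names carry only the AEAD cipher and hash: key exchange is
        # always ephemeral (EC)DHE and the certificate authenticates the server.
        enc, _, mac = name[4:].rpartition("_")
        return CipherInfo(name, "TLSv1.3", "ECDHE", "certificate", enc, mac,
                          True, True, "recommended")
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)_(SHA\d*|MD5)", name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx_auth, enc, mac = m.groups()
    parts = [p for p in kx_auth.split("_") if p != "EXPORT"]
    kx, auth = parts[0], parts[-1]           # plain "RSA" = static RSA does both
    fs = kx in ("ECDHE", "DHE")              # ephemeral keys => forward secrecy
    aead = any(t in enc for t in ("GCM", "CCM", "POLY1305"))
    issues = [why for marker, why in INSECURE.items() if marker in name]
    if not fs:
        issues.append("no forward secrecy: a leaked server key decrypts past traffic")
    if not aead:
        issues.append("CBC mode, padding-oracle exposure" if "CBC" in enc else "non-AEAD cipher")
    if any(marker in name for marker in INSECURE):
        level = "insecure"
    elif not (fs and aead):
        level = "weak"
    else:
        level = "recommended" if kx == "ECDHE" else "secure"
    # "TLSv1.2" here means "TLS 1.2 or earlier"; these names predate 1.3
    return CipherInfo(name, "TLSv1.2", kx, auth, enc, mac, aead, fs, level, issues)
```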
Three questions a cipher-suite audit answers:
Is my server still accepting weak cipher suites that compliance frameworks now forbid?
Am I offering forward secrecy on every session, or could a future key compromise decrypt old traffic?
Would my server pass a PCI-DSS or FIPS 140-2 review on the cipher-suite dimension?
The cost of running weak ciphers is the same as running deprecated TLS versions: compliance findings, security risk, and a poor security grade. The fix is a configuration change at the web server, often a single line. The most useful reference is the Mozilla SSL Configuration Generator, which produces a known-good cipher list for every common server.
The Cipher Suites endpoint, in plain language
In one sentence: Analyze TLS (Transport Layer Security) cipher suite configuration
Analyzes TLS (Transport Layer Security) cipher suite configuration for a domain by detecting the CDN/server infrastructure and reporting its known cipher suites. For sites behind Cloudflare, AWS CloudFront, Fastly, or Akamai, the endpoint returns the CDN (Content Delivery Network)'s published default cipher suite configuration. For other servers, it provides a Mozilla Intermediate reference profile. Each cipher is graded and classified with forward secrecy, AEAD support, security level, and Mozilla compatibility assessment.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Connects to the domain over TLS (Transport Layer Security), detects the CDN (Content Delivery Network) or server infrastructure from response headers, then reports the appropriate cipher suite profile. For detected CDNs (Cloudflare, CloudFront, Fastly, Akamai), it uses the CDN's published default cipher suites. Each cipher is classified by protocol version, key exchange, authentication, encryption, MAC, AEAD support, forward secrecy, security level (recommended/secure/weak/insecure), and includes the OpenSSL name for cross-referencing. Returns overall grade, Mozilla Modern/Intermediate compatibility, and actionable recommendations.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Cipher Suites tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Cipher suite configuration determines the actual encryption strength of TLS (Transport Layer Security) connections. Weak ciphers (RC4, DES, export ciphers) can be exploited even with modern TLS versions, and missing forward secrecy means a compromised server key decrypts all past traffic. Regular cipher auditing against Mozilla SSL (Secure Sockets Layer) Configuration Generator (modern/intermediate profiles) and NIST SP 800-52r2 is required for PCI-DSS and SOC 2 (Service Organization Control 2) compliance.
Picture this in real life. Imagine a security engineer. Here's the situation they're walking into: After configuring cipher suites, verify only strong ciphers are enabled and properly ordered. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Cipher Suites tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Cipher Suites tool is built for you:
Is my website encrypted properly, or are visitors going to see a scary browser warning?
Am I missing any of the security headers that modern browsers expect?
Could a known weakness on my site quietly be costing me trust, traffic, or compliance?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/domain/ciphers`.
When would I actually use this?
If you're still on the fence about whether the Cipher Suites tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a security engineer, an auditor, and a penetration tester — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Security Hardening Verification
Imagine you're a security engineer. After configuring cipher suites, verify only strong ciphers are enabled and properly ordered.
Why it matters: Confirm cipher hardening is effective and no weak ciphers remain.
Story 2: Compliance Assessment
Imagine you're an auditor. Verify cipher suite configuration meets compliance requirements (e.g., NIST guidelines).
Why it matters: Document cipher compliance for regulatory audits.
Story 3: Vulnerability Assessment
Imagine you're a penetration tester. Identify weak cipher suites that could be exploited in downgrade attacks.
Why it matters: Find cryptographic weaknesses during security assessments.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Cipher Suites tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
After every site redesign or platform migration.
Before a penetration test, security review, or vendor questionnaire.
When your SSL certificate is about to expire and you want to confirm the renewal worked.
On a recurring monthly schedule, so you catch new issues before attackers do.
If you can see yourself in even one of those bullets, the Cipher Suites tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Cipher Suites tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Cipher Suites tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```shell
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/ciphers?domain=example.com"
```
What you need to provide
You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to analyze cipher suites for | example.com |
| port | number | Optional | Port to connect to (default: 443) | 443 |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| port | number | The port used for connection |
| overallGrade | string | Overall cipher suite security grade (A+ through F) |
| ciphers | array | Cipher suites with name, grade, protocol, openSslName, keyExchange, authentication, encryption, mac, isAEAD, forwardSecrecy, securityLevel, keySize, and issues |
| bestCipher | string | Name of the strongest cipher suite |
| worstCipher | string | Name of the weakest cipher suite |
| issues | array | Security issues found with the cipher configuration |
| recommendations | array | Actionable cipher suite improvement suggestions |
| serverInfo | object | Detected CDN (Content Delivery Network) and server information (CDN, server) |
| analysisMethod | string | How the cipher data was obtained: CDN-detected or reference |
| tlsVersions | array | TLS (Transport Layer Security) versions supported by the cipher profile |
| supportsForwardSecrecy | boolean | Whether any cipher provides perfect forward secrecy |
| supportsAEAD | boolean | Whether any cipher uses authenticated encryption (AEAD) |
| mozillaCompatibility | object | Compatibility with Mozilla Modern and Intermediate TLS (Transport Layer Security) profiles |
| count | number | Total number of cipher suites |
| timestamp | string | ISO 8601 timestamp of the analysis |
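As an added example (not EdgeDNS code), here is a small pass/fail gate that reads a response in the shape above and raises the findings the five checks on this page ask about. The response is a constructed sample; the key names inside mozillaCompatibility ("modern", "intermediate") are an assumption, since the page does not list them.

```python
import json

# Added example, not EdgeDNS code. SAMPLE is a constructed response in the
# documented shape; the mozillaCompatibility keys are an assumption.
SAMPLE = json.loads("""{
  "domain": "example.com", "port": 443, "overallGrade": "B",
  "ciphers": [
    {"name": "TLS_RSA_WITH_AES_128_CBC_SHA", "grade": "C",
     "securityLevel": "weak", "forwardSecrecy": false, "isAEAD": false},
    {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "grade": "A",
     "securityLevel": "recommended", "forwardSecrecy": true, "isAEAD": true},
    {"name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "grade": "F",
     "securityLevel": "insecure", "forwardSecrecy": false, "isAEAD": false}
  ],
  "bestCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "worstCipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
  "supportsForwardSecrecy": true, "supportsAEAD": true,
  "mozillaCompatibility": {"modern": false, "intermediate": false},
  "analysisMethod": "reference"
}""")

def audit(resp: dict) -> list[str]:
    """Return the findings a compliance review would raise; an empty list is a pass."""
    findings = []
    ciphers = resp.get("ciphers", [])
    # 1. Explicitly weak or insecure suites still enabled
    for c in ciphers:
        if c.get("securityLevel") in ("weak", "insecure"):
            findings.append(f"{c['securityLevel']}: {c['name']}")
    # 2./3. supportsForwardSecrecy / supportsAEAD are true if ANY suite has the
    # property; a session can still negotiate a suite without it, so check all.
    if not all(c.get("forwardSecrecy") for c in ciphers):
        findings.append("some suites lack forward secrecy")
    if not all(c.get("isAEAD") for c in ciphers):
        findings.append("some suites are not AEAD")
    # 4. Preference order (assumes the array is in server preference order)
    if ciphers and ciphers[0]["name"] != resp.get("bestCipher"):
        findings.append("preference order: strongest suite is not listed first")
    if not resp.get("mozillaCompatibility", {}).get("intermediate"):
        findings.append("does not meet the Mozilla Intermediate profile")
    # A "reference" profile was not observed from the server itself
    if resp.get("analysisMethod") == "reference":
        findings.append("reference profile only; confirm against the live server")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FAIL", f)
```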
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
CDN (Content Delivery Network) — A worldwide network of servers that store copies of your website close to your visitors so pages load fast.
SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.
TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.
SOC 2 (Service Organization Control 2) — A widely used security audit. Proves to customers that you handle their data responsibly.