Enterprise | Security Engineer / Compliance Officer

Security Compliance Auditing

Automate security posture assessments for SOC 2 and ISO 27001

Security audits require evidence of proper security controls. EdgeDNS automates the collection of security configuration data across your domains.

The Challenge

Manual security assessments are time-consuming and error-prone. Compliance frameworks like SOC 2 and ISO 27001 require documented evidence of security controls including HTTPS enforcement, security headers, and DNS security.

The Solution

Automate security posture assessment using EdgeDNS APIs. Verify security headers, SSL/TLS configuration, and DNSSEC status — including full cryptographic verification of the DS digest ([RFC 4034 §5.1.4](https://datatracker.ietf.org/doc/rfc4034/)) and RRSIG signatures (RSA-SHA256/512, ECDSA P-256/P-384, Ed25519). Cross-reference CAA policy ([RFC 8659](https://datatracker.ietf.org/doc/rfc8659/)) against Certificate Transparency logs ([RFC 6962](https://datatracker.ietf.org/doc/rfc6962/)) to detect mis-issued certificates — exactly the threat CAA was designed to prevent. Generate comprehensive scores for audit evidence.

Endpoints Used

Combine these EdgeDNS endpoints to build this solution.

GET
/v1/security/headers

Security Headers: Audit CSP, HSTS, X-Frame-Options, and other headers

GET
/v1/domain/ssl

SSL Certificates: Verify certificate validity and issuer

GET
/v1/dns/dnssec

DNSSEC Check: Cryptographic DNSSEC validation with DS digest verification (RFC 4034 §5.1.4), RRSIG signature verification (RFC 5702 / 6605 / 8080) and expiration tracking

GET

CAA Records: CAA policy plus CT-log cross-reference (RFC 6962) — detects certificates issued by CAs not in the CAA allowlist

GET
/v1/domain/hsts

HSTS Check: Verify HSTS policy and preload status

GET
/v1/score/security

Security Score: Get an overall security grade with breakdown

Results You Can Achieve

Audit-evidence collection in a single API call

Replace the SOC 2 / ISO 27001 evidence pass that typically takes a day per scope with a programmatic header-and-config snapshot dated for auditor review.

Cryptographic DNSSEC validation, not just record-presence

The DNSSEC endpoint computes the DS digest from your published DNSKEY and verifies RRSIG signatures locally — the same math a validating resolver does. It surfaces the exact failure mode (e.g., "DS at registrar doesn't match KSK", "RRSIG covering DNSKEY failed verification") so remediation is concrete.

CAA + Certificate Transparency cross-reference

Most monitoring tools either check CAA or watch CT, not both. EdgeDNS detects when a domain's published CAA allows only one CA but CT logs show issuance by a different CA — the exact misissuance scenario CAA was designed to catch.

Daily continuous-compliance re-scans

Catch a regression the same day it ships, not the week before the audit. Pro runs daily; Enterprise on the hour.

Unlimited score history on Enterprise

90-day retention on Developer, 360-day on Pro, unlimited on Enterprise — long enough to chart annual posture trending without an external SIEM.

Code Example

Generate security audit report

```javascript
// Domains in scope for the audit and the bearer token for the EdgeDNS API
const domains = ['app.example.com', 'api.example.com', 'www.example.com'];
const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };

// Fetch one endpoint, fail loudly on a non-2xx status, and return the parsed JSON
// (storing the raw Response object would leave the body unread).
async function getJson(url) {
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`${url} returned HTTP ${res.status}`);
  return res.json();
}

// Query the four endpoints for every domain in parallel (top-level await needs an ES module)
const auditResults = await Promise.all(
  domains.map(async (domain) => {
    const [secHeaders, ssl, dnssec, score] = await Promise.all([
      getJson(`https://api.edgedns.dev/v1/security/headers?url=https://${domain}`),
      getJson(`https://api.edgedns.dev/v1/domain/ssl?domain=${domain}`),
      getJson(`https://api.edgedns.dev/v1/dns/dnssec?domain=${domain}`),
      getJson(`https://api.edgedns.dev/v1/score/security?domain=${domain}`),
    ]);
    return { domain, secHeaders, ssl, dnssec, score };
  })
);
```


Ready to build Security Compliance Auditing?

Get started with 200 free API requests per month. No credit card required.
