Scan any domain's security posture — HTTPS, HSTS, CSP, SPF, DMARC, cookie flags, and more — and get a letter grade, a 0–100 score, and a structured list of findings back as JSON. One authenticated POST request.
POST https://nesqualtech.com/api/v1/security-scanSend a JSON body with a single domain field. The scanner performs live, read-only DNS and HTTPS checks against that domain. Only scan domains you own or are authorized to test. The endpoint accepts cross-origin requests (CORS), so it can be called directly from browsers and agents.
Every request must include your API key, either as a bearer token or an x-api-key header:
Authorization: Bearer nsk_your_api_key
# — or —
x-api-key: nsk_your_api_keyKeys start with nsk_ and are created and revoked from your dashboard settings. Keep them secret — treat a key like a password. A missing or invalid key returns 401.
Requests are rate limited per API key. When you exceed the limit the API responds with 429 Too Many Requests and a Retry-After header. Successful responses include X-RateLimit-Remaining and X-RateLimit-Reset headers so you can pace your requests.
curl -X POST https://nesqualtech.com/api/v1/security-scan \
-H "Authorization: Bearer nsk_your_api_key" \
-H "Content-Type: application/json" \
-d '{"domain": "example.com"}'{
"domain": "example.com",
"grade": "B",
"score": 82,
"findings": [
{
"id": "https",
"title": "HTTPS enforced",
"category": "transport",
"status": "pass",
"detail": "Site redirects HTTP to HTTPS."
},
{
"id": "hsts",
"title": "HSTS header",
"category": "transport",
"status": "warn",
"detail": "Strict-Transport-Security missing max-age."
}
],
"resultUrl": "https://nesqualtech.com/security-scan/ab12cd34ef56"
}grade — overall letter grade, A through F.score — numeric score from 0 to 100.findings — array of individual checks, each with an id, title, category, and status (pass, warn, or fail).resultUrl — link to a shareable, human-readable result page for this scan.| Status | Meaning |
|---|---|
| 400 | Missing or invalid `domain`, or invalid JSON body. |
| 401 | Missing, invalid, or revoked API key. |
| 429 | Rate limit exceeded — retry after the window resets. |
| 500 | Scan failed unexpectedly — safe to retry. |