Developer API

Website Security Scanner API

Scan any domain's security posture — HTTPS, HSTS, CSP, SPF, DMARC, cookie flags, and more — and get a letter grade, a 0–100 score, and a structured list of findings back as JSON. One authenticated POST request.

Endpoint

POST https://nesqualtech.com/api/v1/security-scan

Send a JSON body with a single domain field. The scanner performs live, read-only DNS and HTTPS checks against that domain. Only scan domains you own or are authorized to test. The endpoint accepts cross-origin requests (CORS), so it can be called directly from browsers and agents.

Authentication

Every request must include your API key, either as a bearer token or an x-api-key header:

Authorization: Bearer nsk_your_api_key
# — or —
x-api-key: nsk_your_api_key

Keys start with nsk_ and are created and revoked from your dashboard settings. Keep them secret — treat a key like a password. A missing or invalid key returns 401.

Rate limits

Requests are rate limited per API key. When you exceed the limit the API responds with 429 Too Many Requests and a Retry-After header. Successful responses include X-RateLimit-Remaining and X-RateLimit-Reset headers so you can pace your requests.

Example request

curl -X POST https://nesqualtech.com/api/v1/security-scan \
  -H "Authorization: Bearer nsk_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'

Example response

{
  "domain": "example.com",
  "grade": "B",
  "score": 82,
  "findings": [
    {
      "id": "https",
      "title": "HTTPS enforced",
      "category": "transport",
      "status": "pass",
      "detail": "Site redirects HTTP to HTTPS."
    },
    {
      "id": "hsts",
      "title": "HSTS header",
      "category": "transport",
      "status": "warn",
      "detail": "Strict-Transport-Security missing max-age."
    }
  ],
  "resultUrl": "https://nesqualtech.com/security-scan/ab12cd34ef56"
}
  • grade — overall letter grade, A through F.
  • score — numeric score from 0 to 100.
  • findings — array of individual checks, each with an id, title, category, and status (pass, warn, or fail).
  • resultUrl — link to a shareable, human-readable result page for this scan.

Error responses

StatusMeaning
400Missing or invalid `domain`, or invalid JSON body.
401Missing, invalid, or revoked API key.
429Rate limit exceeded — retry after the window resets.
500Scan failed unexpectedly — safe to retry.

Ready to integrate?

Generate an API key and start scanning in minutes.

Get your API key

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy