Website Security Audit API — Tech Stack, SSL, Headers

You want to check a site's security posture — maybe for a client report, a competitor review, or an automated monitoring pipeline. Doing it manually means four separate tools, a spreadsheet, and 20 minutes. Here it's one POST call.

What a security audit actually checks

A useful security audit covers more than just "is SSL on?" Here's what Slopshop's audit template checks, in a single request:

SSL Certificate
  • Valid and not expired
  • Days until expiry
  • Issuer and chain
  • TLS version (1.2 / 1.3)
  • Certificate transparency
HTTP Security Headers
  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy
Tech Stack
  • Server software and version
  • CDN / proxy detection
  • Framework fingerprinting
  • CMS detection
  • Version disclosure checks
Performance + Reachability
  • Response time (ms)
  • HTTP status code
  • Redirect chain
  • IPv6 support
  • DNSSEC status

The API call

Run a security audit (curl)
curl -X POST https://slopshop.gg/v1/agent/template/security-audit \
  -H "Authorization: Bearer demo_key_slopshop" \
  -H "Content-Type: application/json" \
  -d '{"domain": "stripe.com"}'

Real example output — stripe.com

stripe.com audit response (JSON)
{
  "ok": true,
  "domain": "stripe.com",
  "score": 94,
  "grade": "A",

  "ssl": {
    "valid": true,
    "issuer": "DigiCert Inc",
    "expires": "2026-08-14",
    "days_remaining": 141,
    "tls_version": "TLSv1.3",
    "grade": "A+"
  },

  "headers": {
    "strict_transport_security": {
      "present": true,
      "value": "max-age=63072000; includeSubDomains; preload"
    },
    "content_security_policy": {
      "present": true,
      "value": "default-src 'self' ..."
    },
    "x_frame_options": {
      "present": true,
      "value": "SAMEORIGIN"
    },
    "x_content_type_options": {
      "present": true,
      "value": "nosniff"
    },
    "referrer_policy": {
      "present": true,
      "value": "strict-origin-when-cross-origin"
    },
    "permissions_policy": {
      "present": true
    }
  },

  "tech_stack": {
    "server": "nginx",
    "cdn": "Cloudflare",
    "version_disclosed": false,
    "fingerprint": ["nginx", "Cloudflare", "Next.js"]
  },

  "performance": {
    "response_time_ms": 87,
    "status_code": 200,
    "redirects": 0,
    "ipv6": true
  },

  "findings": [],
  "credits_used": 23,
  "_engine": "real"
}
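For a monitoring pipeline, the response can be checked against your own baseline instead of relying on the single score. The following is an added example, not Slopshop's code: the field names follow the sample response above, while the thresholds, the function name `evaluate_audit` and the constructed `SAMPLE` input are assumptions.

```python
import re

# Assumed policy thresholds (not from the API): tune to your own baseline.
MIN_CERT_DAYS = 30
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds
REQUIRED_HEADERS = (
    "strict_transport_security", "content_security_policy",
    "x_frame_options", "x_content_type_options",
    "referrer_policy", "permissions_policy",
)

def evaluate_audit(audit):
    """Return a list of policy violations for one audit response dict."""
    if not audit.get("ok"):
        return ["audit did not complete (ok != true)"]
    problems = []
    ssl = audit.get("ssl", {})
    if not ssl.get("valid"):
        problems.append("certificate invalid")
    days = ssl.get("days_remaining")
    if days is None or days < MIN_CERT_DAYS:
        problems.append(f"certificate expires in {days} days")
    if ssl.get("tls_version") not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"weak TLS version: {ssl.get('tls_version')}")
    headers = audit.get("headers", {})
    for name in REQUIRED_HEADERS:
        if not headers.get(name, {}).get("present"):
            problems.append(f"missing header: {name}")
    # A present HSTS header with a short or unparsable max-age still fails.
    hsts = headers.get("strict_transport_security", {}).get("value", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if hsts and (m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE):
        problems.append("HSTS max-age below one year")
    if audit.get("tech_stack", {}).get("version_disclosed"):
        problems.append("server version disclosed")
    return problems

# Constructed sample in the response shape above, with weaknesses added.
SAMPLE = {
    "ok": True, "domain": "example.test",
    "ssl": {"valid": True, "days_remaining": 12, "tls_version": "TLSv1.2"},
    "headers": {
        **{h: {"present": True} for h in REQUIRED_HEADERS},
        "strict_transport_security": {"present": True, "value": "max-age=300"},
        "content_security_policy": {"present": False},
    },
    "tech_stack": {"server": "nginx", "version_disclosed": True},
}

if __name__ == "__main__":
    print("\n".join(evaluate_audit(SAMPLE)) or "no violations")
```

A non-empty return value is the signal to fail a CI job or raise an alert; an empty list means the domain met the assumed baseline.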

Score breakdown

stripe.com security score: 94
  • SSL / TLS: 25 / 25
  • HSTS: 20 / 20
  • Security headers: 30 / 30
  • Version disclosure: 10 / 10
  • Response time: 9 / 10
  • Total: 94 / 100 · Grade A

Practical uses

Batch audits

To audit a list of domains, use the batch endpoint. Pass an array of domains, get an array of results. Each domain costs 23 credits.

Batch audit — multiple domains (curl)
curl -X POST https://slopshop.gg/v1/agent/template/security-audit/batch \
  -H "Authorization: Bearer demo_key_slopshop" \
  -H "Content-Type: application/json" \
  -d '{
    "domains": ["github.com", "vercel.com", "railway.app"],
    "include_findings": true
  }'

# Returns an array of audit results.
# Total: 3 domains × 23 credits = 69 credits.

Pricing

Security audits cost 23 credits per domain. You get 500 free credits on signup — that's 86 full audits before you pay anything. After that, 10,000 credits for $9. See full pricing.

Run your first audit

23 credits per audit. 500 free on signup. Takes about 3 seconds.

$ npm install -g slopshop
$ slopshop signup
$ slopshop audit yourdomain.com
✓ Audit complete. Score: 87 / 100