Firstly I should say thanks for having a separate forum for Content Delivery API.
We are using Content Delivery API and our client security team asked us about the security protocol being used in the API (what kind of encryption does EpiServer use, is it TLS 1.0 / TLS1.2 etc)
Unless I've misunderstood what you're after, that sounds more like an infrastructure question than an Episerver one as the https protocol version is negotiated between the browser and the server, not the application. If Episerver handles your infrastructure via DXP, SSL is handled through CloudFlare who are pretty on-the-ball when it comes to the latest updates in security though what's supported will depend on configuration. In some configurations you can disable older SSL/TLS protocols which have known security issues leaving just TLS 1.2 and 1.3 (as required for certain levels of PCI compliance) but it's something you'd probably need to check with Episerver support. If you're hosting it yourself, it will entirely depend on how the servers/CDN have been configured.
Thanks for the explanation Paul. We are using DXP hosting. My thought was same that it would probably be Cloudfare where encryption is handled. I thought however it would be better to see if anyone had further information on it.