Security headers, scores and vulnerability analysis across 765,536 websites
| Score Range | Websites | Percentage | Distribution |
|---|---|---|---|
| 0-20 | 488,704 | 63.9% | |
| 21-40 | 86,671 | 11.3% | |
| 41-60 | 59,217 | 7.7% | |
| 61-80 | 96,242 | 12.6% | |
| 81-100 | 34,091 | 4.5% |
| Security Header | Sites | Adoption Rate |
|---|---|---|
| Content-Security-Policy | 147,306 | 19.2% |
| Strict-Transport-Security | 211,992 | 27.7% |
| X-Frame-Options | 237,448 | 31.0% |
| X-Content-Type-Options | 230,965 | 30.2% |
The average website security score across 765,536 analyzed domains is 23.9/100, indicating significant room for improvement in web security practices. Only 4.5% of websites achieve an excellent security score above 80.
Content Security Policy (CSP) remains one of the least adopted security headers at 19.2%, despite being one of the most effective defenses against cross-site scripting (XSS) attacks. This low adoption rate suggests that many developers find CSP complex to implement correctly.
X-Content-Type-Options ("nosniff") has the highest adoption rate among security headers at 30.2%, likely due to its simplicity — it requires just a single header value and prevents MIME-type sniffing attacks.
These findings underscore the gap between security best practices and real-world implementation. While the tools and knowledge exist to secure websites, many organizations still lack the resources or awareness to implement comprehensive security measures.