We scanned over 10,000 of the world’s most-visited websites during February 2026 and recorded every security header in their HTTP responses. The goal: measure how widely the web has adopted CSP, HSTS, and other browser security mechanisms that are supposed to be standard practice.
The short version? Adoption is uneven. Basic headers like X-Content-Type-Options are deployed on most major sites. Content-Security-Policy — the single most impactful defense against XSS — still lags behind.
The OWASP Secure Headers Project ranks Content-Security-Policy and Strict-Transport-Security among the most critical HTTP response headers for defending against injection and man-in-the-middle attacks. Mozilla built the HTTP Observatory specifically to measure these headers and push the web toward broader adoption. Our study uses an Observatory-compatible scoring methodology to see where things stand in 2026.
Key findings
Overall adoption rates
How common is each security header across the top 10,000 websites? This chart shows the percentage of successfully scanned sites that return each header in their HTTP response.
The gap between the most-adopted header and the least-adopted tells the story. Basic headers that have been around for over a decade see broad deployment. Newer cross-origin isolation headers remain rare, which reflects the complexity of deploying them without breaking existing functionality.
CSP deep dive
Content-Security-Policy is the most complex and most powerful security header. Among sites that do deploy CSP, how are they configuring it?
The unsafe-inline number is the standout finding here. A large share of sites that bother deploying CSP then undermine it by allowing inline scripts. This is often a pragmatic concession: retrofitting CSP onto an existing codebase full of inline event handlers and script blocks takes real engineering effort. But an injected inline <script> is exactly what an XSS attacker supplies, so a script-src that allows 'unsafe-inline' without a nonce or hash reduces CSP from a strong XSS defense to little more than a restriction on where external scripts may be loaded from.
Nonce-based and strict-dynamic approaches represent the modern best practice, but adoption of these techniques remains limited even among sites that have CSP. They also fit the retrofit case better than is often assumed: once a nonce or hash appears in script-src, browsers that understand it ignore 'unsafe-inline', so the keyword can stay as a fallback for old browsers without weakening modern ones.
HSTS analysis
Strict-Transport-Security tells a browser that has seen the header once over HTTPS to use HTTPS for every later request to that host, for max-age seconds, and to refuse to click through certificate errors in the meantime. But the devil is in the directives: a short max-age, a missing includeSubDomains, or an absent preload flag each weaken the protection.
The preload directive is worth watching. HSTS preloading submits the domain to the preload lists shipped inside browsers, so even the very first visit uses HTTPS and the trust-on-first-use downgrade window disappears. Eligibility requires a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload token itself. Inclusion is also hard to undo: removal propagates only with browser releases, so a preloaded domain commits every subdomain to HTTPS for the long term.
Grade distribution
Each site earns an Observatory-compatible score starting from 100, with modifiers applied per security test. The final score maps to a 13-point grade scale.
Adoption by site rank
Do higher-ranked (more popular) websites implement more security headers? We broke the results into rank tiers to find out.
2023 vs 2026: has the web gotten safer?
In 2024, Ruge et al. published a study scanning 3,195 globally popular websites using Mozilla Observatory. Their findings paint a bleak picture of the web’s security posture in late 2023. How does our 2026 scan of 10,000 sites compare?
The 2023 study found an average Observatory score of just 26.21 and a zero-score rate of 32.71%. Observatory scores floor at 0, so a zero means the penalties for missing or misconfigured headers added up to 100 or more: nearly one-third of websites had effectively no security headers at all. The question is whether two years of browser vendor pressure, framework defaults, and CDN improvements have moved the needle.
Information leakage
Beyond missing security headers, we also checked for headers that reveal implementation details an attacker can use for reconnaissance.
Related Research
Curious how the open-source tools behind these security headers are doing? We analyzed GitHub data for 65 AppSec projects — health scores, star counts, contributor trends, and at-risk projects.
Read: State of Open Source AppSec Tools 2026 →
Check Your Own Headers
Want to see how your site scores? Our free Security Headers Checker runs the same Observatory-compatible tests used in this study — with full scoring and remediation guidance.
Methodology
Full transparency on how we collected and analyzed this data.
Data source. The Tranco Top Sites list, a research-grade domain ranking that aggregates data from multiple ranking providers. We used the top 10,000 domains.
Collection method. For each domain, we sent an HTTPS HEAD request with a 10-second timeout and recorded all HTTP response headers. Requests followed redirects and used a 500ms delay between sites to avoid overwhelming any single provider.
Scan date. February 2026.
Success rate. Not all 10,000 domains respond to HEAD requests. Some are infrastructure domains (DNS providers, CDN backends), others block automated requests, and some simply time out. Our analysis uses only sites that returned a valid HTTP response.
Headers tracked:
- Scored (10 headers): Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Permissions-Policy, Referrer-Policy, X-XSS-Protection, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy
- Information leakage: Server, X-Powered-By, Content-Security-Policy-Report-Only
CSP parsing. For sites with a Content-Security-Policy header, we parsed individual directives and checked for the presence of default-src, script-src, unsafe-inline, unsafe-eval, nonce values, and strict-dynamic. Report-only CSP was tracked separately.
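The CSP checks described in the deep dive and in this parsing step, as an added example in Python (this is not the study's scanner code). Besides the flags the study tracks, it applies two rules from the CSP specification that a plain substring search misses: script-src falls back to default-src when absent, and a nonce or hash source makes browsers ignore 'unsafe-inline' (with 'strict-dynamic' likewise making them ignore host allowlists). The sample policies and the level names are constructed for this example.

```python
"""Added example (not the study's scanner code): parse a Content-Security-Policy
header and classify how well its script policy resists XSS.

Performs the checks the methodology lists (default-src, script-src,
'unsafe-inline', 'unsafe-eval', nonce values, 'strict-dynamic') and applies
two rules from the CSP specification that a substring search misses:
  * script-src falls back to default-src when absent, and to "anything goes"
    when both are absent;
  * once a nonce or hash source is present, browsers that understand nonces
    ignore 'unsafe-inline', and 'strict-dynamic' makes them ignore host
    allowlists, so those keywords become fallbacks for old browsers only.
The sample policies and level names below are constructed for the example.
"""
from __future__ import annotations

import re

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
HASH_RE = re.compile(r"^'(?:sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")
BROAD_SOURCES = {"*", "http:", "https:", "data:"}   # any host may serve script


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token is the (case-insensitive)
    name, the rest are sources. Only the first occurrence of a directive is
    kept, which is how browsers treat duplicates."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Sources governing <script>: script-src, else default-src, else None
    (no restriction on scripts at all)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def classify_csp(header: str) -> dict:
    """Return the flags the study tracks plus an overall level:
    none < weak < allowlist < nonce-or-hash < strict."""
    policy = parse_csp(header)
    sources = effective_script_sources(policy)
    if sources is None:
        return {"level": "none", "unsafe_inline": False, "unsafe_eval": False,
                "nonce": False, "strict_dynamic": False}
    lowered = {s.lower() for s in sources}
    has_nonce = any(NONCE_RE.match(s) for s in sources)
    has_hash = any(HASH_RE.match(s) for s in sources)
    strict_dynamic = "'strict-dynamic'" in lowered
    unsafe_inline = "'unsafe-inline'" in lowered
    # A nonce or hash makes 'unsafe-inline' inert in browsers that support CSP 2+.
    inline_effective = unsafe_inline and not (has_nonce or has_hash)

    if (has_nonce or has_hash) and strict_dynamic:
        level = "strict"          # host sources are ignored in this mode
    elif inline_effective or lowered & BROAD_SOURCES:
        level = "weak"            # injected inline or any-host script runs
    elif has_nonce or has_hash:
        level = "nonce-or-hash"
    elif lowered == {"'none'"}:
        level = "strict"          # no script may run at all
    else:
        level = "allowlist"       # host/self list, no inline
    return {"level": level, "unsafe_inline": unsafe_inline,
            "unsafe_eval": "'unsafe-eval'" in lowered,
            "nonce": has_nonce, "strict_dynamic": strict_dynamic}


# Constructed sample policies covering the cases the article discusses.
SAMPLES = {
    "retrofit": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                "'unsafe-eval' https://cdn.example.com",
    "default-only": "default-src 'self'; img-src *",
    "nonce-with-fallback": "script-src 'nonce-cGFzc3dvcmQ' 'unsafe-inline' 'self'",
    "strict": "script-src 'nonce-cGFzc3dvcmQ' 'strict-dynamic' 'unsafe-inline' "
              "https:; object-src 'none'; base-uri 'none'",
    "framing-only": "frame-ancestors 'none'",
}


def audit(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Level per sample: the per-site result a scanner would tally."""
    return {name: classify_csp(policy)["level"] for name, policy in samples.items()}


if __name__ == "__main__":
    for name, level in audit().items():
        print(f"{name:22s} {level}")
```

Note that the "strict" sample still contains 'unsafe-inline' and https:, yet classifies as strict: that is the recommended deployment pattern, where those sources exist only for browsers too old to understand nonces and 'strict-dynamic'. A scanner that merely greps for 'unsafe-inline' would count that site as misconfigured.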
HSTS parsing. For sites with Strict-Transport-Security, we extracted the max-age value and checked for includeSubDomains and preload directives.
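The HSTS parsing step, together with the directive checks from the HSTS analysis section, as an added Python example (not the study's scanner code). It follows RFC 6797 syntax rules a naive split misses: max-age is mandatory, a duplicated directive invalidates the whole header, unknown directives are ignored, and max-age=0 clears the policy. The six-month and one-year thresholds are the Observatory short-max-age cutoff and the browser preload minimum; the sample headers are constructed.

```python
"""Added example (not the study's scanner code): parse a
Strict-Transport-Security header and assess it against the thresholds the
article uses.

RFC 6797: directives are ';'-separated and case-insensitive; max-age is
required; a user agent ignores the whole header if it is malformed or a
directive is repeated; unknown directives are ignored; max-age=0 tells the
browser to forget the policy. Sample headers are constructed.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000      # browser preload-list minimum
SIX_MONTHS = 15_768_000    # Observatory "short max-age" cutoff


def _result(max_age, include_subdomains, preload, assessment) -> dict:
    eligible = (assessment == "ok" and max_age >= ONE_YEAR
                and include_subdomains and preload)
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload, "assessment": assessment,
            "preload_eligible": eligible}


def parse_hsts(header: str) -> dict:
    """Return directive values plus an assessment:
    invalid (browser ignores it), disabled, short (< 6 months) or ok."""
    max_age: int | None = None
    seen: set[str] = set()
    include_subdomains = preload = False
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age may be a quoted-string
        if name in seen:                   # duplicate directive: whole header ignored
            return _result(None, False, False, "invalid")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return _result(None, False, False, "invalid")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored, as the RFC requires
    if max_age is None:
        return _result(None, include_subdomains, preload, "invalid")
    if max_age == 0:
        assessment = "disabled"
    elif max_age < SIX_MONTHS:
        assessment = "short"
    else:
        assessment = "ok"
    return _result(max_age, include_subdomains, preload, assessment)


# Constructed samples.
SAMPLES = {
    "preloadable": "max-age=63072000; includeSubDomains; preload",
    "root-only":   "max-age=31536000; preload",
    "short":       "max-age=86400",
    "disabled":    "max-age=0; includeSubDomains",
    "no-max-age":  "includeSubDomains; preload",
}


def assess_all(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    return {name: parse_hsts(h)["assessment"] for name, h in samples.items()}


if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:12s} {parse_hsts(h)}")
```

The "root-only" sample is the common near-miss: a one-year max-age and a preload token, but without includeSubDomains the domain is not eligible for the preload list, and an http:// subdomain remains a downgrade target.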
Grading system. We use a scoring method compatible with the Mozilla HTTP Observatory. Each site starts at a base score of 100. Individual tests apply modifiers:
| Test | Penalty range | Bonus range |
|---|---|---|
| CSP | -25 (missing/misconfigured) | +5 to +10 (strong policy) |
| HSTS | -20 (missing) to -10 (short max-age) | +5 (preloaded) |
| X-Frame-Options | -20 (missing) | +5 (via CSP frame-ancestors) |
| X-Content-Type-Options | -5 (missing) | 0 |
| Referrer-Policy | -5 (unsafe) | +5 (strict) |
| X-XSS-Protection | -5 (invalid) | 0 |
| Redirection | -20 (no HTTPS redirect) | 0 |
Bonus points are only added if the base score (before bonuses) is at least 90, following the Observatory’s extra-credit gating rule. The final score maps to a 13-point grade scale: A+ (100+), A (90-99), A- (85-89), B+ (80-84), B (70-79), B- (65-69), C+ (60-64), C (50-59), C- (45-49), D+ (40-44), D (30-39), D- (25-29), F (0-24).
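The scoring arithmetic just described, as an added Python example (not the study's own code). Each test's outcome is supplied as an already-decided modifier taken from the table above, so the block shows only the rules: sum penalties from 100, floor at 0, add bonus points only when the pre-bonus score is at least 90, then map to the 13-grade scale. The sample result sets are constructed and the test names are this example's own labels.

```python
"""Added example (not the study's code): Observatory-style score and grade
computation from the modifiers in the article's table.

Tests a HEAD-only scan cannot run (cookies, SRI, CORS) are simply absent
from a site's modifier dict, which is the same as scoring them 0.
Sample result sets are constructed.
"""
from __future__ import annotations

GRADE_SCALE = [
    (100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"), (65, "B-"),
    (60, "C+"), (50, "C"), (45, "C-"), (40, "D+"), (30, "D"), (25, "D-"), (0, "F"),
]

# Penalties from the table for a site that sets nothing and never redirects.
MISSING = {"csp": -25, "hsts": -20, "x-frame-options": -20,
           "x-content-type-options": -5, "redirection": -20}


def grade_for(score: int) -> str:
    for threshold, grade in GRADE_SCALE:
        if score >= threshold:
            return grade
    return "F"


def score_site(modifiers: dict[str, int]) -> dict:
    """modifiers maps a test name to its signed modifier for this site."""
    penalties = sum(m for m in modifiers.values() if m < 0)
    bonuses = sum(m for m in modifiers.values() if m > 0)
    base = max(0, 100 + penalties)                     # scores floor at 0
    final = base + bonuses if base >= 90 else base     # extra-credit gating
    return {"base": base, "final": final, "grade": grade_for(final),
            "bonus_applied": base >= 90 and bonuses > 0}


def grade_distribution(sites: dict[str, dict[str, int]]) -> dict[str, int]:
    """Count of sites per grade, the figure the article's chart reports."""
    dist: dict[str, int] = {}
    for mods in sites.values():
        g = score_site(mods)["grade"]
        dist[g] = dist.get(g, 0) + 1
    return dist


# Constructed sites.
SAMPLES = {
    # nothing set: 100 - 90 = 10, grade F (even without cookie/SRI penalties)
    "bare": dict(MISSING),
    # everything present, but CSP allows inline: +15 of bonuses earned and gated off
    "retrofit-csp": {"csp": -25, "hsts": +5, "x-frame-options": +5,
                     "referrer-policy": +5},
    # two minor gaps leave the base at exactly 90, so the bonuses count
    "nearly-there": {"x-content-type-options": -5, "referrer-policy": -5,
                     "hsts": +5, "x-frame-options": +5},
    "strong": {"csp": +10, "hsts": +5, "x-frame-options": +5,
               "referrer-policy": +5},
}


if __name__ == "__main__":
    for name, mods in SAMPLES.items():
        print(f"{name:14s} {score_site(mods)}")
    print(grade_distribution(SAMPLES))
```

The "retrofit-csp" and "nearly-there" samples show why the gating rule matters for the grade distribution: a single -25 CSP penalty wipes out 15 points of earned bonuses and lands the site at B, while a site with two -5 gaps and the same bonuses ends at A+.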
Tests not included. Three Observatory tests require a full GET request with HTML body and cookie analysis: Cookies, Subresource Integrity (SRI), and CORS. Our batch scanner uses HEAD requests and assigns these tests a neutral score of 0. This means our scores are generally more favorable than a full Observatory scan — sites that mishandle cookies or lack SRI would score lower in a complete assessment.
2023 baseline. The comparison data comes from Ruge et al. (2024), who scanned 3,195 websites using the full Mozilla Observatory in late 2023. Their study includes cookie and SRI scoring, so direct grade comparisons should account for this methodological difference.
Limitations.
- HEAD requests may return different headers than GET requests on some servers. A small number of sites may be miscounted due to this difference.
- We scanned only the root domain (e.g., https://example.com), not subdomains or specific paths. Header configurations can vary across different endpoints on the same domain.
- The Tranco list skews toward popular global sites and underrepresents smaller regional websites. Results should not be generalized to the entire web.
- CDN and hosting provider defaults heavily influence results. A large share of header adoption may reflect provider configuration rather than deliberate security decisions by site operators.
- Cookies, SRI, and CORS are scored as neutral (0) due to HEAD request limitations. A full Observatory scan would likely produce lower scores for many sites.