Defaults.Exposed › Reports
The HTTP Security Header Report Card: How the Web Scores in 2026
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. Header checks are observed on responses we could reach. See how we grade.
HTTP security headers are among the cheapest defences on the web — a few lines of configuration, no cost — and the data shows they’re almost universally skipped. Across 261 million domains, only 4.03% set every core header correctly. Each header blocks a specific, real attack — clickjacking, content injection, protocol downgrade, referrer leakage — and each is missing from the large majority of sites.
The report card
Higher is better — the share of domains that set each header correctly. As of 2026-06-29:
| Header | What it stops | Domains that set it |
|---|---|---|
| HSTS (Strict-Transport-Security) | Downgrade from HTTPS to HTTP | 22.91% of HTTPS sites |
| Content-Security-Policy | Cross-site scripting / content injection | 8.87% |
| X-Frame-Options / frame-ancestors | Clickjacking | 14.48% |
| X-Content-Type-Options (nosniff) | MIME-type confusion attacks | 16.65% |
| Referrer-Policy | Leaking visitor URLs to third parties | 10.10% |
| All of the above (“secure by default”) | The full set | 4.03% |
Content-Security-Policy — the strongest defence against cross-site scripting — is the headline failure: only 8.87% of domains ship an effective one. And just 4.03% get the whole set right.
Why so low, when they’re free?
Headers aren’t installed by default by most servers and platforms, so they only appear when someone deliberately adds them. There’s no scary warning for missing them — unlike an expired certificate, a missing header is invisible to the site owner and to visitors, right up until it’s exploited. That invisibility is exactly why adoption sits in the single digits for the headers that matter most.
Which headers should I prioritise?
For most sites, in order:
- HSTS — once you’re on HTTPS, lock it in. Fix HSTS.
- Clickjacking protection — a one-line header that stops your pages being framed. Fix clickjacking.
- X-Content-Type-Options: nosniff and Referrer-Policy — trivial to add. MIME-sniffing · Referrer-Policy.
- Content-Security-Policy — the most powerful and the most work; worth doing carefully. Fix CSP.
Frequently asked questions
What are HTTP security headers? Instructions a server sends with each page telling the browser to enforce protections — block framing, refuse mixed content, restrict scripts. They’re free configuration, not software.
Why does only 4.03% of the web set them all? Because they’re opt-in and invisible. Nothing breaks or warns when they’re missing, so most sites never add them — until an attack exploits the gap.
Which is the most important header? HSTS and a Content-Security-Policy give the most protection. CSP is the strongest defence against cross-site scripting but takes the most care to deploy.
How do I see which headers my site is missing? Run a free, private check (below) — it lists each header and whether you set it.
Check your security headers free
See your full header report card — and exactly what to add — privately and owner-only.
Check your domain → · Fix CSP → · Fix HSTS → · How we grade → · Aggregate data only. Data stored and processed in the EU.