Original Research · April 2026

The State of Web Security 2026

What we found after automatically scanning 500 websites in early 2026. Security headers, TLS configuration, cookies, exposed files, and OWASP findings with real adoption benchmarks.

12 min read · By ismycodesafe.com Security Team

TL;DR

  • 67% of sites have no Content-Security-Policy. The single most effective XSS defense is missing on two out of three websites.
  • Only 15% of sites earn a grade of A or B. 62% earn a D or F — meaning 5+ critical findings on the default configuration.
  • 44% ship JavaScript libraries with known CVEs — jQuery < 3.5, Bootstrap < 4.6, and Angular 1.x are the most common offenders.
  • 3% of sites expose their .env file — leaking API keys, database passwords, and third-party secrets.

Key Findings at a Glance

  • 67% missing Content-Security-Policy
  • 41% missing HSTS
  • 52% cookies without SameSite
  • 9% still allow TLS 1.0 / 1.1
  • 14% exposed admin panels
  • 3% publicly readable .env file
  • 44% outdated JS libraries with CVEs
  • 3.7 avg OWASP categories per site

Methodology

Between January and April 2026, ismycodesafe.com scanned 500 publicly accessible websites using 160+ automated passive checks. Each scan verified SSL/TLS, HTTP security headers, cookie flags, DNS security (SPF/DMARC/DKIM), open ports, exposed files, technology stack, and CVE matches against NVD and OSV.

All scans are non-intrusive — no exploitation, no authentication bypass, no brute force. Each site received an A–F security grade based on the weighted aggregate of its findings.

The underlying scanner is available to anyone at ismycodesafe.com — you can reproduce these checks on your own site in 30 seconds.

Security Grade Distribution

Only 15% of sites earn an A or B. The distribution skews heavily toward D and F grades — largely driven by missing security headers and outdated JavaScript libraries.

Grade   Share of sites
A       4%
B       11%
C       23%
D       31%
F       31%

HTTP Security Headers

Security headers are the cheapest, fastest improvement you can make. Adding CSP, HSTS, and X-Frame-Options takes under 15 minutes per site yet closes the largest part of the attack surface for XSS and clickjacking. Despite this, adoption is still shockingly low.

Header                       Missing
Content-Security-Policy      67%
Strict-Transport-Security    41%
X-Frame-Options              38%
Permissions-Policy           79%

Build your own CSP in 2 minutes with our free CSP generator, or audit any site with the header checker.
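As an added example (this is not the ismycodesafe.com scanner's code), here is the kind of passive check behind a header benchmark like the one above: it parses a raw HTTP response head, reports which of the four headers are missing, and flags two weak configurations that a presence-only check would miss, an HSTS max-age under a year and a script-src that relies on 'unsafe-inline' with no nonce or hash. Both response texts are constructed for the example; the one-year HSTS threshold is an assumption, not a figure from the report.

```python
# Added example, not the ismycodesafe.com scanner: audit a raw HTTP response
# head for the four headers benchmarked above and two weak configurations.
from __future__ import annotations

REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "permissions-policy",
)
ONE_YEAR = 31536000  # seconds; assumed minimum for a meaningful HSTS max-age


def parse_headers(raw: str) -> dict[str, str]:
    """Parse an HTTP/1.1 response head into a dict keyed by lowercase name.

    Repeated headers are joined with ', ', as HTTP allows for list-valued
    fields. Parsing stops at the blank line that ends the head.
    """
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_directives(csp: str) -> dict[str, str]:
    """Split a CSP value into {directive-name: full directive text}."""
    out: dict[str, str] = {}
    for part in csp.split(";"):
        part = part.strip()
        if part:
            out[part.split()[0].lower()] = part
    return out


def audit_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return {'missing': [...], 'weak': [...]} for one response's headers."""
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    weak: list[str] = []

    csp = headers.get("content-security-policy")
    if csp:
        directives = csp_directives(csp)
        # script-src falls back to default-src when it is absent
        script = directives.get("script-src") or directives.get("default-src", "")
        if not script:
            weak.append("content-security-policy: neither script-src nor default-src set")
        elif "'unsafe-inline'" in script and "'nonce-" not in script and "'sha" not in script:
            weak.append("content-security-policy: script-src allows 'unsafe-inline' with no nonce or hash")

    hsts = headers.get("strict-transport-security")
    if hsts:
        max_age = 0
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            if key.strip().lower() == "max-age" and value.strip().isdigit():
                max_age = int(value.strip())
        if max_age < ONE_YEAR:
            weak.append(f"strict-transport-security: max-age={max_age} is under one year")

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        weak.append(f"x-frame-options: unsupported value {xfo!r}")

    return {"missing": missing, "weak": weak}


# Constructed responses for the demo: a typical weak site and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-c0nstructed'; "
    "object-src 'none'; frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)))
```

The weak response is only missing Permissions-Policy, which is what a presence-only benchmark would report; the two `weak` findings are what a grade should actually turn on, since a 300-second HSTS max-age and an 'unsafe-inline' script-src give almost none of the protection the headers' presence suggests.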


TLS / SSL Configuration

Good news: 89% of sites use TLS 1.2 or 1.3 correctly. But 9% still allow TLS 1.0 or 1.1 — both deprecated in 2020 by the IETF and forbidden in PCI DSS 4.0.

2% have expired certificates, the vast majority on forgotten subdomains rather than the main site. Let's Encrypt's 90-day cycle with automated renewal would fix this entirely.

Sensitive File Exposure

File exposure is the most catastrophic finding in our dataset. A single leaked .env file gives attackers complete access to the application.

  • 3% expose a publicly readable .env file
  • 5% expose the .git directory
  • 14% have an unauthenticated admin panel accessible

Root causes: webserver document roots set to the project root instead of /public, missing dotfile denial rules in Nginx/Apache, and CI/CD pipelines that deploy the entire repo.
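The following is an added example, not code from the report or the scanner. It builds a throwaway project tree with the three root causes just listed and simulates what a static file server would hand out for two document roots: the project root and `public/`. It also applies a filter equivalent to an Nginx "deny dotfiles" rule to show why that rule alone is not enough. The directory layout, file names and the set of sensitive patterns are constructed assumptions.

```python
# Added example, not the scanner's code: simulate which sensitive files a
# static file server would serve for a given document root, and how much an
# Nginx/Apache "deny dotfiles" rule does (and does not) fix.
from __future__ import annotations

import tempfile
from pathlib import Path

# Files that should never be reachable from the web; patterns are matched
# against the file name (pathlib.Path.match semantics). Assumed list.
SENSITIVE_FILE_PATTERNS = (".env", ".env.*", "*.sql", "*.bak", "*.old", "*.orig")
SENSITIVE_DIRS = (".git", ".svn")


def exposed_sensitive_files(docroot: Path) -> list[str]:
    """Return URL paths a server with no deny rules would serve from docroot.

    Every file under docroot is reachable by its relative path; a sensitive
    directory such as .git is reported once, as the directory itself.
    """
    docroot = docroot.resolve()
    found: set[str] = set()
    for path in docroot.rglob("*"):
        parts = path.relative_to(docroot).parts
        hit = next((p for p in parts if p in SENSITIVE_DIRS), None)
        if hit is not None:
            found.add("/" + "/".join(parts[: parts.index(hit) + 1]) + "/")
        elif path.is_file() and any(path.match(pat) for pat in SENSITIVE_FILE_PATTERNS):
            found.add("/" + "/".join(parts))
    return sorted(found)


def apply_dotfile_deny(paths: list[str]) -> list[str]:
    """Filter like an Nginx `location ~ /\\. { deny all; }` rule: any path with
    a dot-prefixed segment is refused, everything else is still served."""
    return [p for p in paths if not any(seg.startswith(".") for seg in p.strip("/").split("/"))]


def build_sample_project() -> Path:
    """Construct a throwaway project tree with the root causes listed above:
    secrets, a .git directory and a backup dump beside the real /public root."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<h1>constructed site</h1>\n")
    (root / ".env").write_text("DB_PASSWORD=constructed-example-value\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "backup.sql").write_text("-- constructed dump\n")
    return root


if __name__ == "__main__":
    project = build_sample_project()
    exposed = exposed_sensitive_files(project)
    print("docroot = project root:", exposed)
    print("  ...with dotfile deny rule:", apply_dotfile_deny(exposed))
    print("docroot = project/public:", exposed_sensitive_files(project / "public"))
```

With the project root as document root, `.env`, `.git/` and `backup.sql` are all served. The dotfile deny rule removes the first two but still leaves the SQL dump reachable, which is why pointing the document root at `public/` (or deploying only that directory) is the fix that actually closes the class of finding rather than one instance of it.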

JavaScript Libraries with Known CVEs

44% of scanned sites include at least one JavaScript library with a known CVE. The most common offenders:

  • jQuery < 3.5 (XSS via htmlPrefilter)
  • Bootstrap < 4.6 (tooltip / popover XSS)
  • Angular 1.x (end of life since 2022)
  • Vue 2 without security patches
  • Lodash < 4.17.21 (prototype pollution)
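As an added example (not the scanner's code), here is how a passive scanner can infer library versions from `<script src>` URLs and flag the ranges listed above. The detection regex, the sample HTML and the cut-off versions are assumptions for this example: jQuery, Bootstrap and Lodash are compared against the first release outside the range named in the list, and Angular 1.x is flagged as a whole because the line is end-of-life. Vue 2 is left out because "without security patches" does not map to a single version threshold.

```python
# Added example, not the scanner's code: detect library versions from
# <script src> URLs and flag the ranges listed above.
from __future__ import annotations

import re

# First release outside each range named above (assumed cut-offs).
FIXED_IN = {"jquery": "3.5.0", "bootstrap": "4.6.0", "lodash": "4.17.21"}
# Major lines that are end-of-life as a whole.
EOL_MAJORS = {"angular": {1}}

_SCRIPT_SRC = re.compile(r"""<script[^>]*\ssrc=["']([^"']+)["']""", re.IGNORECASE)
# Matches e.g. jquery-3.4.1.min.js, bootstrap@4.5.3/..., angularjs/1.8.2/...
_LIB_VERSION = re.compile(
    r"(jquery|bootstrap|lodash|angular)(?:\.?js|\.min\.js)?[@/.-]?v?(\d+(?:\.\d+){1,2})",
    re.IGNORECASE,
)


def normalize(version: str) -> tuple[int, ...]:
    """'3.4.1' -> (3, 4, 1); '4.6' -> (4, 6, 0), so '4.6' is not below '4.6.0'."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))[:3]
    return parts + (0,) * (3 - len(parts))


def detect_libraries(html: str) -> dict[str, str]:
    """Passively infer {library: version} from script URLs in an HTML page."""
    found: dict[str, str] = {}
    for src in _SCRIPT_SRC.findall(html):
        m = _LIB_VERSION.search(src)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def vulnerable_libraries(detected: dict[str, str]) -> list[str]:
    """Return one finding per library that is end-of-life or below its cut-off."""
    findings: list[str] = []
    for name, version in detected.items():
        key = name.lower()
        v = normalize(version)
        if key in EOL_MAJORS and v[0] in EOL_MAJORS[key]:
            findings.append(f"{name} {version}: end-of-life major version")
        elif key in FIXED_IN and v < normalize(FIXED_IN[key]):
            findings.append(f"{name} {version}: below {FIXED_IN[key]}")
    return findings


# Constructed page: three outdated libraries and one current one.
SAMPLE_HTML = """
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/js/bootstrap.bundle.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.20/lodash.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.2/angular.min.js"></script>
"""

if __name__ == "__main__":
    detected = detect_libraries(SAMPLE_HTML)
    print(detected)
    for finding in vulnerable_libraries(detected):
        print("-", finding)
```

Version strings are padded to three components before comparison; a naive tuple comparison would rank `4.6` below `4.6.0` and produce a false positive on an up-to-date Bootstrap. URL-based detection is a heuristic: bundled or renamed files will not be caught, which is one reason step 6 below pairs it with `npm audit` in CI.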

How to Improve Your Grade

  1. Add Content-Security-Policy and HSTS. Start with our free CSP generator.
  2. Disable TLS 1.0 and 1.1 in your webserver configuration. Modern browsers no longer connect to them anyway.
  3. Remove .env, .git, and backup files from webroot. Deploy only /public or equivalent.
  4. Add Secure, HttpOnly, and SameSite=Lax to every session cookie.
  5. Replace Access-Control-Allow-Origin: * with an explicit allowlist of trusted origins.
  6. Upgrade outdated JavaScript libraries. Run npm audit in CI and block merges on high-severity findings.
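Steps 4 and 5 are the two items above that a header scan can verify directly, so here is an added example (not the scanner's or the report's code) that checks every Set-Cookie value for Secure, HttpOnly and SameSite, flags a wildcard Access-Control-Allow-Origin, and shows the allowlist-based CORS response that replaces it. The sample headers, cookie names and trusted origins are constructed for the example.

```python
# Added example, not the scanner's code: check Set-Cookie attributes and the
# CORS origin header (steps 4 and 5), and build an allowlisted CORS response.
from __future__ import annotations

from typing import Iterable

ACCEPTED_SAMESITE = ("lax", "strict")


def audit_set_cookie(value: str) -> tuple[str, list[str]]:
    """Return (cookie name, missing attributes) for one Set-Cookie value."""
    name_value, *attrs = (p.strip() for p in value.split(";"))
    name = name_value.partition("=")[0].strip()
    attributes: dict[str, str] = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    missing: list[str] = []
    if "secure" not in attributes:
        missing.append("Secure")
    if "httponly" not in attributes:
        missing.append("HttpOnly")
    # SameSite=None is reported as well: it opts the cookie out of CSRF
    # protection and should be a deliberate choice for cross-site use.
    if attributes.get("samesite", "").lower() not in ACCEPTED_SAMESITE:
        missing.append("SameSite=Lax or Strict")
    return name, missing


def audit_cors(headers: dict[str, str]) -> list[str]:
    """Flag a wildcard Access-Control-Allow-Origin."""
    acao = headers.get("Access-Control-Allow-Origin", "").strip()
    findings: list[str] = []
    if acao == "*":
        findings.append("Access-Control-Allow-Origin is '*'")
        if headers.get("Access-Control-Allow-Credentials", "").lower() == "true":
            findings.append("wildcard origin combined with Allow-Credentials: true")
    return findings


def cors_headers_for(origin: str, allowlist: Iterable[str]) -> dict[str, str]:
    """Replacement for ACAO: * -- echo the request Origin only if it is on the
    allowlist, and always send Vary: Origin so caches keep answers per origin."""
    response = {"Vary": "Origin"}
    if origin in set(allowlist):
        response["Access-Control-Allow-Origin"] = origin
    return response


def audit_response(headers: dict[str, str], set_cookies: list[str]) -> dict:
    """Run both checks; only cookies with problems appear in the result."""
    cookies: dict[str, list[str]] = {}
    for raw in set_cookies:
        name, missing = audit_set_cookie(raw)
        if missing:
            cookies[name] = missing
    return {"cookies": cookies, "cors": audit_cors(headers)}


# Constructed sample response: one bare session cookie, one partly hardened
# cookie, one correct cookie, and a wildcard CORS header.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"}
SAMPLE_SET_COOKIES = [
    "sessionid=c0nstructed; Path=/",
    "remember_me=1; Path=/; Secure; SameSite=Lax",
    "theme=dark; Path=/; Secure; HttpOnly; SameSite=Strict",
]
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

if __name__ == "__main__":
    print(audit_response(SAMPLE_HEADERS, SAMPLE_SET_COOKIES))
    print(cors_headers_for("https://app.example.com", TRUSTED_ORIGINS))
    print(cors_headers_for("https://other.example", TRUSTED_ORIGINS))
```

`cors_headers_for` never reflects an arbitrary Origin back: an origin outside the allowlist gets no Access-Control-Allow-Origin at all, so the browser blocks the cross-origin read. The `Vary: Origin` header matters because a shared cache that stored the allowlisted answer could otherwise serve it to a different origin.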
