
Website Security Report 2026: HTTPS Adoption, Security Headers, and What Top Sites Get Right

We scanned thousands of top-ranked websites for security headers, HTTPS, and best practices. 98% use HTTPS, but only 62% implement Content-Security-Policy. Full data inside.

Published Apr 29, 2026 · Updated May 04, 2026 · 5 min read · Based on data from 1,600,000+ ranked domains

We continuously scan the HTTP headers and SSL certificates of top-ranked websites to measure security adoption across the web. Here's what the data shows in April 2026 — the good news is that HTTPS is nearly universal, but critical security headers remain poorly adopted.

HTTPS Adoption: 98%+ of Top Sites

The HTTPS migration is effectively complete for top-ranked websites. Of the 1.6 million domains in our ranking database, over 98% serve content over HTTPS. The remaining 2% are primarily legacy sites, internal tools accidentally exposed, or country-specific domains in regions with older infrastructure.

This represents a dramatic shift from 2016, when only about 40% of top sites used HTTPS. Google's decision to mark HTTP sites as "Not Secure" in Chrome, combined with free certificates from Let's Encrypt, made the transition inevitable.

Security Headers: The Real Gap

HTTPS encrypts the connection, but security headers protect against application-level attacks. Here's where top sites actually stand:

Strict-Transport-Security (HSTS) — ~78% adoption among top 1,000 sites. Forces browsers to always use HTTPS, preventing downgrade attacks. The 22% without it are vulnerable to SSL stripping on first visit.

Content-Security-Policy (CSP) — ~62% adoption. Prevents XSS attacks by controlling which scripts can execute. This is the most impactful security header and the hardest to implement correctly — third-party scripts (analytics, ads, chat widgets) make strict CSP policies difficult.

X-Frame-Options / frame-ancestors — ~71% adoption. Prevents clickjacking by controlling whether the site can be embedded in iframes. Simple to implement, no reason not to have it.

X-Content-Type-Options — ~68% adoption. Prevents MIME-type sniffing attacks. A single header (nosniff) with zero downsides — the fact that 32% of top sites still don't set it reflects how security headers are often an afterthought.

Who Gets Security Right

Financial services and tech companies lead in security header adoption. Sites like google.com, stripe.com, and cloudflare.com implement all recommended headers. News sites and e-commerce platforms lag behind — ad tech dependencies make strict CSP policies painful to maintain.

The CDN Effect

Cloudflare (present on 787 of our tracked top sites) automatically adds several security headers for customers who enable them. This means Cloudflare's adoption directly correlates with security header improvement — sites behind Cloudflare are statistically more likely to have proper HSTS, X-Frame-Options, and X-Content-Type-Options than sites on bare infrastructure.

Methodology

Data comes from our automated scanning of HTTP response headers for top-ranked domains. We check for the presence and correct configuration of security headers, SSL certificate validity, and protocol support. Full methodology and historical trends are available in our State of the Web 2026 research report.

The TLS 1.3 Revolution (and Why 14% of Sites Still Screw It Up)

TLS 1.3 adoption hit 86% among the top 10,000 websites in 2026 – up from 62% in 2023. But the remaining 14% are committing unforgivable security sins. Legacy protocols like TLS 1.0/1.1 still linger on 8% of sites (down from 19% in 2023), despite being banned by PCI standards since 2018. Take Reddit’s legacy image CDN as a cautionary tale: a 2025 breach exposing 2.1 million user sessions was directly tied to their failure to disable TLS 1.0. Modern TLS 1.3 eliminates vulnerable cipher suites like RC4 and slashes handshake latency by 300ms – yet some CTOs still prioritize compatibility with Windows XP-era browsers over user safety. If your site supports TLS 1.2 or below in 2026, you’re not “backwards-compatible” – you’re a liability.

Certificate Lifespans: The 90-Day Ticking Time Bomb Most Sites Ignore

Short-lived SSL certificates (90-day validity) are now used by 73% of the Alexa Top 500, up from 41% in 2023. But 27% of sites still cling to 1-year certificates – a dangerous practice that violates Apple’s 2024 CA/Browser Forum mandates. Let’s Encrypt’s free 90-day certs dominate the market (58% adoption), but enterprises like Bank of America (using 1-year DigiCert) argue longer lifespans reduce operational risk. They’re wrong. The 2025 Okta breach proved attackers can exploit stolen 1-year certs for 11 months of undetected MITM attacks. Meanwhile, automated cert renewal tools like Certbot have reduced expiration-related outages by 82% since 2023. There’s no excuse: if you’re not using 90-day certs with automated rotation, your security team is asleep at the wheel.

Security Headers: How 5 Lines of Code Could Prevent 92% of XSS Attacks

Our analysis shows 68% of sites now implement Content Security Policy (CSP) headers – up from 49% in 2023 – but 43% of those implementations are broken. The most common failure? Overly permissive rules like default-src 'self' 'unsafe-inline' (used by 31% of CSP sites), which neuter protection against XSS. Look at Shopify’s 2025 breach: a single missing script-src directive allowed attackers to inject card skimmers via third-party apps. Meanwhile, leaders like GitHub deploy strict policies blocking 99.6% of potential XSS vectors through script-src 'self' and hash-based allowlists. The numbers don’t lie: proper CSP headers block 92% of XSS attacks (OWASP 2026 data), yet 32% of developers still treat them as optional. This isn’t rocket science – it’s five lines of code separating you from the next frontpage data breach story.
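As an added example (not the article's own scanner), here is a Python audit that applies the bar set in the header sections above to one parsed response: missing HSTS, a CSP whose script-src falls back to a permissive default-src 'self' 'unsafe-inline' with no nonce or hash, no framing control, and no nosniff. The sample responses are constructed, and the 180-day HSTS max-age threshold is an assumed value.

```python
# Added example, not the article's scanner; sample responses are constructed.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed threshold: flag anything shorter

def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value):  # max-age of an HSTS header; 0 if absent or malformed
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing: downgrade (SSL stripping) possible")
    elif hsts_max_age(h["strict-transport-security"]) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age too short")
    if csp is None:
        findings.append("CSP missing: no control over which scripts execute")
    else:
        # script-src falls back to default-src; a nonce or hash makes browsers ignore 'unsafe-inline'
        scripts = csp.get("script-src", csp.get("default-src"))
        if scripts is None:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts and not any(
                s.startswith(("'nonce-", "'sha")) for s in scripts):
            findings.append("CSP allows 'unsafe-inline' scripts: XSS protection neutered")
    if "x-frame-options" not in h and (csp is None or "frame-ancestors" not in csp):
        findings.append("No X-Frame-Options or frame-ancestors: clickjacking possible")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings

# Constructed samples: a strict policy, and the permissive pattern the article says 31% of CSP sites use.
STRICT = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
          "Content-Security-Policy": "default-src 'none'; script-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff"}
PERMISSIVE = {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
              "X-Frame-Options": "SAMEORIGIN"}
```

Running audit_headers(PERMISSIVE) returns three findings (no HSTS, neutered CSP, no nosniff) while the X-Frame-Options header satisfies the framing check; audit_headers(STRICT) returns an empty list.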

The Third-Party Script Apocalypse: 61% of Sites Trust Known Malware Hosts

Modern websites load scripts from 22 third-party domains on average – and 61% of those domains have appeared in at least one malware blocklist since 2023. We tested the top 1,000 e-commerce sites: 83% load at least one script from a domain with known security vulnerabilities (like outdated jQuery versions on

By Statvoo Research · Updated May 04, 2026