The latest articles on Forem by Richard Angapin (@richard_angapin). https://forem.com/richard_angapin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3565539%2Fa4c7965f-c6c1-4656-8843-db14dfbd1054.jpg https://forem.com/richard_angapin en Richard Angapin Wed, 15 Oct 2025 01:32:41 +0000 https://forem.com/richard_angapin/i-scanned-50-web-agency-websites-most-failed-basic-security-pjb https://forem.com/richard_angapin/i-scanned-50-web-agency-websites-most-failed-basic-security-pjb <p>Web agencies sell expertise in <strong>performance</strong>, <strong>UX</strong>, and <strong>SEO</strong>, but how many actually implement basic <strong>security headers</strong>? I decided to find out. I randomly picked 50 agency websites from LinkedIn and audited each one using <a href="https://securityheaders.com/" rel="noopener noreferrer">SecurityHeaders.com</a>. The results?</p> <h2> The Security Report Card </h2> <p>Here's how the grades broke down:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Grade</th> <th>% of Agencies</th> </tr> </thead> <tbody> <tr> <td>A</td> <td>8%</td> </tr> <tr> <td>B</td> <td>4%</td> </tr> <tr> <td>C</td> <td>6%</td> </tr> <tr> <td>D</td> <td>30%</td> </tr> <tr> <td><strong>F</strong></td> <td><strong>52%</strong></td> </tr> </tbody> </table></div> <p>Over half scored an <strong>F</strong>, and <strong>nearly 80%</strong> earned a <strong>D or worse</strong>. These grades reflect missing security headers that have been best practices for years. The pattern is interesting: agencies excel at optimizing <em>what users can see</em> but often overlook <em>security headers that browsers check</em>.</p> <h2> What's Actually Missing </h2> <p>These aren't experimental features. They're established security headers that have been recommended for years.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Header</th> <th>Agencies Missing</th> </tr> </thead> <tbody> <tr> <td>X-Frame-Options</td> <td>86%</td> </tr> <tr> <td>Strict-Transport-Security</td> <td>82%</td> </tr> <tr> <td>X-Content-Type-Options</td> <td>80%</td> </tr> <tr> <td>Referrer-Policy</td> <td>74%</td> </tr> <tr> <td>Content-Security-Policy</td> <td>70%</td> </tr> </tbody> </table></div> <h3> What these headers do: </h3> <ul> <li>X-Frame-Options prevents your site from being embedded in iframes on other domains</li> <li>Strict-Transport-Security forces browsers to use HTTPS connections</li> <li>X-Content-Type-Options stops browsers from incorrectly interpreting file types</li> <li>Referrer-Policy controls what information is shared when users click links</li> <li>Content-Security-Policy helps prevent cross-site scripting and other code injection attacks</li> </ul> <p>While missing these headers doesn't guarantee a security breach, implementing them significantly improves your security posture.</p> <h2> Why These Get Missed </h2> <p>It's rarely deliberate. In most teams, it's simply a <strong>process blind spot</strong>:</p> <ul> <li>Headers are invisible to clients</li> <li>They don't affect visuals or performance metrics</li> <li>Teams move fast and reuse old deployment templates</li> <li>Manual checks are tedious and easy to skip</li> <li>Once configured, they're rarely revisited</li> </ul> <p>Security headers often get documented but not continuously monitored.</p> <h2> The Quick Win </h2> <p>Want to improve your security grade significantly? Add these to your Nginx config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">add_header</span> <span class="s">X-Frame-Options</span> <span class="s">"SAMEORIGIN"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">Strict-Transport-Security</span> <span class="s">"max-age=31536000"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">"nosniff"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">Referrer-Policy</span> <span class="s">"strict-origin-when-cross-origin"</span> <span class="s">always</span><span class="p">;</span> </code></pre> </div> <p>That's it. Four lines that add meaningful security layers. For additional protection, consider implementing a <strong>Content-Security-Policy</strong> using nonces or hashes (see <a href="https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html" rel="noopener noreferrer">OWASP's CSP Cheat Sheet</a>). Using Apache or .htaccess? Check <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers" rel="noopener noreferrer">MDN's HTTP Headers reference</a>.</p> <h2> The Wake-Up Call </h2> <p>If you build or maintain sites, check your own domain first, then your clients'. <a href="https://securityheaders.com/" rel="noopener noreferrer">SecurityHeaders.com</a> gives you instant results. Big thanks to Scott Helme and team for this excellent free tool!</p> <p>Manually checking 50 sites took me hours, which is exactly why I built <a href="https://achilleus.so" rel="noopener noreferrer">Achilleus</a> to facilitate security header monitoring across multiple sites.</p> <h2> And you, what's Your Security Grade? </h2> <p>Check your site and share your grade in the comments below 👇</p> webdev security development