Protego Research
Website Security Report 2026
Live, privacy-safe findings from authorized website security scans. This report publishes only aggregate counters: Protego does not store scanned domains, URLs, IP addresses, or user identities in the research dataset.
Headline findings
The baseline cohort contains 524 completed scans. It counts scan events, not unique websites, because Protego intentionally does not retain domain identifiers in the aggregate dataset.
Completed scans
Authorized scans recorded in the baseline aggregate cohort.
Missing CSP
326 scans did not return a Content-Security-Policy header.
Missing HSTS
96 scans did not return Strict-Transport-Security.
Insecure cookies detected
85 scans found at least one cookie missing Secure or HttpOnly.
Expanded 2026 cohort
A versioned cohort now records every metric with a consistent denominator. Expanded findings will appear automatically after 100 scans. Current sample: 1.
Methodology
Population: scans voluntarily initiated through the Protego Website Vulnerability Scanner. Results are a convenience sample and should not be treated as a census of the public web.
Unit of analysis: one completed scan event. A website may be scanned more than once. Protego cannot deduplicate websites without retaining identifiers, so this report consistently uses the term “scans,” not “unique websites.”
Collection: the scanner evaluates response headers, TLS behavior, cookies, HTTPS redirects, DNS controls, CORS, server disclosure, and optional deep-scan checks. Detection is configuration-oriented and does not replace authenticated penetration testing.
Privacy: research counters contain no domain, URL, IP address, account ID, or scan result document. Only aggregate numeric counters and cohort timestamps are retained.
Publication threshold: baseline header findings are published from the established aggregate counters. New metrics use the versioned cohort and remain hidden until at least 100 scans share the same denominator.
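The three baseline header checks and the aggregate-only counting described above can be sketched as follows. This is an added example, not Protego's scanner code: the function, class and metric names are hypothetical, and the sample responses are constructed.

```python
PUBLISH_THRESHOLD = 100  # per the report: new metrics stay hidden below 100 scans
METRICS = ("missing_csp", "missing_hsts", "insecure_cookie")  # hypothetical names

def cookie_is_insecure(set_cookie: str) -> bool:
    """True if a Set-Cookie value lacks the Secure or the HttpOnly attribute."""
    attrs = {part.split("=", 1)[0].strip().lower()
             for part in set_cookie.split(";")[1:]}  # skip the name=value pair
    return not {"secure", "httponly"} <= attrs

def findings(headers):
    """Classify one response given (name, value) pairs; pairs rather than a
    dict so that repeated Set-Cookie headers are all inspected."""
    names = {name.lower() for name, _ in headers}
    found = set()
    # Exact-name match: a Report-Only CSP header does not count as a CSP header.
    if "content-security-policy" not in names:
        found.add("missing_csp")
    if "strict-transport-security" not in names:
        found.add("missing_hsts")
    if any(n.lower() == "set-cookie" and cookie_is_insecure(v) for n, v in headers):
        found.add("insecure_cookie")
    return found

class Cohort:
    """Versioned cohort holding numeric counters only; no domain, URL or IP
    is accepted by record(), so none can be retained."""
    def __init__(self, version):
        self.version = version
        self.completed = 0
        self.counts = dict.fromkeys(METRICS, 0)

    def record(self, headers):
        self.completed += 1          # every metric shares this denominator
        for metric in findings(headers):
            self.counts[metric] += 1

    def publishable(self):
        """Counters plus denominator, or None while below the threshold."""
        if self.completed < PUBLISH_THRESHOLD:
            return None
        return {"scans": self.completed, **self.counts}

# Constructed sample responses (not real scan data).
HARDENED = [("Content-Security-Policy", "default-src 'self'"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Set-Cookie", "sid=abc; Path=/; Secure; HttpOnly")]
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "sid=abc; Path=/; HttpOnly"),      # no Secure
        ("Set-Cookie", "theme=dark; Secure; HttpOnly")]
```

Because a scan counts once however many of its cookies are weak, the cookie counter stays comparable to the header counters over the same denominator.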
Citation
Protego, “Website Security Report 2026,” accessed 2026-07-05, https://protego.me/research/website-security-report-2026.