Cyber Intelligence

Protego Research

Website Security Report 2026

Live, privacy-safe findings from authorized website security scans. This report publishes only aggregate counters: Protego does not store scanned domains, URLs, IP addresses, or user identities in the research dataset.

Updated daily | Open methodology | No domain-level data

Headline findings

The baseline cohort contains 524 completed scans. It counts scan events, not unique websites, because Protego intentionally does not retain domain identifiers in the aggregate dataset.

Completed scans: 524. Authorized scans recorded in the baseline aggregate cohort.

Missing CSP: 62%. 326 scans did not return a Content-Security-Policy header.

Missing HSTS: 18%. 96 scans did not return Strict-Transport-Security.

Insecure cookies detected: 16%. 85 scans found at least one cookie missing Secure or HttpOnly.

Expanded 2026 cohort

A versioned cohort now records every metric with a consistent denominator. Expanded findings will appear automatically after 100 scans. Current sample: 1.

Methodology

Population: scans voluntarily initiated through the Protego Website Vulnerability Scanner. Results are a convenience sample and should not be treated as a census of the public web.

Unit of analysis: one completed scan event. A website may be scanned more than once. Protego cannot deduplicate websites without retaining identifiers, so this report consistently uses the term “scans,” not “unique websites.”

Collection: the scanner evaluates response headers, TLS behavior, cookies, HTTPS redirects, DNS controls, CORS, server disclosure, and optional deep-scan checks. Detection is configuration-oriented and does not replace authenticated penetration testing.

Privacy: research counters contain no domain, URL, IP address, account ID, or scan result document. Only aggregate numeric counters and cohort timestamps are retained.

Publication threshold: baseline header findings are published from the established aggregate counters. New metrics use the versioned cohort and remain hidden until at least 100 scans share the same denominator.
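
The counting model described in this methodology, as an added example (not Protego's scanner code): each scan is reduced to three booleans, only numeric counters are kept, and percentages stay hidden below the 100-scan threshold. The function names, metric keys and sample responses are assumptions constructed for illustration.

```python
from collections import Counter

PUBLICATION_THRESHOLD = 100  # from the report: metrics stay hidden below 100 scans

# Constructed sample responses as (header name, value) pairs; not real scan data.
SAMPLE_HARDENED = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
SAMPLE_WEAK = [
    ("Server", "example"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),  # lacks both Secure and HttpOnly
]

def evaluate_scan(headers):
    """Reduce one response to booleans; no domain, URL or header value is returned."""
    names = {name.lower() for name, _ in headers}
    insecure_cookie = False
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        # Attribute names follow the first ';'-separated name=value pair.
        attrs = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            insecure_cookie = True  # at least one cookie misses Secure or HttpOnly
    return {
        "missing_csp": "content-security-policy" not in names,
        "missing_hsts": "strict-transport-security" not in names,
        "insecure_cookies": insecure_cookie,
    }

def record(counters, findings):
    """Fold one scan event into the aggregate counters (the only retained state)."""
    counters["scans"] += 1
    for metric, hit in findings.items():
        counters[metric] += int(hit)

def publish(counters, threshold=PUBLICATION_THRESHOLD):
    """Return whole-number percentages, or None while the cohort is below threshold."""
    total = counters["scans"]
    if total < threshold:
        return None
    return {m: round(100 * c / total) for m, c in counters.items() if m != "scans"}
```

Because every metric is incremented in the same call that increments the scan count, all percentages share one denominator, which is the property the versioned cohort is described as enforcing.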

Citation

Protego, “Website Security Report 2026,” accessed 2026-07-05, https://protego.me/research/website-security-report-2026.