← All insights
Research

Most common security-header misconfigurations

Updated July 11, 2026. Based on 3,153 unique hostnames scanned by SecureMonk users between March 7, 2026 and July 11, 2026, latest scan per host.

HTTP security headers are the cheapest defensive layer on a website. Each one is a single line in a server config, costs nothing, and quietly closes a class of attacks. Adoption rates are far lower than the cost would predict. Here is what the data shows.

The ranking

HeaderHosts missing it% of sites
Content-Security-Policy1,96762.4%
X-Frame-Options1,56049.5%
X-Content-Type-Options1,49747.5%
Strict-Transport-Security1,39344.2%

These are the four headers our scanner penalizes against the overall score. Other headers (Referrer-Policy, Permissions-Policy, the Cross-Origin family) are also tracked but treated as recommendations rather than required, so we exclude them from the ranking above.

CSP leads the ranking for a reason

62.4% of sites do not set a Content-Security-Policy header. CSP is the most powerful header in the list, and also the most complex. A correct policy requires knowing every domain your site loads scripts, styles, fonts, and images from. For a single-page app with third-party analytics, embedded videos, and a payment widget, that list is long and changes when the marketing team adds a new tool. Many teams set CSP to report-only mode during development and never promote it to enforcement.

The fix path is to start with Content-Security-Policy-Report-Only and a minimal policy, collect real-world reports for a week, refine the policy, then switch to enforcement.

X-Frame-Options is mostly forgotten

49.5% of sites do not set X-Frame-Options or its modern replacement ( frame-ancestors in CSP). The result is that the site can be loaded in a hidden iframe on an attacker-controlled page, which is the entire mechanism behind clickjacking. The fix is one line.

X-Content-Type-Options is the easiest possible win

The only valid value for X-Content-Type-Options is nosniff. There are no edge cases, no risk of breaking the site, no maintenance. 47.5% of sites do not set it. This is the easiest header in the entire list to add.

HSTS adoption is climbing but not there yet

44.2% of sites still lack a Strict-Transport-Security header. Without HSTS, the first request from a new visitor can be intercepted before it is redirected to HTTPS. Modern HSTS configs also support browser preloading via hstspreload.org, which closes the first-visit gap entirely.

Why this gap persists

Three reasons keep showing up:

  • Default platform configs do not include these headers. A vanilla nginx, IIS, or Apache install ships without them.
  • Teams worry about side effects. CSP is the only one of the four where that fear is justified. The other three are nearly side-effect free.
  • Nobody routinely audits for them. Headers are invisible to end users, so they do not show up in QA.

Methodology

Same dataset as the other insights pieces. 3,153 unique hostnames scanned through SecureMonk between 2026-03-07 and 2026-07-11, latest scan per host. We only count a header as missing when our scanner returned status absent on a header that affects the overall score. Headers tracked as informational only (Referrer-Policy, Permissions-Policy, the Cross-Origin family) are excluded from the ranking but visible in individual scan results.