The Numbers
We scanned 111 global sites and 106 sites popular in Sweden, grading each on a 100-point scale across seven standard security headers.
In both datasets, roughly a third of sites fail outright, and the average hovers just below 50. Fewer than 10% earn an A or higher.
Surprising Findings
LastPass gets an F. Bitwarden gets an A.
Of all the results, this one stands out. LastPass.com — a password manager whose entire value proposition is security — scores 0 out of 100. Zero security headers. Not a single one. Meanwhile, competitor Bitwarden.com scores 83/100 (A). If you are in the business of selling trust, your own homepage is a strange place to cut corners.
Amazon and Microsoft: 0 out of 100
The two largest cloud infrastructure providers on earth — companies that literally sell security services to other companies — both score zero on their own marketing sites. Amazon.com: 0/100. Microsoft.com: 0/100. To be fair, this measures their public-facing homepages, not AWS or Azure dashboards. But the irony is hard to miss.
Vercel scores 0. The sites it hosts do better.
Vercel, the platform behind millions of Next.js deployments, scores 0/100 on its own homepage. It is worth noting that Vercel makes it easy for its customers to configure security headers. The company apparently does not follow its own documentation.
The crypto exchange with no headers
Binance.com scores 0/100. For a platform that processes billions of dollars in transactions, deploying zero security headers on the homepage is a choice.
Streaming services: the worst category
Disney+, Hulu, and Netflix collectively illustrate the state of streaming: Disney+ (0/100), Hulu (0/100), and Netflix (53/100, grade D). Spotify also gets a D at 48/100. Of the major streaming platforms scanned, not one managed a passing grade.
The developer tool gap
Sites developers trust with their code and infrastructure show a wide spread. GitHub (B, 75/100) and OpenAI (B, 70/100) are decent. Stack Overflow gets a D (47/100). Slack gets a D (47/100). Zoom gets an F (15/100).
PyPI stands alone at the top
The single A+ in the global dataset is pypi.org at 97/100 — the Python Package Index, a community-run open source project. It outperforms every trillion-dollar company in the scan.
Sweden vs. Global
Sweden's results are remarkably similar to the global averages, with a few notable divergences.
| Metric | Global | Sweden |
|---|---|---|
| Average score | 48.5 | 49.4 |
| F-grade rate | 36% | 32% |
| A or A+ rate | 10% | 12% |
| CSP adoption | 53% | 61% |
| Referrer-Policy adoption | 37% | 61% |
Swedish sites edge ahead on most header categories, with the largest gap in Referrer-Policy — adopted by 61% of Swedish sites versus just 37% globally.
Swedish standouts
Aftonbladet.se, Sweden's largest tabloid, scores A+ (92/100) — outperforming Google, Apple, and every Big Tech company in the global scan. Sweden's healthcare portal 1177.se scores A (87/100), and the national tax authority Skatteverket.se gets a B (70/100).
On the other end: H&M (hm.com) scores 0/100, as does Elgiganten (Sweden's largest electronics retailer), national radio broadcaster Sveriges Radio, and bookstores Adlibris and Bokus.
Swedish banks are a mixed bag. Swedbank (B, 77/100) and SEB (B, 78/100) do well. Handelsbanken (B, 75/100) is close behind. Nordea lags at C (63/100).
Header-by-Header Adoption
HSTS is the one bright spot — over 80% adoption in both datasets. After that, it drops fast. Permissions-Policy, arguably the most important modern header for controlling browser feature access, is deployed on fewer than 30% of sites in both groups.
Cross-Origin and Reporting Headers
| Header | Global | Sweden |
|---|---|---|
| Cross-Origin-Opener-Policy | 20% | 21% |
| Cross-Origin-Embedder-Policy | 11% | 14% |
| Cross-Origin-Resource-Policy | 12% | 17% |
| NEL (Network Error Logging) | 16% | 7% |
| Report-To | 24% | 11% |
Cross-origin isolation headers remain rare across the board. The one area where global sites significantly outperform Swedish ones is in reporting infrastructure (Report-To at 24% vs. 11%), likely driven by large US platforms that have invested in centralized error-reporting pipelines.
Server Information Disclosure
An easy win that most sites skip: 90 out of 109 global sites and 63 out of 99 Swedish sites expose their Server header, telling attackers exactly what software is running behind the scenes.
The most common Server values globally: Cloudflare (28 sites), nginx (10), Envoy (6), AkamaiNetStorage (3), CloudFront (3).
Top and Bottom Performers
Global — Best
| Domain | Grade | Score |
|---|---|---|
| pypi.org | A+ | 97 |
| npmjs.com | A | 88 |
| theguardian.com | A | 88 |
| coinbase.com | A | 88 |
| nordvpn.com | A | 88 |
| medium.com | A | 88 |
| letsencrypt.org | A | 83 |
| bitwarden.com | A | 83 |
| namecheap.com | A | 83 |
| discord.com | A | 82 |
Global — Worst
| Domain | Grade | Score |
|---|---|---|
| amazon.com | F | 0 |
| etsy.com | F | 0 |
| vercel.com | F | 0 |
| microsoft.com | F | 0 |
| airtable.com | F | 0 |
| binance.com | F | 0 |
| hulu.com | F | 0 |
| disneyplus.com | F | 0 |
| lastpass.com | F | 0 |
| khanacademy.org | F | 0 |
Sweden — Best
| Domain | Grade | Score |
|---|---|---|
| king.com | A+ | 95 |
| aftonbladet.se | A+ | 92 |
| inet.se | A | 88 |
| 1177.se | A | 87 |
| skandia.se | A | 85 |
| folkhalsomyndigheten.se | A | 85 |
| svd.se | A | 85 |
| hemkop.se | A | 82 |
| systembolaget.se | A | 82 |
| boozt.com | A | 81 |
Sweden — Worst
| Domain | Grade | Score |
|---|---|---|
| sverigesradio.se | F | 0 |
| kronansapotek.se | F | 0 |
| hm.com | F | 0 |
| elgiganten.se | F | 0 |
| netonnet.se | F | 0 |
| adlibris.com | F | 0 |
| bokus.com | F | 0 |
| nakd.com | F | 0 |
| breakit.se | F | 0 |
| gp.se | F | 0 |
Methodology
Each site was scanned by fetching its HTTPS homepage (with a www. fallback) and inspecting the response headers after following redirects. Seven headers were scored on a weighted 100-point scale:
| Header | Weight |
|---|---|
| Strict-Transport-Security | 25% |
| Content-Security-Policy | 25% |
| X-Content-Type-Options | 15% |
| X-Frame-Options | 10% |
| Permissions-Policy | 10% |
| Referrer-Policy | 10% |
| X-XSS-Protection | 5% |
Grade thresholds: A+ ≥ 90, A ≥ 80, B ≥ 70, C ≥ 55, D ≥ 40, F < 40. Cross-origin isolation and reporting headers were tracked separately and not included in the score. Two global sites and seven Swedish sites returned connection errors and were excluded.
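As an added illustration of the scoring described above (this is not the article's own scanner, whose partial-credit rules are not published), the following script applies the seven weights and the grade cut-offs to a captured set of response headers and also flags the Server header disclosure discussed earlier. It assumes all-or-nothing credit per header, giving credit only to values that are syntactically sound; the sample header sets are constructed, not taken from any real site.

```python
import re
from typing import Mapping

# Weights from the Methodology table (points out of 100) and grade cut-offs.
WEIGHTS = {
    "strict-transport-security": 25, "content-security-policy": 25,
    "x-content-type-options": 15, "x-frame-options": 10,
    "permissions-policy": 10, "referrer-policy": 10, "x-xss-protection": 5,
}
GRADES = [(90, "A+"), (80, "A"), (70, "B"), (55, "C"), (40, "D")]  # below 40: F

def _earns_credit(name: str, value: str) -> bool:
    # Assumption: all-or-nothing credit per header. The article's scanner
    # evidently grades values more finely (a 97 is unreachable otherwise),
    # but its rules are not published, so only well-formed values count here.
    v = value.strip()
    if name == "strict-transport-security":   # must carry a positive max-age
        m = re.search(r"max-age=(\d+)", v, re.IGNORECASE)
        return bool(m) and int(m.group(1)) > 0
    if name == "x-content-type-options":      # the only meaningful value
        return v.lower() == "nosniff"
    if name == "x-frame-options":             # ALLOW-FROM is obsolete
        return v.upper() in ("DENY", "SAMEORIGIN")
    return bool(v)  # CSP, Permissions-Policy, Referrer-Policy, X-XSS-Protection

def scan(headers: Mapping[str, str]) -> dict:
    """Score one response's headers: total, grade, headers missing or
    malformed, and whether a Server header reveals the backing software."""
    lower = {k.lower(): v for k, v in headers.items()}
    credited = {n for n in WEIGHTS if n in lower and _earns_credit(n, lower[n])}
    score = sum(WEIGHTS[n] for n in credited)
    return {
        "score": score,
        "grade": next((g for cutoff, g in GRADES if score >= cutoff), "F"),
        "missing": [n for n in WEIGHTS if n not in credited],
        "server_disclosed": bool(lower.get("server", "").strip()),
    }

# Constructed sample responses, not captured from any real site.
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Referrer-Policy": "strict-origin-when-cross-origin", "X-XSS-Protection": "0",
}
BARE = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8"}
PARTIAL = {"Strict-Transport-Security": "max-age=0", "Server": "cloudflare",
           "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff"}
```

`scan(STRONG)` reaches 100 (A+), `scan(BARE)` scores 0 (F) with every header listed as missing, and `scan(PARTIAL)` gets 40 (D) because the zero max-age HSTS earns nothing.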
Conclusion
The state of HTTP security headers in 2026 is, bluntly, poor. A third of the biggest sites on the internet fail a basic check that takes minutes to fix. The headers we measured are not exotic — they are documented in every web security guide, supported by every major browser, and free to deploy.
HSTS has crossed the 80% adoption threshold, which is progress. But Content-Security-Policy sits at just 53% globally, and Permissions-Policy — which controls access to cameras, microphones, and geolocation — is deployed on fewer than 3 in 10 sites.
The pattern that emerges is not about resources. PyPI, a volunteer-run project, tops the chart. Amazon, a company worth $2 trillion, sits at the bottom. The difference is prioritization: teams that treat security headers as part of their deployment checklist get them right. Teams that do not, do not.
If you manage a website, run your own headers through a scanner. The fixes are usually a few lines of server configuration, and the payoff is real: protection against clickjacking, XSS, MIME sniffing, and a range of injection attacks that browsers are ready to block — if you ask them to.