We scanned 10,000+ websites.
Here's what the data says.
ZeriFlow analyzed security configurations across thousands of sites in 2026. The results are worse than most developers expect.
Published May 2026 · ZeriFlow Security Research · Based on 10,000+ scans
Key Findings
Four numbers that define the state of web security
According to ZeriFlow's 2026 analysis of 10,000+ real-world website scans, the security baseline remains critically low across the web.
73%
Missing Content-Security-Policy
The most widespread misconfiguration on the web — leaving sites open to XSS and data injection attacks.
52/100
Average security score
The ZeriFlow average across all scans in 2026. A score of 75+ is considered good; 90+ is excellent.
38%
Fail DMARC
Over one in three domains lack a valid DMARC policy, leaving them open to email spoofing and phishing.
18%
of vibe-coded apps below 40/100
Apps generated by AI coding tools (Cursor, Lovable, Bolt, v0) show a consistent security deficit.
"According to ZeriFlow's 2026 analysis, the average website scores 52 out of 100 on security — and 73% are missing basic XSS protection. Fixing just three headers raises the average score by 24 points."
— ZeriFlow Security Research, May 2026
Full Breakdown
The complete failure-rate table
Every security check run by ZeriFlow, ranked by how often sites fail it. Data from 10,000+ scans conducted between January and May 2026.
Content-Security-Policy missing (73% of scanned sites)
X-Frame-Options missing (61%)
Cookies without Secure flag
HSTS missing or weak (48%)
Tech stack exposed
DMARC failing (38%)
Weak TLS ciphers
SPF missing or permissive
Risk levels follow OWASP classification guidelines. "High" indicates potential for data breach, session hijacking, or domain spoofing.
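The DMARC and SPF rows above (and the 38% DMARC finding earlier in the report) describe a check that is easy to reproduce. The following is an added example, not ZeriFlow's scanner: it takes the TXT records a DNS lookup would return for a domain and for its _dmarc subdomain and classifies SPF as missing, permissive or passing and DMARC as missing, monitor-only or enforced. The thresholds (for instance, treating p=none as weak and "+all" as permissive) are this example's own assumptions, not ZeriFlow's scoring rules, and the records in SAMPLE_TXT are constructed, not real DNS data.

```javascript
// Added example, not ZeriFlow's scanner. Classifies SPF and DMARC TXT records.
// SAMPLE_TXT is a constructed stand-in for DNS answers, keyed by queried name.
const SAMPLE_TXT = {
  'example.com': ['v=spf1 include:_spf.example.net -all', 'site-verification=abc123'],
  '_dmarc.example.com': ['v=DMARC1; p=reject; rua=mailto:dmarc@example.com'],
  'weak.example': ['v=spf1 a mx +all'],
  '_dmarc.weak.example': ['v=DMARC1; p=none; rua=mailto:reports@weak.example'],
  'nodmarc.example': ['v=spf1 a mx ~all'], // no _dmarc record at all
  'twospf.example': ['v=spf1 mx -all', 'v=spf1 ip4:192.0.2.10 -all'],
  '_dmarc.twospf.example': ['v=DMARC1; rua=mailto:x@twospf.example'], // no p= tag
};

// SPF: exactly one record starting with v=spf1; the `all` qualifier decides how
// senders that match nothing else are treated. "+all", "?all" or no `all` term
// lets any host send as the domain, which is what "permissive" means here.
function evaluateSpf(txtRecords) {
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r.trim()));
  if (spf.length === 0) return { status: 'fail', reason: 'no SPF record' };
  if (spf.length > 1) return { status: 'fail', reason: 'multiple SPF records (permerror)' };
  const terms = spf[0].trim().split(/\s+/).slice(1);
  const all = terms.map((t) => /^([+\-~?]?)all$/i.exec(t)).find(Boolean);
  if (!all) {
    // redirect= hands the decision to another domain's record; needs a second lookup.
    if (terms.some((t) => /^redirect=/i.test(t))) {
      return { status: 'unknown', reason: 'policy delegated via redirect=' };
    }
    return { status: 'permissive', reason: 'no all term; unmatched senders are neutral' };
  }
  const q = all[1] || '+'; // a bare "all" means "+all"
  if (q === '-') return { status: 'pass', reason: '-all: unauthorised senders hard-fail' };
  if (q === '~') return { status: 'pass', reason: '~all: unauthorised senders soft-fail' };
  return { status: 'permissive', reason: `${q}all: any host may send as this domain` };
}

// DMARC: one record at _dmarc.<domain> starting with v=DMARC1 and carrying a p= tag.
// p=none only requests reports; quarantine/reject actually act on spoofed mail.
function evaluateDmarc(txtRecords) {
  const dm = txtRecords.filter((r) => /^v=DMARC1\b/i.test(r.trim()));
  if (dm.length === 0) return { status: 'fail', reason: 'no DMARC record' };
  if (dm.length > 1) return { status: 'fail', reason: 'multiple DMARC records' };
  const tags = {};
  for (const part of dm[0].split(';')) {
    const [k, ...rest] = part.split('=');
    if (k && rest.length) tags[k.trim().toLowerCase()] = rest.join('=').trim().toLowerCase();
  }
  const p = tags.p;
  if (!['none', 'quarantine', 'reject'].includes(p)) {
    return { status: 'fail', reason: 'missing or invalid p= tag', policy: p };
  }
  if (p === 'none') return { status: 'weak', reason: 'p=none monitors only', policy: p };
  return { status: 'pass', reason: `p=${p} enforced`, policy: p };
}

// Run both checks for one domain against a TXT-lookup table.
function auditDomain(domain, txt) {
  return {
    spf: evaluateSpf(txt[domain] || []),
    dmarc: evaluateDmarc(txt[`_dmarc.${domain}`] || []),
  };
}
```

In a real scan the two arrays would come from TXT queries for the domain and for `_dmarc.` plus the domain; everything else is pure string handling, so the classification can be unit-tested offline as above. Note that a passing SPF record can still exceed the ten-lookup limit through nested include: terms, which this example does not resolve.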
AI-Generated Code
The vibe coding security gap
ZeriFlow scanned a large sample of apps shipped with AI-assisted tools — Cursor, Lovable, Bolt, and v0. The security gap is measurable and consistent.
18%
Score below 40/100
Nearly 1 in 5 vibe-coded apps falls in the critical range — compared to 9% across all scanned sites.
#1
Missing security headers
CSP, X-Frame-Options, and HSTS are almost never configured in AI-generated app scaffolding.
#2
Cookies without Secure flag
Session cookies generated by AI templates frequently lack both the Secure and HttpOnly flags.
According to ZeriFlow's 2026 analysis, the most frequent issue in apps built with AI coding tools is the complete absence of security headers. AI models are trained on code that works, not code that is hardened. As a result, apps scaffolded by Cursor, Lovable, Bolt, and v0 ship without the handful of lines of Next.js headers() configuration that would immediately raise their score by 20+ points. The fix takes minutes; most developers simply never learn it from the AI, because the generated scaffold never prompts them to.
Built your app with an AI tool? Run a free scan to see exactly where it stands.
By Hosting Platform
Your hosting choice affects your baseline score
According to ZeriFlow's 2026 scan data, the platform a site is hosted on is a strong predictor of its security score — even before any developer configuration.
Vercel (Best): better default security headers out of the box. Average score: 61/100
VPS / dedicated: varies widely, depends on developer configuration. Average score: 55/100
Shared hosting (Lowest): limited header control, older TLS defaults. Average score: 38/100
Why does Vercel score higher? Vercel's platform enforces HTTPS by default, sets HSTS on all deployments, and the Next.js framework encourages security-header configuration. Sites on shared hosting tend to run on older stacks with weaker TLS defaults and no mechanism to enforce custom response headers globally. Even on the best-scoring platform, though, the 61/100 average shows that the platform default covers HSTS but not CSP or X-Frame-Options; those remain the developer's job.
The Fix
Three changes. +24 points.
According to ZeriFlow scan data, fixing the three most common misconfigurations raises the average site score by 24 points — from 52 to 76. Here is what those fixes are.
Add a Content-Security-Policy
A CSP header tells the browser which scripts, styles, and other resources it may load. A policy whose script-src does not include 'unsafe-inline' blocks the injected inline scripts behind most reflected and stored XSS; a policy that allows 'unsafe-inline' or a wildcard source is little better than none. Deploy it as Content-Security-Policy-Report-Only first and switch to the enforcing header once the violation reports are clean. Missing on 73% of scanned sites.
Enable HSTS with a long max-age
HSTS (Strict-Transport-Security) tells the browser to use HTTPS for every future request to the host for max-age seconds. Set max-age=31536000 (one year) at minimum. The header only takes effect when it is served over HTTPS, and add includeSubDomains only once every subdomain is served over TLS, since it applies to all of them. Missing or weak on 48% of scanned sites.
Set X-Frame-Options or CSP frame-ancestors
Clickjacking attacks embed your site in a hidden iframe. X-Frame-Options: DENY (or SAMEORIGIN) blocks it in every current browser; the CSP frame-ancestors directive is the modern replacement and takes precedence when both headers are present. Missing on 61% of scanned sites, the second most common failure after CSP.
Average score after fixing all three: 76/100
Up from a baseline of 52/100 — a 24-point improvement from three header changes.
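The three fixes above, and the missing Next.js headers configuration the AI-generated-code section describes, come down to one config file. The following is an added example written for this page; it is not ZeriFlow's code and not any project's shipped configuration. It expresses the three headers as a Next.js headers() config and adds a small audit function that reports which of the three a response is missing or has set weakly, so the result can be checked before and after the change. The CSP value is an assumption for an app that serves only first-party scripts and styles; WEAK_RESPONSE is a constructed sample, not a real site's headers.

```javascript
// Added example, not ZeriFlow's code. Three-header Next.js config plus an audit.

const ONE_YEAR = 31536000; // seconds; the minimum HSTS max-age the report recommends

// Strict baseline policy (an assumption for a first-party-only app). Inline
// <script> is blocked; any CDN the app really needs must be added explicitly.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src 'self' data:",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'", // the CSP equivalent of X-Frame-Options: DENY
].join('; ');

// The three headers. reportOnly=true sends CSP in Report-Only mode so an
// existing app can be observed before the policy is enforced.
function securityHeaders({ reportOnly = false } = {}) {
  return [
    {
      key: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
      value: CSP,
    },
    { key: 'Strict-Transport-Security', value: `max-age=${ONE_YEAR}; includeSubDomains` },
    { key: 'X-Frame-Options', value: 'DENY' },
  ];
}

// next.config.js shape: apply the headers to every route.
// In a real project this object is exported with: module.exports = nextConfig;
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders() }];
  },
};

// Audit a response's headers (any name casing) against the three checks.
// Returns the list of failed checks; empty when all three pass.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  const csp = h['content-security-policy'] || '';
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    // script-src governs script execution; default-src is the fallback.
    const dir = /(?:^|;)\s*script-src(?![\w-])([^;]*)/i.exec(csp)
      || /(?:^|;)\s*default-src(?![\w-])([^;]*)/i.exec(csp);
    const src = dir ? dir[1] : '';
    // 'unsafe-inline' without a nonce or hash means injected inline scripts still run.
    if (/'unsafe-inline'/i.test(src) && !/'(nonce-|sha(256|384|512)-)/i.test(src)) {
      findings.push('Content-Security-Policy allows inline scripts');
    }
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('HSTS missing');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');
  }

  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    findings.push('X-Frame-Options / frame-ancestors missing');
  }
  return findings;
}

// Constructed sample: a response that has the headers but sets them weakly.
const WEAK_RESPONSE = {
  'Content-Security-Policy': "default-src * 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
};

// Run the audit against the hardened config, the weak sample, and no headers.
function demo() {
  const hardened = Object.fromEntries(securityHeaders().map((x) => [x.key, x.value]));
  return {
    hardened: auditHeaders(hardened), // []
    weak: auditHeaders(WEAK_RESPONSE),
    none: auditHeaders({}),
  };
}
```

The audit is deliberately stricter than "header present": a CSP with 'unsafe-inline' in script-src and a 300-second HSTS both count as failures, which is the difference between passing a scanner and actually closing the XSS and downgrade paths the report describes.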
FAQ
Common questions about web security
Based on the most frequently asked questions from ZeriFlow users after reading this report.
What percentage of websites have security headers?
According to ZeriFlow's analysis of 10,000+ website scans in 2026, 73% of websites are missing a Content-Security-Policy header, 61% lack X-Frame-Options protection, and 48% do not have HSTS configured. The average security score across all scanned sites is 52 out of 100.
How secure are AI-generated websites?
ZeriFlow data shows that 18% of apps built with AI coding tools (Cursor, Lovable, Bolt, v0) score below 40/100 on security. The most common issues in AI-generated code are missing security headers, misconfigured CORS, and cookies without Secure or HttpOnly flags.
What is the most common website security vulnerability in 2026?
The most common web security misconfiguration in 2026 is a missing Content-Security-Policy (CSP) header, absent on 73% of websites scanned by ZeriFlow. CSP mitigates cross-site scripting (XSS) by restricting which scripts the browser is allowed to execute on a page.
What security score is considered good for a website?
A ZeriFlow security score above 75/100 is considered good. Scores above 90 are excellent. The average across all scanned sites is 52/100. Fixing the three most common issues — Content-Security-Policy, HSTS, and X-Frame-Options — raises the average score by 24 points.
Methodology
This report is based on aggregated, anonymized data from 10,000+ website scans processed by the ZeriFlow security scanner between January 2026 and May 2026. Scans cover 80+ security checks across 12 categories including TLS configuration, HTTP security headers, cookie attributes, DNS and email authentication (SPF, DKIM, DMARC), content security, and information disclosure. Scores are computed using a weighted additive model with a discrimination curve. Individual site data is never disclosed. Percentages are rounded to the nearest whole number.
See how your site scores — free scan in 60 seconds
Run 80+ security checks on your site. Get a score out of 100 with exact, prioritized fixes. No sign-up required to start.
Free forever · No credit card · Results in under 60 seconds