
Alarming Lack Of Cybersecurity Practices On World’s Most Popular Websites

An investigation has revealed that many of the world’s most popular websites are lacking in basic cybersecurity hygiene. The research, conducted by our team, focused on HTTP security headers, which are often overlooked by developers. These headers are instructions on how the browser should interact with the webpage, helping to protect sites from a variety of attacks like clickjacking and ensuring secure connections.

Our research team analyzed the top 100 most visited websites, including popular sites like Pinterest, IMDB, Facebook, PayPal, Wikipedia, and AliExpress, among others. The findings were concerning, as many of these websites could significantly improve their security measures.

HTTP security headers are particularly useful against client-side attacks, which exploit security flaws on the user’s device to gain unauthorized access, steal information, or perform other malicious activities. The most common of these attacks are phishing, cross-site scripting (XSS), and man-in-the-middle (MITM) attacks, the latter typically occurring on free public Wi-Fi or other open networks.

The research revealed that 34% of the tested websites lack the X-Frame-Options security header, which protects against clickjacking. Additionally, 50% of the websites lack the Content-Security-Policy (CSP) header, used to mitigate attacks like XSS and data injection. Furthermore, 76% of the websites lack the Referrer-Policy security header, which controls how much information about the originating URL is shared with a linked resource, enhancing privacy and reducing potential information leakage. A staggering 88% of the tested websites lack the Permissions-Policy header, which allows web developers to control and manage the browser’s permissions for various features and APIs. Moreover, 33% of the websites lack the X-Content-Type-Options security header, which prevents MIME-sniffing attacks, and 18% lack the Strict-Transport-Security (HSTS) header, which instructs the browser to only connect to a website using HTTPS.
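A small audit routine for the six headers named above, added here as an example and not part of the study or the article: it reports which of the headers a response lacks and also flags values that are present but ineffective (an unknown X-Frame-Options value, a non-nosniff X-Content-Type-Options, or an HSTS max-age under one year). The two sample responses are constructed and are not measurements from the study.

```python
# Added example (not from the article): audit one HTTP response's headers for the
# six headers the study counted, and flag present-but-ineffective values.
import re

# Header -> the attack class the article says it mitigates.
REQUIRED = {
    "x-frame-options": "clickjacking",
    "content-security-policy": "XSS / data injection",
    "referrer-policy": "referrer information leakage",
    "permissions-policy": "unrestricted browser feature access",
    "x-content-type-options": "MIME sniffing",
    "strict-transport-security": "HTTP downgrade / MITM",
}

def audit_headers(headers: dict) -> list:
    """Return findings (missing or weak headers); an empty list means all six are present and sane."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {n} ({risk})" for n, risk in REQUIRED.items() if n not in h]
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):  # browsers ignore unknown values
        findings.append(f"weak x-frame-options: {xfo}")
    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):  # only 'nosniff' is defined
        findings.append("weak x-content-type-options: " + h["x-content-type-options"])
    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m:
            findings.append("weak strict-transport-security: no max-age")
        elif int(m.group(1)) < 31536000:  # under one year gives little downgrade protection
            findings.append(f"weak strict-transport-security: max-age={m.group(1)} (< 1 year)")
    return findings

# Constructed sample responses (not measurements from the study).
WEAK_SITE = {"X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=300"}
HARDENED_SITE = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Feed it the header dictionary from any HTTP client's response object to check a site you operate; the same checks apply to headers set at a CDN or reverse proxy rather than the origin.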

The lack of these security headers could lead to danger not only for web application owners but also for users visiting the websites. By implementing these headers, website administrators can effectively protect users from various types of attacks and enhance the overall security of their websites.

Kernel Reporter

The Kernel Media exists to present responsibly sourced information about the nature of existence. Responsibly sourced, verified information about our world is the backbone of humanity’s progress, and we aim to contribute to this progress with such info.
