DEV Community: UPinar

I Scanned the Internet's Top 500 Websites for Security — Only 1% Got an A

UPinar — Sun, 29 Mar 2026 08:15:38 +0000

I built ContrastScan — an open-source security scanner written in C that grades websites A-F across 11 modules: SSL/TLS, HTTP headers, DNS email authentication, CORS, cookies, CSP, and more. Max score: 100 points.

I took the Tranco top 500 most visited domains, filtered out infrastructure-only entries (CDN nodes, DNS servers, API backends with no web frontend), and scanned the remaining 304 websites that had actual web frontends.

The average score was 61 out of 100. A D+.

The Numbers

Grade	Sites	%
A (90-100)	3	1%
B (70-89)	57	19%
C (55-69)	99	33%
D (40-54)	126	41%
F (0-39)	19	6%

3 out of 304 scored an A. The most common grade is D — 41% of the internet's biggest sites live there.

Who's Winning

Site	Score	Grade
discord.com	92	A
media.net	92	A
taboola.com	91	A
stripe.com	88	B
indeed.com	88	B
openai.com	87	B
paypal.com	85	B
salesforce.com	84	B
github.com	82	B
slack.com	81	B

Discord leads — TLS 1.3, all security headers, full SPF/DKIM/DMARC, tight CSP. Stripe and PayPal are right behind, which you'd expect from companies that handle payments.

OpenAI at 87 is a pleasant surprise.

Who's Not

Site	Score	Grade
microsoft.com	38	F
wikipedia.org	41	D
adobe.com	43	D
netflix.com	50	D
twitter.com	51	D
reddit.com	52	D
zoom.us	52	D
dropbox.com	53	D
spotify.com	54	D

Microsoft.com scores an F. The company that sells Azure Security Center, Microsoft Defender, and enterprise security consulting — their own homepage fails a basic security scan.

Wikipedia — the 7th most visited site on earth — gets a D.

Netflix, Twitter, Reddit, Zoom, Dropbox, Spotify — all D.

The Full Leaderboard

discord.com      ██████████████████████████████████████████████ 92 A
stripe.com       ████████████████████████████████████████████   88 B
paypal.com       ██████████████████████████████████████████     85 B
salesforce.com   ████████████████████████████████████████████   84 B
github.com       █████████████████████████████████████████      82 B
slack.com        ████████████████████████████████████████       81 B
oracle.com       ████████████████████████████████████████       80 B
booking.com      █████████████████████████████████              67 C
youtube.com      █████████████████████████████████              67 C
facebook.com     █████████████████████████████████              66 C
whatsapp.com     ███████████████████████████████                62 C
instagram.com    ██████████████████████████████                 60 C
linkedin.com     ██████████████████████████████                 60 C
apple.com        █████████████████████████████                  59 D
amazon.com       ████████████████████████████                   56 D
telegram.org     ███████████████████████████                    55 D
ibm.com          ███████████████████████████                    54 D
spotify.com      ███████████████████████████                    54 D
dropbox.com      ██████████████████████████                     53 D
reddit.com       ██████████████████████████                     52 D
zoom.us          ██████████████████████████                     52 D
twitter.com      █████████████████████████                      51 D
netflix.com      █████████████████████████                      50 D
adobe.com        █████████████████████                          43 D
wikipedia.org    ████████████████████                           41 D
microsoft.com    ███████████████████                            38 F

Where Sites Lose the Most Points

Missing Security Headers

The biggest problem across the board. Out of 304 sites:

Header	Missing	%
Permissions-Policy	252	83%
Referrer-Policy	231	76%
Content-Security-Policy	185	61%
X-Content-Type-Options	151	50%
X-Frame-Options	150	49%
Strict-Transport-Security	104	34%

83% don't set Permissions-Policy. Without it, any third-party script on your page (analytics, ads, chat widgets) can access your visitors' camera, microphone, and geolocation.

61% have no CSP — the single most effective defense against XSS.

HSTS has been a best practice since 2012. 34% of top sites still don't use it.

Module Breakdown

How each security module scored on average:

Module	Avg Score	Max	%
CORS	4.8	5	96%
HTML Analysis	4.2	5	85%
DNS (Email Auth)	11.9	15	80%
Cookies	3.8	5	77%
Info Disclosure	3.6	5	72%
SSL/TLS	10.1	20	51%
Headers	9.9	25	40%
CSP Analysis	0.4	2	21%

Headers and CSP are where the internet bleeds points. CORS and HTML are generally fine — most sites don't expose dangerous CORS configurations.

Email Authentication

Record	Present	%
DMARC	268	88%
SPF	267	88%
DKIM	191	63%

SPF and DMARC adoption is strong. But 37% of top sites don't have DKIM — which means their emails can be spoofed without cryptographic detection.

Vulnerability Count

Each scan produces findings with severity ratings:

Severity	Total	Per site
Critical	139	0.5
High	482	1.6
Medium	846	2.8
Low	988	3.2

46% of the top sites have at least one critical finding. Most common: missing or broken TLS.

The average site has 8 security findings. Even Discord (our #1) has a few low-severity items.

Five Takeaways

1. You can beat 83% of the internet in 5 minutes.
Add these 6 headers to your nginx/Apache config and you're ahead of almost everyone:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

2. CSP is hard — but worth it.
61% of top sites skip it. It's complex to implement without breaking things. Start with default-src 'self' in report-only mode, watch the violations, and tighten gradually.

3. DKIM is the gap in email security.
SPF and DMARC are at ~88%. DKIM is at 63%. If you run email, configure all three.

4. Big brand ≠ good security.
Microsoft scores lower than a random ad network. Security configuration is an afterthought even at companies that literally sell security products.

5. The bar is embarrassingly low.
Score above 70 and you're in the top 20% of the internet. That's an afternoon of work — nginx config changes, a Let's Encrypt cert, and three DNS records.

Scan Your Site

Free scan: contrastcyber.com
API: GET https://contrastcyber.com/api/scan?domain=yoursite.com
Source: github.com/UPinar/contrastscan — C + Python, MIT license
Security API: api.contrastcyber.com — CVE lookup, domain intel, code security

Written in C — a full 11-module scan completes in under 1 second.

Data: March 29, 2026. Scanner: ContrastScan v1.0. Source: Tranco top 500. 196 entries were infrastructure-only domains (CDN nodes, DNS servers, API backends) with no web frontend — excluded from analysis.

Note: Some large enterprises intentionally omit certain headers due to CDN constraints or scale-specific trade-offs. A lower score doesn't always mean the site is insecure — but it does mean observable security signals are weaker.

I hardened my Hetzner VPS from scratch — here's everything I did (and the tools I built along the way)

UPinar — Sat, 28 Mar 2026 00:16:46 +0000

I run a production server on Hetzner (Ubuntu 24.04) and get hit with thousands of attack attempts daily. After 3 months of hardening, I've blocked 8,000+ IPs from 132 countries with zero successful intrusions.

Here's every step I applied, what actually worked, and the open-source tools I built to make it easier.

1. SSH (biggest single impact)

# /etc/ssh/sshd_config
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers myuser

Moving SSH port sounds like security through obscurity, but it dropped 90% of automated scans overnight. Real attackers scan all ports anyway — this just filters out the lazy bots.

2. Firewall + IP blacklisting

# Create ipset blacklist
ipset create blacklist_set hash:ip hashsize 65536 maxelem 131072

# Add to iptables
iptables -I INPUT -m set --match-set blacklist_set src -j DROP

# Atomic swap for zero-downtime updates
ipset create blacklist_tmp hash:ip hashsize 65536 maxelem 131072
# ... populate blacklist_tmp ...
ipset swap blacklist_tmp blacklist_set
ipset destroy blacklist_tmp

~8,000 IPs blocked and growing. ipset gives you O(1) lookup regardless of list size — regular iptables chains would crawl at this scale.

3. fail2ban (custom jails)

# /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 1
bantime = -1
action = %(action_)s
         ipset-blacklist

maxretry=1 — sounds aggressive, zero false positives in 3 months with key-only auth
bantime = -1 — permanent ban
7 jails: SSH + 5 nginx patterns + Suricata integration
Bans feed into ipset automatically

4. Suricata IDS

# Suricata + fail2ban integration
# /etc/fail2ban/filter.d/suricata.conf
[Definition]
failregex = \[.*\] .* \[Priority: [12]\] .* <HOST>

Running in IDS mode with ~32K rules. The integration chain: Suricata detects → fail2ban bans → ipset blocks. Each layer feeds the next.

5. nginx hardening

# block-exploits.conf — 37+ patterns, silent drop
location ~* (\.env|wp-login|phpMyAdmin|\.git|\.sql|/admin) {
    return 444;
}

# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Status 444 = nginx closes the connection silently. No response body, no headers, no information leakage. Bots get nothing.

6. File integrity + Kernel hardening

# AIDE — monitors ~210K files
aide --init
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Daily cron checks for unauthorized changes

# /etc/sysctl.d/99-hardening.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

Aligned with CIS benchmarks. SYN cookies alone prevent most SYN flood attempts.

7. Real-time monitoring

Telegram bot sends instant alerts for every ban:

fail2ban [sshd]
IP: 45.133.xx.xx
Action: Ban
Time: 2026-03-27 14:32:01

Plus a custom status script — uptime, disk, fail2ban stats, SSL expiry, recent attacks — all in one command.

Results after 3 months

Metric	Value
IPs blocked	8,000+
Countries	132
Successful intrusions	0
False positives (SSH)	0
Avg server load	Minimal

The tool I built to verify all this

After setting everything up, I wanted a quick way to check if my headers, SSL, and DNS were actually correct.

Every existing tool was either:

Enterprise SaaS with a sales call
A CLI that dumps 200 lines of raw output
Free but limited to SSL-only

So I built ContrastScan — a free, open-source security scanner. Paste a domain, get an A-F grade covering 11 checks in under 3 seconds.

ContrastScan — Free Security Scanner

Scan any domain in seconds. Get an A-F security grade covering 11 security checks. Free, no signup required.

contrastcyber.com

The core scanner is 2,300 lines of C — raw TCP handshakes for SSL, direct DNS queries via libresolv, HTTP header parsing with libcurl. No frameworks, no runtime bloat.

What it checks

Module	Points	What It Checks
Security Headers	25	CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
SSL/TLS	20	Protocol version, cipher strength, cert validity
DNS Security	15	SPF, DKIM, DMARC
HTTPS Redirect	8	HTTP → HTTPS redirect
Info Disclosure	5	Server/X-Powered-By exposure
Cookie Security	5	Secure, HttpOnly, SameSite
DNSSEC	5	DNS response signatures
HTTP Methods	5	TRACE, DELETE, PUT detection
CORS	5	Cross-origin misconfig
HTML Analysis	5	Mixed content, inline scripts, SRI
CSP Analysis	2	unsafe-inline, unsafe-eval, wildcards

It also runs passive recon in the background: WHOIS, tech stack detection, WAF fingerprinting, subdomain enumeration, and subdomain takeover detection (checks for dangling CNAMEs across 30 services like GitHub Pages, Heroku, AWS S3, Netlify).

API access

# JSON
curl "https://contrastcyber.com/api/scan?domain=yourdomain.com"

# Text report
curl "https://contrastcyber.com/api/report?domain=yourdomain.com" -o report.txt

For AI agents (MCP)

I also built ContrastAPI — 20 security tools in one API:

claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp

CVE lookup, domain recon, tech fingerprinting, IP reputation, code security — no key required.

What surprised me

Moving SSH port had more impact than any other single change. Not "real" security, but eliminates 90% of log noise.

Most attacks are dumb bots. 95% hit wp-login.php on a server that doesn't run WordPress.

maxretry=1 is not aggressive. With key-only SSH, a single failed attempt is always suspicious.

A single grade changes behavior. Raw headers → eyes glaze over. "Grade: D" → they want to fix it immediately.

Stack

Layer	Tech
Scanner	C (libcurl, openssl, libresolv, cJSON)
Backend	Python, FastAPI, SQLite
API	Python, FastAPI, MCP
Frontend	Vanilla HTML/CSS/JS
Infra	Hetzner VPS, nginx, systemd, Let's Encrypt
Security	fail2ban, Suricata, ipset, AIDE

No Docker. No Kubernetes. One VPS, two systemd services.

Try it

Scan your domain: contrastcyber.com
API: api.contrastcyber.com
Source: github.com/UPinar/contrastscan

No signup, no API key. Happy to answer questions about any of these steps.

I Built a Security Scanner in C That Grades Any Website A-F — Here's How

UPinar — Fri, 27 Mar 2026 12:10:52 +0000

You paste a domain. Ten seconds later you get a single grade — A through F — covering 11 security checks.

No signup. No API key. Just a URL.

Try it right now → contrastcyber.com

Why I Built This

Every security scanner I found was either:

Enterprise SaaS with a sales call
A CLI tool that dumps 200 lines of raw output
Free but limited to SSL-only

I wanted something that gives a single, opinionated score — like a credit score for your server's security posture. Something a developer can run in 10 seconds and immediately know where they stand.

So I wrote one from scratch. In C.

The Scanner: 2,300 Lines of C

The core scanner is a single C binary. No frameworks, no runtime dependencies beyond libcurl, openssl, libresolv, and cJSON.

It runs 11 checks and scores them out of 100:

Module	Points	What It Checks
Security Headers	25	CSP, HSTS, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy
SSL/TLS	20	Protocol version, cipher strength, certificate validity
DNS Security	15	SPF, DKIM, DMARC
HTTPS Redirect	8	HTTP → HTTPS automatic redirect
Info Disclosure	5	Server header, X-Powered-By exposure
Cookie Security	5	Secure, HttpOnly, SameSite flags
DNSSEC	5	DNS response signature verification
HTTP Methods	5	Dangerous methods (TRACE, DELETE, PUT)
CORS	5	Cross-origin misconfiguration
HTML Analysis	5	Mixed content, inline scripts, SRI, form security
CSP Analysis	2	Deep Content Security Policy inspection

The output is a single JSON object:

$ ./contrastscan example.com

{
  "domain": "example.com",
  "total_score": 85,
  "max_score": 100,
  "grade": "B",
  "headers": { "score": 20, "max": 25 },
  "ssl": { "score": 20, "max": 20 },
  "dns": { "score": 15, "max": 15 },
  ...
}

Why C?

Speed and control. The scanner does raw TCP handshakes for SSL checks, direct DNS queries via libresolv, and HTTP header parsing with libcurl. A full scan completes in under 3 seconds. No garbage collector, no startup time, no 400MB node_modules.

#include <curl/curl.h>
#include <openssl/ssl.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <cjson/cJSON.h>

// That's it. Five libraries. 2,300 lines. 11 modules.

The Web App

The C scanner is wrapped in a Python FastAPI backend that handles:

Domain validation & sanitization
Rate limiting (60 scans/hour per IP)
SQLite scan storage
HTML report rendering
SVG grade badges for README files
Async passive reconnaissance (WHOIS, tech stack, WAF detection, subdomains)

The frontend is pure HTML/CSS/JS — no React, no build step. When you submit a scan, you get an animated progress overlay showing each module completing in real-time, then the full result page.

API Access

Every scan is also available as JSON:

curl "https://contrastcyber.com/api/scan?domain=example.com"

Or download a plain text report:

curl "https://contrastcyber.com/api/report?domain=example.com" -o report.txt

Going Deeper: ContrastAPI

After building the scanner, I wanted more. CVE intelligence. Code analysis. Domain reconnaissance at scale.

So I built ContrastAPI — a full security intelligence API with 13 endpoints:

CVE Intelligence

# Search CVEs by keyword
curl "https://api.contrastcyber.com/v1/cve/search?q=apache&limit=5"

# Get EPSS score (exploitation probability)
curl "https://api.contrastcyber.com/v1/cve/CVE-2024-3094/epss"

# Check if it's in CISA KEV (Known Exploited Vulnerabilities)
curl "https://api.contrastcyber.com/v1/cve/CVE-2024-3094/kev"

Domain Recon

# Full domain intelligence
curl "https://api.contrastcyber.com/v1/domain/example.com"

Returns DNS records, WHOIS data, SSL certificate details, subdomains, WAF detection, and technology stack — all in one call.

Code Security

# Check code for secrets, injection, misconfigurations
curl -X POST "https://api.contrastcyber.com/v1/code/check" \
  -H "Content-Type: application/json" \
  -d '{"code": "password = \"admin123\"", "language": "python"}'

MCP Support (for AI Agents)

ContrastAPI is also an MCP server. If you use Claude, Cursor, or any MCP-compatible AI tool:

{
  "mcpServers": {
    "contrastapi": {
      "url": "https://mcp.contrastcyber.com/mcp"
    }
  }
}

Your AI agent gets 19 security tools — CVE lookup, domain recon, code scanning — without writing any integration code.

Numbers

2,287 lines of C (scanner)
905 tests across both projects
340K+ CVEs indexed with EPSS scores
1,500+ CISA KEV entries
11 security checks, 100-point scoring
< 3 seconds per scan
$0 cost to use

Stack

Layer	Tech
Scanner	C (gcc, libcurl, openssl, libresolv, cJSON)
Web Backend	Python, FastAPI, SQLite
API Platform	Python, FastAPI, SQLite, MCP SDK
Frontend	Vanilla HTML/CSS/JS
Server	Hetzner VPS, nginx, systemd, Let's Encrypt
Security	fail2ban, Suricata IDS, ipset, AIDE

No Docker. No Kubernetes. No cloud functions. One VPS, two systemd services, done.

What I Learned

1. C is underrated for web tooling. Everyone reaches for Python or Go. But when you need to do raw TLS handshakes and DNS queries, C gives you direct access to the system libraries that are already there. No wrappers, no abstractions.

2. A single score changes behavior. When I show someone a wall of security headers, they glaze over. When I show them "Grade: D", they immediately want to fix it. Opinionated scoring works.

3. Ship the smallest thing that's useful. The first version had 3 checks. Now it has 11. But the first version was already useful — SSL + headers + DNS covers 60% of what matters.

4. MCP is a distribution channel. Adding MCP support to ContrastAPI took a day. Now any AI agent can use it as a security toolkit. That's distribution I didn't have to build.

Try It

Scan a domain: contrastcyber.com
API docs: contrastcyber.com/api
Full API platform: api.contrastcyber.com
Source code: github.com/UPinar/contrastscan

No signup, no API key, no paywall. Scan something and tell me what you think.

I'm a solo developer building security tools. If you have feedback or feature requests, drop a comment or reach out at contact@contrastcyber.com.