Guardr

Posted on DEV Community • Originally published at guardr.io

FIFA World Cup 2026 Stadium Security Scan

With the World Cup in full swing, we got curious: how well configured are the official stadium websites for the 16 host venues across the US, Canada and Mexico? So we ran a FIFA World Cup 2026 stadium security scan on all of them.

TL;DR: every one of the 16 stadium sites had a weak or missing Content-Security-Policy header. Nine had missing or weak HSTS. One set a session cookie with none of the Secure, HttpOnly or SameSite attributes. High traffic does not mean high security.

Methodology

We scanned the official website for each of the 16 confirmed FIFA World Cup 2026 host venues, checking TLS/SSL, security headers, cookie security, DNS hardening and exposed paths. Each site gets an A–F grade and a numeric score. Scans were run on July 3, 2026; the results are a single point-in-time snapshot and may not reflect the sites today.

Results

| Venue | City | Grade | Score |
|---|---|---|---|
| MetLife Stadium | East Rutherford, NJ | A | 90 |
| AT&T Stadium | Dallas, TX | C- | 55 |
| SoFi Stadium | Los Angeles, CA | C | 62 |
| Lumen Field | Seattle, WA | A- | 85 |
| Mercedes-Benz Stadium | Atlanta, GA | B- | 71 |
| NRG Park | Houston, TX | D | 54 |
| Kansas City World Cup site | Kansas City, MO | D | 54 |
| Hard Rock Stadium | Miami, FL | D | 47 |
| Lincoln Financial Field | Philadelphia, PA | B+ | 80 |
| Levi's Stadium | Santa Clara, CA | C | 62 |
| Gillette Stadium | Foxborough, MA | A- | 85 |
| BC Place | Vancouver, Canada | B- | 72 |
| BMO Field | Toronto, Canada | A- | 86 |
| Estadio Banorte (formerly Azteca) | Mexico City, Mexico | B+ | 80 |
| Estadio Akron | Guadalajara, Mexico | C | 62 |
| Estadio BBVA | Monterrey, Mexico | A- | 85 |

What stood out

CSP is weak across the board. Six of 16 sites sent no Content-Security-Policy header at all. Most of the rest sent only frame-ancestors 'self', which stops clickjacking but places no restriction on where scripts may load from or whether inline script may run, and restricting script execution is the job CSP exists for.

HSTS is inconsistent. Nine sites had missing or weak HSTS. BC Place's max-age was set to 5 minutes, so a browser forgets the policy five minutes after its last visit and a returning visitor's first request is once again exposed to a downgrade to plain HTTP. Six sites nailed it, so the fix is clearly known, just not applied everywhere.

Hard Rock Stadium had the one real high-severity finding. Its session cookie was missing Secure, HttpOnly and SameSite at the same time: the cookie can be sent over plain HTTP, read by any script that runs on the page, and attached to cross-site requests. That is a different class of risk from a missing header.
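As an added example (not Guardr's scanner, and not code from the original post), here is a small Python evaluator for the three header-level findings above: it classifies a Content-Security-Policy by whether it actually restricts script execution, checks the HSTS max-age, and lists the protective attributes missing from a Set-Cookie header, then runs the checks over a weak header set and a hardened one. The six-month HSTS floor, the severity labels and the function names are assumptions made for this example; the header values mirror the findings in the post but were constructed here, not captured from any stadium site.

```python
import re

# Floor below which HSTS is rated weak. The preload list requires one year
# (31536000 s); six months is a common scanner floor. Assumption for this
# example, not Guardr's threshold.
HSTS_MIN_AGE = 15_552_000


def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def rate_csp(policy):
    """Classify a CSP by whether it constrains script execution.

    Returns 'missing', 'framing-only', 'no-script-restriction', 'weak' or 'ok'.
    """
    if policy is None:
        return "missing"
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        # frame-ancestors alone blocks clickjacking but says nothing about scripts
        if set(directives) == {"frame-ancestors"}:
            return "framing-only"
        return "no-script-restriction"
    # Per CSP3, 'unsafe-inline' is ignored once a nonce or hash source is present
    nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in sources
    )
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        return "weak"
    if "*" in sources or any(t in ("http:", "https:", "data:") for t in sources):
        return "weak"  # wildcard or scheme-wide sources allow scripts from anywhere
    return "ok"


def rate_hsts(value):
    """Classify Strict-Transport-Security: 'missing', 'invalid', 'weak' or 'ok'."""
    if value is None:
        return "missing"
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    if match is None:
        return "invalid"  # RFC 6797 requires max-age; browsers ignore the header without it
    return "weak" if int(match.group(1)) < HSTS_MIN_AGE else "ok"


def missing_cookie_flags(set_cookie):
    """Return the protective attributes absent from one Set-Cookie header value."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    wanted = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}
    return [label for attr, label in wanted.items() if attr not in attrs]


def audit(headers):
    """Return (severity, message) findings for one response's headers.

    `headers` maps lowercase header names to values; Set-Cookie may be a list
    because one response can carry several cookies.
    """
    findings = []
    csp = rate_csp(headers.get("content-security-policy"))
    if csp != "ok":
        findings.append(("medium", f"Content-Security-Policy is {csp}"))
    hsts = rate_hsts(headers.get("strict-transport-security"))
    if hsts != "ok":
        findings.append(("medium", f"Strict-Transport-Security is {hsts}"))
    cookies = headers.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        missing = missing_cookie_flags(cookie)
        if missing:
            name = cookie.split("=", 1)[0].strip()
            # all three attributes absent at once is the high-severity case described above
            severity = "high" if len(missing) == 3 else "medium"
            findings.append((severity, f"cookie {name} missing {', '.join(missing)}"))
    return findings


# Constructed header sets mirroring the findings in the post; not captured from any site.
WEAK = {
    "content-security-policy": "frame-ancestors 'self'",
    "strict-transport-security": "max-age=300",
    "set-cookie": ["session=abc123; Path=/"],
}
HARDENED = {
    "content-security-policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; frame-ancestors 'self'"
    ),
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or "no findings")
```

The CSP check looks at script-src and falls back to default-src, because that is how a browser resolves the script policy; a policy that sets neither is rated as not restricting scripts no matter how many other directives it carries. The nonce-or-hash rule matters because a policy such as `script-src 'self' 'nonce-...' 'unsafe-inline'` is a deliberate compatibility pattern, not a weakness, and a scanner that flags it produces false positives.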

The dedicated tournament microsite was among the worst. Kansas City's official World Cup site (not the venue's own domain) received a D, tied for the lowest grade in the set.

Only one site had DNSSEC enabled (Lincoln Financial Field), which tracks with how rare DNSSEC adoption is generally.

Takeaway

None of this is exotic or hard to fix. It is the same handful of misconfigurations that show up on client sites everywhere: missing CSP, weak HSTS, unprotected cookies. High-profile does not mean well-configured unless someone is actually watching for it.


Guardr combines security header scanning with uptime monitoring for people managing multiple sites. The scanner used for this post is free, no signup required.

What would you expect to find if you scanned your own client sites right now? Anyone want to share a surprising result?
