With the World Cup in full swing, we got curious: how well configured are the official stadium websites for the 16 host venues across the US, Canada and Mexico? So we ran a FIFA World Cup 2026 stadium security scan on all of them.
TL;DR: every single stadium site had a weak or missing Content-Security-Policy header. Half had HSTS problems. One had a session cookie with zero protections. High traffic does not mean high security.
Methodology
We scanned the official website for each of the 16 confirmed FIFA World Cup 2026 host venues, checking TLS/SSL, security headers, cookie security, DNS hardening and exposed paths. Each site gets an A–F grade. Scans were run on July 3, 2026, a single point-in-time snapshot.
Results
| Venue | City | Grade | Score |
|---|---|---|---|
| MetLife Stadium | East Rutherford, NJ | A | 90 |
| AT&T Stadium | Dallas, TX | C- | 55 |
| SoFi Stadium | Los Angeles, CA | C | 62 |
| Lumen Field | Seattle, WA | A- | 85 |
| Mercedes-Benz Stadium | Atlanta, GA | B- | 71 |
| NRG Park | Houston, TX | D | 54 |
| Kansas City World Cup site | Kansas City, MO | D | 54 |
| Hard Rock Stadium | Miami, FL | D | 47 |
| Lincoln Financial Field | Philadelphia, PA | B+ | 80 |
| Levi's Stadium | Santa Clara, CA | C | 62 |
| Gillette Stadium | Foxborough, MA | A- | 85 |
| BC Place | Vancouver, Canada | B- | 72 |
| BMO Field | Toronto, Canada | A- | 86 |
| Estadio Banorte (formerly Azteca) | Mexico City, Mexico | B+ | 80 |
| Estadio Akron | Guadalajara, Mexico | C | 62 |
| Estadio BBVA | Monterrey, Mexico | A- | 85 |
What stood out
CSP, across the board, is weak. Six of 16 sites had no Content-Security-Policy at all. The rest mostly had frame-ancestors 'self' and nothing else, which stops clickjacking but leaves script execution, the thing CSP is mainly for, completely unrestricted.
HSTS is inconsistent. Nine sites had missing or weak HSTS. BC Place's max-age was set to 5 minutes. Six sites nailed it, so the fix is clearly known, just not applied everywhere.
Hard Rock Stadium had the one real high-severity finding. Its session cookie was missing Secure, HttpOnly and SameSite simultaneously, so it can be sent over plain HTTP, read by page script and attached to cross-site requests, a meaningfully different risk from a missing header.
The dedicated tournament microsite scored worst. Kansas City's official World Cup site (not the arena's own domain) tied for the lowest grade in the set.
Only one site had DNSSEC enabled (Lincoln Financial Field), which tracks with how rare DNSSEC adoption is generally.
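The three header findings above (a CSP that only sets frame-ancestors, an HSTS max-age of a few minutes, and a session cookie with no Secure/HttpOnly/SameSite) are the kind of thing a small checker can flag from a single response. The script below is an added example written for this post, not the Guardr scanner and not code from any stadium site; the three sample responses are constructed, and the one-year HSTS floor and the severity labels are this example's own assumptions.

```python
"""Header-hygiene checker for CSP, HSTS and cookie attributes.

Added illustration only. Not the Guardr scanner. The SAMPLES below are
constructed responses, not captures from any stadium website.
"""
import re
from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; assumed floor for a useful HSTS max-age


@dataclass
class Finding:
    check: str      # "csp", "hsts" or "cookie"
    severity: str   # "high", "medium" or "low" (labels chosen for this example)
    detail: str


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers: dict) -> list:
    csp = headers.get("content-security-policy")
    if csp is None:
        return [Finding("csp", "medium", "no Content-Security-Policy header")]
    policy = parse_csp(csp)
    findings = []
    # frame-ancestors alone stops framing (clickjacking) but says nothing about scripts
    if "script-src" not in policy and "default-src" not in policy:
        findings.append(Finding("csp", "medium",
                                "CSP has no script-src or default-src; script execution is unrestricted"))
    for directive in ("script-src", "default-src"):
        srcs = policy.get(directive, [])
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append(Finding("csp", "low", f"{directive} allows 'unsafe-inline' without a nonce or hash"))
    return findings


def check_hsts(headers: dict) -> list:
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return [Finding("hsts", "medium", "no Strict-Transport-Security header")]
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m:
        return [Finding("hsts", "medium", "HSTS header has no max-age")]
    max_age = int(m.group(1))
    findings = []
    if max_age < ONE_YEAR:
        findings.append(Finding("hsts", "medium", f"HSTS max-age={max_age}s is below one year"))
    if "includesubdomains" not in hsts.lower():
        findings.append(Finding("hsts", "low", "HSTS lacks includeSubDomains"))
    return findings


def check_cookies(set_cookie_values: list) -> list:
    findings = []
    for raw in set_cookie_values:
        name = raw.split("=", 1)[0].strip()
        # everything after the first ';' is an attribute such as Secure or SameSite=Lax
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if not missing:
            continue
        # all three absent at once: sent over http, readable by script, sent cross-site
        severity = "high" if len(missing) == 3 else "low"
        findings.append(Finding("cookie", severity, f"cookie {name!r} missing {', '.join(missing)}"))
    return findings


def scan(headers: dict, cookies: list) -> list:
    """Run all three checks over one response's headers and Set-Cookie values."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return check_csp(lowered) + check_hsts(lowered) + check_cookies(cookies)


# Constructed sample responses (not real sites).
SAMPLES = {
    "well_configured": ({
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    }, ["sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    "frame_ancestors_only": ({
        "Content-Security-Policy": "frame-ancestors 'self'",
        "Strict-Transport-Security": "max-age=300",
    }, []),
    "bare_session_cookie": ({}, ["PHPSESSID=xyz; Path=/"]),
}


def scan_sample(name: str) -> list:
    headers, cookies = SAMPLES[name]
    return scan(headers, cookies)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for f in scan_sample(sample):
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

The checks are deliberately conservative: a policy with only frame-ancestors is reported as "no script-src or default-src" rather than "no CSP", and a cookie loses its high rating only when all three protections are absent, which matches the distinction the post draws between a missing header and a fully unprotected session cookie.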
Takeaway
None of this is exotic or hard to fix. It is the same handful of misconfigurations that show up on client sites everywhere: missing CSP, weak HSTS, unprotected cookies. High-profile does not mean well-configured unless someone is actually watching for it.
Guardr combines security header scanning with uptime monitoring for people managing multiple sites. The scanner used for this post is free, no signup required.
What would you expect to find if you scanned your own client sites right now? Anyone want to share a surprising result?