Last night I ran external security scans on the public websites of 10 leading Shopify and Shopify
Plus agencies — the same scan any browser or attacker would see. No credentials, no special access.
One agency scored an A. Three scored C- or below. The most common finding appeared on 9 of 10 sites.
TL;DR
- 1 agency scored an A. 3 scored C- or below. 1 scored a D.
- The most common finding — missing security headers — appeared on 9 of 10 sites.
- 5 agencies (Charle, Fyresite, Eastside Co, Swanky and Blubolt) have no HSTS at all.
- One agency has a session cookie without the Secure flag. That is the most concrete finding in the set.
What was scanned
Five categories per domain: TLS (HSTS presence and max-age), security headers (CSP,
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), cookie flags,
DNS hardening (DNSSEC and CAA) and sensitive exposure paths. All scans were run on 23 June 2026.
This covers the agencies' own marketing sites — not the client stores they build.
Results
| Agency | Domain | Score | Grade |
|---|---|---|---|
| 1Digital Agency | 1digitalagency.com | 94 | A |
| Acidgreen | acidgreen.com.au | 77 | B |
| 30 Acres | 30acres.com.au | 76 | B |
| Fourmeta | fourmeta.com | 76 | B |
| Blend Commerce | blendcommerce.com | 76 | B |
| Elkfox | elkfox.com | 76 | B |
| Charle Agency | charleagency.com | 62 | C |
| Fyresite | fyresite.com | 62 | C |
| Eastside Co | eastsideco.com | 58 | C- |
| Swanky Agency | swankyagency.com | 55 | C- |
| Blubolt | blubolt.com | 54 | D |
Per-agency notes
1Digital Agency — A (94)
HSTS at two years, X-Content-Type-Options and Referrer-Policy set correctly, Permissions-Policy
restricting camera, microphone and geolocation, CSP frame-ancestors in place of X-Frame-Options.
Only gap is HSTS missing includeSubDomains.
Acidgreen — B (77)
HSTS with two-year max-age, includeSubDomains and preload — the strongest TLS config in the set.
But CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are all
absent. Worth noting Acidgreen is multi-platform (Shopify Plus, Adobe Commerce, Magento) rather
than Shopify-only.
30 Acres — B (76)
A Shopify Plus Partner agency based in Byron Bay and a certified B Corp. Their site runs on
Shopify itself, which explains the platform-default CSP: `block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests`. It is present, but default-src and script-src are missing. HSTS present, X-Frame-Options DENY, X-Content-Type-Options correct.
Referrer-Policy and Permissions-Policy absent.
Fourmeta — B (76)
HSTS set to one year but missing includeSubDomains. All five security headers absent.
Exposure paths cleanly blocked with 403s.
Blend Commerce — B (76)
Same Shopify-default CSP as 30 Acres and Elkfox. HSTS present but 91-day max-age.
Protocol-relative Shopify CDN script flagged. Referrer-Policy and Permissions-Policy absent.
Elkfox — B (76)
Identical to Blend Commerce. Both run on Shopify, both inherit the same platform CSP baseline.
HSTS short. X-Frame-Options DENY. X-Content-Type-Options correct. Referrer-Policy missing.
Charle Agency — C (62)
HSTS entirely absent. All five security headers missing. Charle is Shopify Plus accredited with
a strong client portfolio — the gap on their own site is notable.
Fyresite — C (62)
Same as Charle. HSTS missing, all five headers absent. Fyresite is a Shopify Premier Partner —
one of 46 in the US. Exposure paths cleanly handled with 403s.
Eastside Co — C- (58)
The most distinctive finding in the set. An authentication session cookie (october_session) is
set without the Secure flag and without SameSite. HSTS is also missing, which compounds it:
without the Secure flag the browser attaches the cookie to any http:// request for the domain,
and without HSTS nothing upgrades that request to HTTPS first, so the session token can transmit
in the clear. (Current Chromium-based browsers treat a cookie with no SameSite attribute as
Lax, so the missing Secure flag is the more serious half of this finding.) CSP absent.
X-Frame-Options and X-Content-Type-Options both present.
Swanky Agency — C- (55)
DNSSEC is enabled — the only agency in this set with it. But HSTS is missing, all five security
headers are absent and two protocol-relative third-party scripts (ShareThis and HubSpot) load
without explicit HTTPS. Inconsistent given the DNS hardening.
Blubolt — D (54)
HSTS missing, all five headers absent, three HubSpot embed scripts loading via protocol-relative
URLs. Blubolt is a Shopify Premier Partner with a strong client track record — this is a gap on
their own marketing site.
Patterns across the 10 sites
The Shopify platform baseline. Three agencies run their own site on Shopify (30 Acres, Blend
Commerce, Elkfox). All three score 76 and share the same CSP: `block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests`. This is what Shopify sets by default. It
is not the same as a properly configured CSP: default-src and script-src are both missing, so the
policy governs framing and mixed content but places no restriction on where scripts load from.
HSTS is the dividing line. Every agency with HSTS present scores B or above. Every agency
without it scores C or below. Five of the agencies (Charle, Fyresite, Eastside Co, Swanky and
Blubolt) have no HSTS at all.
Headers are the universal gap. CSP absent or weak on 9 of 10. Referrer-Policy absent on
9 of 10. Permissions-Policy absent on 9 of 10.
One concrete session risk. The Eastside Co session cookie finding is the only issue in this
audit that goes beyond posture gap into a direct security risk. Everything else is hardening
that is missing — this one is a misconfiguration with a clear exposure path.
What the top score does that others do not
1Digital Agency's A is not one standout decision — it is several correct ones stacked:
- HSTS at two years (not 91 days, not absent)
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy restricting camera, microphone and geolocation
- CSP frame-ancestors correctly scoped
- X-Content-Type-Options: nosniff
The gap between their A and most of the C grades here is an afternoon of configuration work,
not a major engineering effort.
The fix priority order
If your agency site looks like the bottom of this table:
- Enable HSTS (max-age of at least 31536000, i.e. one year, and add includeSubDomains once every subdomain serves HTTPS)
- Add X-Content-Type-Options: nosniff
- Add Referrer-Policy: strict-origin-when-cross-origin
- Add X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors, which 1Digital uses instead)
- Replace protocol-relative script URLs with explicit https://
- Add or strengthen CSP — start in report-only mode, then enforce once the reports are quiet
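The categories in "What was scanned", the Eastside Co cookie finding, the Shopify CSP baseline and the fix list above are all mechanical checks, so here is an added example that runs them offline. It is written for this post, not Guardr's scanner, and it never touches a real site: it audits two constructed responses, one shaped like the Shopify baseline plus a session cookie set without Secure or SameSite, and the same response after working through the fix list. The header values, the cookie name `session` and the host `cdn.example.com` are all made up for the example; the cookie check models the compounding the Eastside Co note describes (no Secure flag and no HSTS together).

```python
"""Offline posture check over constructed responses. Added example for this
post; not Guardr's scanner and not any agency's real response."""
import re

MIN_HSTS_MAX_AGE = 31536000                    # one year, the floor the fix list recommends
CSP_REQUIRED = ("default-src", "script-src")   # the directives the Shopify baseline lacks
# Crude detection of <script src="//host/..."> on raw HTML; a real scanner
# would walk the parsed DOM instead of regexing the markup.
PROTOCOL_RELATIVE_SCRIPT = re.compile(r"""<script\b[^>]*\ssrc=["']//""", re.I)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its three directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                out["max_age"] = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                pass                           # malformed max-age counts as absent
        elif part == "includesubdomains":
            out["include_subdomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out


def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie line."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(headers, html=""):
    """Return the list of finding codes for one response.
    headers: name -> value, except 'Set-Cookie' -> list of lines, because the
    browser sees one line per cookie and merging them loses the attributes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        d = parse_hsts(hsts)
        if d["max_age"] is None or d["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("hsts-max-age-short")
        if not d["include_subdomains"]:
            findings.append("hsts-no-includesubdomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("xcto-missing")
    for header in ("referrer-policy", "permissions-policy"):
        if header not in h:
            findings.append(f"{header}-missing")
    csp = h.get("content-security-policy")
    has_frame_ancestors = False
    if csp is None:
        findings.append("csp-missing")
    else:
        d = parse_csp(csp)
        has_frame_ancestors = "frame-ancestors" in d
        findings.extend(f"csp-no-{name}" for name in CSP_REQUIRED if name not in d)
    # frame-ancestors covers the same ground as X-Frame-Options; either one is enough.
    if not has_frame_ancestors and "x-frame-options" not in h:
        findings.append("framing-unrestricted")
    for line in h.get("set-cookie", []):
        name, attrs = parse_set_cookie(line)
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests;
            # HSTS would have upgraded those first, so the two gaps compound.
            findings.append(f"cookie-{name}-no-secure" + ("-and-no-hsts" if hsts is None else ""))
        if "httponly" not in attrs:
            findings.append(f"cookie-{name}-no-httponly")
        if "samesite" not in attrs:
            findings.append(f"cookie-{name}-no-samesite")
    findings.extend("protocol-relative-script" for _ in PROTOCOL_RELATIVE_SCRIPT.finditer(html))
    return findings


# Constructed sample (not a real site): the Shopify-style baseline from the
# post plus a session cookie set without Secure or SameSite.
BASELINE = {
    "Strict-Transport-Security": "max-age=7889238",          # about 91 days
    "Content-Security-Policy": "block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly"],
}
BASELINE_HTML = '<script src="//cdn.example.com/app.js"></script>'
# The same constructed response after working through the fix list.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; "
                               "frame-ancestors 'none'; upgrade-insecure-requests",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
HARDENED_HTML = '<script src="https://cdn.example.com/app.js"></script>'

if __name__ == "__main__":
    for label, hdrs, html in (("baseline", BASELINE, BASELINE_HTML), ("hardened", HARDENED, HARDENED_HTML)):
        print(label, audit(hdrs, html) or "clean")
```

To point it at a live site, build the dict from an `http.client` response's `getheaders()`, which keeps each Set-Cookie line separate. A CSP deployed in report-only mode arrives as Content-Security-Policy-Report-Only and is deliberately not counted here, because a report-only policy enforces nothing; that is the right first step from the fix list, but the finding should stay open until the policy is switched to the enforcing header.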
Does your agency site have HSTS enabled? Run a free scan at guardr.io and let me know your grade
in the comments.
Built this with Guardr — security posture and uptime monitoring for agencies managing client
sites. Free scan, no signup required.
Top comments (4)
This is a useful angle because it moves away from opinions and into pattern recognition.
Scanning multiple Shopify agency sites is where you usually start seeing the real “meta” of the industry: similar landing page structures, repeated value props, heavy focus on social proof, and often a lot of conversion optimization patterns layered on top of fairly standard service offerings.
What’s most interesting in these kinds of breakdowns is not any single website, but the convergence — when different agencies independently arrive at the same UX and messaging strategies, it usually means those patterns are actually working in the market.
Good reminder that in web/agency space, differentiation is often less about design novelty and more about clarity, positioning, and proof 🤝
Thanks Luis. Worth clarifying, this one is specifically a security posture scan rather than a UX or design breakdown. What we measured is HTTP headers, HSTS configuration, cookie flags and DNS hardening across the 10 sites.
The convergence point you raise does show up here though - three agencies running their own site on Shopify all scored identically at 76 and share the exact same CSP profile. Platform defaults create their own kind of convergence, just at the infrastructure layer rather than the design layer.
Good clarification from your side — and this is exactly why the post is interesting.
What stands out is how quickly platform-level defaults become “invisible architecture decisions.” The fact that multiple Shopify-hosted agency sites converge on the same CSP pattern isn’t really a design choice — it’s a constraint of the underlying hosting model.
That makes this kind of scan valuable beyond the findings themselves: it highlights where responsibility shifts from “agency implementation” to “platform baseline vs. hardening layer,” which is often overlooked in security discussions.
Also appreciate that you separated UX interpretation from the actual security surface — that distinction keeps the analysis clean and actionable.
Solid work on surfacing infrastructure-level patterns like this 🤝
Exactly, the platform gives you a floor, not a ceiling. For agencies selling security and reliability to clients, their own site is the first proof point. If the hardening stops at the Shopify default, that is worth knowing.