I'm Raz. I've been building a security scanner called UNPWNED for the past few months. It runs thousands of checks across dozens of scanners on any website - headers, DNS, SSL, exposed files, secrets, you name it.
After 447 scans and 3,993 findings, I have enough data to share. Some of this stuff genuinely surprised me.
The big picture
- 447 sites scanned, 3,993 vulnerabilities found
- Average site has 8.9 security issues
- Average score: 73.1 out of 100
- Only 16.3% scored A or A+
- 37% scored C (the most common grade)
- 53% scored C or worse
Most websites aren't terrible. They're just... mediocre. A bunch of missing headers and DNS records that nobody thought to configure.
AI-built vs human-built - this is the big one
I started tagging sites that showed signals of being AI-generated (Lovable, Bolt, Cursor, v0 patterns). The gap is real:
| Metric | AI-Built | Human-Built |
|---|---|---|
| Avg Score | 63.7 | 75.7 |
| Avg Findings | 12.2 | 9.7 |
| HIGH Severity | 2.1 per site | 0.7 per site |
AI-built sites have 3x more high-severity vulnerabilities.
Why? Because AI tools are really good at building features that work. They'll set up your auth, your API routes, your database queries. But they almost never add:
- Security headers (CSP, HSTS)
- DNS hardening (DMARC, DNSSEC)
- Rate limiting
- CORS restrictions
Nobody prompts "oh and add DMARC and CSP headers please." And the AI doesn't volunteer it.
The 5 things almost nobody has
This is across ALL 447 sites, not just AI-built:
| Missing Defense | % Without It |
|---|---|
| Rate Limiting | 74% |
| Content Security Policy | 72% |
| DNSSEC | 72% |
| DMARC | 47% |
| Privacy Policy | 68% |
74% have no rate limiting. That means bots can throw password guesses at your login endpoint all day and nothing on your side slows them down.
72% have no CSP. One XSS bug and the injected script runs with no second line of defense.
47% have no DMARC. Without it (or with it stuck at p=none), receiving mail servers get no instruction to reject mail that fakes your From: address, so anyone can send email as you@yourdomain.com and your users get phishing that looks like it came from you.
How different platforms score
| Platform | Avg Score | Avg Findings |
|---|---|---|
| Vercel | 75.9 | 7.0 |
| WordPress | 76.5 | 9.4 |
| Next.js | 75.1 | 7.1 |
| Cloudflare | 72.2 | 7.6 |
| Netlify | 64.2 | 13.4 |
Vercel and Next.js do better than average but still miss critical stuff. Netlify sites scored the lowest among modern platforms - not sure why, might be the default headers config.
Grade distribution
| Grade | % of Sites |
|---|---|
| A+ | 8.9% |
| A | 7.4% |
| B | 30.6% |
| C | 37.1% |
| D | 13.6% |
| F | 2.2% |
The most common grade is C. Not failing, but not anywhere close to secure.
What you can fix in 30 minutes
The gap between a C and a B (or even an A) is usually not a rewrite. It's a few configs:
1. Add CSP headers
Even a basic Content Security Policy (no 'unsafe-inline' in script-src; a nonce or hash for the inline scripts you actually need) stops injected inline scripts and scripts loaded from origins you haven't allowed. If you're on Next.js, it's a few lines in your middleware.
2. Set up DMARC
Add a DNS TXT record at _dmarc.yourdomain.com. With p=reject (or p=quarantine) it tells receiving mail servers to reject or junk mail that fails SPF/DKIM alignment for your domain; the default p=none only sends you reports. Takes 5 minutes, provided SPF and DKIM are already set up for whatever actually sends your mail.
3. Add rate limiting on auth routes
Even a simple IP-based limit (like 10 attempts per minute per IP on the login route) stops naive brute force. Most frameworks have middleware for this. One catch on serverless hosts: the counter has to live in a shared store (Redis or similar), not in process memory, or every instance keeps its own count and the limit barely applies.
4. Enable DNSSEC
This is usually a one-click toggle at your DNS provider (Cloudflare, Namecheap, etc). If your registrar and your DNS host are different companies, you also have to paste the DS record the DNS host gives you into the registrar, or the chain of trust never completes and resolvers treat the zone as unsigned.
5. Check your CORS policy
If you're using Access-Control-Allow-Origin: * in production, any website can read responses from your API. Browsers refuse to attach cookies to a wildcard origin, so the really dangerous pattern is reflecting the request's Origin header back together with Access-Control-Allow-Credentials: true, which hands any site your users' authenticated API. Use an explicit allowlist of origins, compared as whole strings.
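Fixes 1, 3 and 5 above as working code, as an added example that is not from the original post or from the UNPWNED scanner. It is plain JavaScript with no framework dependency so it can be read and run stand-alone; the request shape ({ip, path, origin, nonce, now}), the /api/auth/ route prefix, the example.com origins and all function names are assumptions for the example, to be mapped onto your own framework's request object (a Next.js middleware, an Express app, etc.).

```javascript
// Added example; not code from the original post or the UNPWNED scanner.
// Fixes 1, 3 and 5 above (CSP, auth rate limiting, CORS allowlist) as plain
// functions. The request shape {ip, path, origin, nonce, now}, the
// /api/auth/ prefix and the example.com origins are assumptions; map them onto
// your framework's request object (Next.js middleware, Express, ...).

// 1. Content Security Policy: only scripts that carry the per-request nonce
//    (or come from your own origin) may run, so a <script> injected through an
//    XSS bug is blocked. Never add 'unsafe-inline' to script-src; that reopens
//    the hole CSP exists to close. The caller generates a fresh random nonce per
//    response and puts the same value on its own inline <script nonce="..."> tags.
function buildCsp(nonce) {
  if (!/^[A-Za-z0-9+\/=]{16,}$/.test(nonce)) {
    throw new Error("nonce must be fresh randomness, base64, at least 16 chars");
  }
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
    "form-action 'self'",
  ].join("; ");
}

// 2. Rate limiting: fixed-window counter per client IP (the "10 per minute"
//    from the post). Time is passed in so the logic is testable. The Map lives
//    in this process only; across several serverless instances use a shared
//    store (Redis etc.) or each instance will count separately.
function createRateLimiter({ limit = 10, windowMs = 60_000 } = {}) {
  const buckets = new Map(); // ip -> { windowStart, count }
  return {
    // true if the request may proceed, false if this IP is over the limit
    allow(ip, now = Date.now()) {
      const b = buckets.get(ip);
      if (!b || now - b.windowStart >= windowMs) {
        buckets.set(ip, { windowStart: now, count: 1 });
        return true;
      }
      b.count += 1;
      return b.count <= limit;
    },
    // drop expired buckets so memory stays bounded; returns live bucket count
    prune(now = Date.now()) {
      for (const [ip, b] of buckets) {
        if (now - b.windowStart >= windowMs) buckets.delete(ip);
      }
      return buckets.size;
    },
  };
}

// 3. CORS: exact-match allowlist. Returns headers to add, or null to send no
//    CORS headers at all (the browser then blocks the foreign page from reading
//    the response). Substring or regex matching lets "https://app.example.com"
//    be impersonated by "https://app.example.com.evil.net"; compare whole strings.
function corsHeadersFor(origin, allowedOrigins) {
  if (typeof origin !== "string" || !allowedOrigins.includes(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    Vary: "Origin", // so caches never serve one origin's answer to another
  };
}

// The pattern to avoid: echoing whatever Origin the browser sent with
// credentials enabled. Worse than "*", because browsers refuse to attach
// cookies to a wildcard but happily attach them to a reflected origin.
function corsHeadersReflecting(origin) {
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Glue: a handler that applies all three to a minimal request object and
// returns { status, headers, body }.
function createHardenedHandler({ allowedOrigins, limiter, next }) {
  return function handle(req) {
    const headers = { "Content-Security-Policy": buildCsp(req.nonce) };
    const cors = corsHeadersFor(req.origin, allowedOrigins);
    if (cors) Object.assign(headers, cors);
    if (req.path.startsWith("/api/auth/") && !limiter.allow(req.ip, req.now)) {
      return { status: 429, headers: { ...headers, "Retry-After": "60" } };
    }
    return { status: 200, headers, body: next(req) };
  };
}
```

Two design choices worth noting. The limiter takes the clock as a parameter and keys on the client IP you trust (behind a proxy, that means the proxy's forwarded header, not the socket address, otherwise every user shares the proxy's IP). And the CORS helper returns null rather than a wildcard when the origin is unknown; sending no header at all is the safe default, because the browser then refuses to expose the response to that page.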
Check your own site
I built UNPWNED because I was shipping fast with AI tools and had no idea what was exposed. The scanner checks thousands of things across dozens of scanners, only looks at publicly visible information (same stuff anyone visiting your site can see), and it's free to try.
No account needed for a quick scan. Happy to answer questions about the methodology or findings in the comments.