DEV Community

Raz Azulay

We Scanned 400+ Websites. Here's What We Found.

We built UNPWNED, a security scanner for web apps. Over the past few weeks, we scanned 400+ websites across startups, SaaS products, and side projects.

Here's what the data told us.

The Numbers

  • 412 scans across 167 unique domains
  • Average first-scan score: 65 out of 100
  • Only 2% scored an A on their first scan
  • 58% scored a C, 23% scored D or F

The Most Common Issues

| Issue | % of Sites Affected |
|-------|---------------------|
| DNSSEC not enabled | 75% |
| No rate limiting on API endpoints | 70% |
| Missing Content Security Policy | 69% |
| Weak CSP configuration | 57% |
| No cookie consent mechanism | 48% |
| Missing DMARC record (email spoofing risk) | 47% |
| No privacy policy page detected | 40% |
| Missing DKIM record | 37% |
| Missing HSTS header | 34% |
| Permissive CORS policy | 29% |

What Surprised Us

Almost half of all sites can be email-spoofed. 47% were missing DMARC records, which means receiving mail servers have no published policy telling them to reject mail that fails SPF or DKIM checks, so anyone can send email that appears to come from their domain. Your users could get a phishing email "from" you today.

70% had no API rate limiting. That means a single script could hammer their endpoints with zero resistance. No throttling, no blocking, nothing.

69% had no Content Security Policy. CSP is a single response header that stops most XSS payloads from executing, yet most developers skip it because they don't know about it.

The Good News

Sites that used our fix suggestions and rescanned improved by an average of +8 points. Some jumped from D to A in a single afternoon.

The gap between "vulnerable" and "secure" is usually not a rewrite. It's a few headers, a DNS record, and some basic configuration.

What You Can Do Right Now

  1. Add a CSP header - even a basic one blocks most XSS vectors
  2. Set up DMARC, SPF, and DKIM - protect your users from email spoofing
  3. Add rate limiting - even a simple middleware prevents abuse
  4. Enable HSTS - one header that forces HTTPS everywhere
  5. Check your CORS policy - don't use * in production
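As an added example (not UNPWNED's code), here is a standard-library WSGI middleware that applies items 1, 3, 4 and 5 from the list above: a basic CSP, HSTS, a fixed-window per-client rate limit, and an explicit CORS origin allowlist instead of `*`. The origin, limit and header values are assumptions to tune for a real application; the DNS records in item 2 live outside the app and are not shown.

```python
import time
from collections import defaultdict

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed allowlist for this example; never "*"
RATE_LIMIT = 60         # requests per client per window (assumed value)
WINDOW_SECONDS = 60
SECURITY_HEADERS = [
    # Basic CSP: only same-origin resources load, no plugins, no <base> hijacking.
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'; base-uri 'self'"),
    # HSTS: browsers use HTTPS for this host (and subdomains) for one year.
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
class SecurityMiddleware:
    """WSGI wrapper: adds CSP/HSTS, allowlists CORS origins, rate-limits per client."""
    def __init__(self, app, clock=time.time):
        self.app, self.clock = app, clock
        self.counters = defaultdict(lambda: [0, 0.0])  # client -> [count, window_start]

    def allowed(self, client):
        now = self.clock()
        count, start = self.counters[client]
        if now - start >= WINDOW_SECONDS:  # window expired: start a fresh one
            self.counters[client] = [1, now]
            return True
        if count >= RATE_LIMIT:
            return False
        self.counters[client][0] = count + 1
        return True
    def __call__(self, environ, start_response):
        if not self.allowed(environ.get("REMOTE_ADDR", "unknown")):
            start_response("429 Too Many Requests", [("Retry-After", str(WINDOW_SECONDS))])
            return [b"rate limited\n"]
        def wrapped_start(status, headers, exc_info=None):
            headers = list(headers) + SECURITY_HEADERS
            origin = environ.get("HTTP_ORIGIN")
            if origin in ALLOWED_ORIGINS:  # echo only allowlisted origins, never "*"
                headers += [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start)
def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]
def run(app, environ):
    """Call a WSGI app in-process; return (status, header dict, body) for inspection."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Wrap your real WSGI app with `SecurityMiddleware(app)` and serve it as usual; `run` is only a helper for exercising the middleware without a server.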

Try It Yourself

We built a free instant security checker - no signup required:

Check your website security score

It runs 30+ checks and gives you a score, grade, and list of findings. If you want detailed fix instructions, you can sign up for free (5 scans/month).

Built solo by an indie hacker. UNPWNED was featured by top dev communities and presented to engineering teams at leading tech companies. If you have questions about any of these findings, drop a comment - happy to help.
