I built ContrastScan — an open-source security scanner written in C that grades websites A-F across 11 modules: SSL/TLS, HTTP headers, DNS email authentication, CORS, cookies, CSP, and more. Max score: 100 points.
I took the Tranco top 500 most visited domains, filtered out infrastructure-only entries (CDN nodes, DNS servers, API backends with no web frontend), and scanned the remaining 304 websites that had actual web frontends.
The average score was 61 out of 100. A D+.
The Numbers
| Grade | Sites | % |
|---|---|---|
| A (90-100) | 3 | 1% |
| B (70-89) | 57 | 19% |
| C (55-69) | 99 | 33% |
| D (40-54) | 126 | 41% |
| F (0-39) | 19 | 6% |
3 out of 304 scored an A. The most common grade is D — 41% of the internet's biggest sites live there.
Who's Winning
| Site | Score | Grade |
|---|---|---|
| discord.com | 92 | A |
| media.net | 92 | A |
| taboola.com | 91 | A |
| stripe.com | 88 | B |
| indeed.com | 88 | B |
| openai.com | 87 | B |
| paypal.com | 85 | B |
| salesforce.com | 84 | B |
| github.com | 82 | B |
| slack.com | 81 | B |
Discord leads — TLS 1.3, all security headers, full SPF/DKIM/DMARC, tight CSP. Stripe and PayPal are right behind, which you'd expect from companies that handle payments.
OpenAI at 87 is a pleasant surprise.
Who's Not
| Site | Score | Grade |
|---|---|---|
| microsoft.com | 38 | F |
| wikipedia.org | 41 | D |
| adobe.com | 43 | D |
| netflix.com | 50 | D |
| twitter.com | 51 | D |
| reddit.com | 52 | D |
| zoom.us | 52 | D |
| dropbox.com | 53 | D |
| spotify.com | 54 | D |
Microsoft.com scores an F. The company that sells Azure Security Center, Microsoft Defender, and enterprise security consulting — their own homepage fails a basic security scan.
Wikipedia — the 7th most visited site on earth — gets a D.
Netflix, Twitter, Reddit, Zoom, Dropbox, Spotify — all D.
The Full Leaderboard
```
discord.com    ██████████████████████████████████████████████ 92 A
stripe.com     ████████████████████████████████████████████ 88 B
paypal.com     ██████████████████████████████████████████ 85 B
salesforce.com ████████████████████████████████████████████ 84 B
github.com     █████████████████████████████████████████ 82 B
slack.com      ████████████████████████████████████████ 81 B
oracle.com     ████████████████████████████████████████ 80 B
booking.com    █████████████████████████████████ 67 C
youtube.com    █████████████████████████████████ 67 C
facebook.com   █████████████████████████████████ 66 C
whatsapp.com   ███████████████████████████████ 62 C
instagram.com  ██████████████████████████████ 60 C
linkedin.com   ██████████████████████████████ 60 C
apple.com      █████████████████████████████ 59 D
amazon.com     ████████████████████████████ 56 D
telegram.org   ███████████████████████████ 55 D
ibm.com        ███████████████████████████ 54 D
spotify.com    ███████████████████████████ 54 D
dropbox.com    ██████████████████████████ 53 D
reddit.com     ██████████████████████████ 52 D
zoom.us        ██████████████████████████ 52 D
twitter.com    █████████████████████████ 51 D
netflix.com    █████████████████████████ 50 D
adobe.com      █████████████████████ 43 D
wikipedia.org  ████████████████████ 41 D
microsoft.com  ███████████████████ 38 F
```
Where Sites Lose the Most Points
Missing Security Headers
The biggest problem across the board. Out of 304 sites:
| Header | Missing | % |
|---|---|---|
| Permissions-Policy | 252 | 83% |
| Referrer-Policy | 231 | 76% |
| Content-Security-Policy | 185 | 61% |
| X-Content-Type-Options | 151 | 50% |
| X-Frame-Options | 150 | 49% |
| Strict-Transport-Security | 104 | 34% |
83% don't set Permissions-Policy. Without it, any third-party script on your page (analytics, ads, chat widgets) can request access to your visitors' camera, microphone, and geolocation with the same standing as your own code.
61% have no CSP — the single most effective defense against XSS.
HSTS has been a best practice since 2012. 34% of top sites still don't use it.
Module Breakdown
How each security module scored on average:
| Module | Avg Score | Max | % |
|---|---|---|---|
| CORS | 4.8 | 5 | 96% |
| HTML Analysis | 4.2 | 5 | 85% |
| DNS (Email Auth) | 11.9 | 15 | 80% |
| Cookies | 3.8 | 5 | 77% |
| Info Disclosure | 3.6 | 5 | 72% |
| SSL/TLS | 10.1 | 20 | 51% |
| Headers | 9.9 | 25 | 40% |
| CSP Analysis | 0.4 | 2 | 21% |
Headers and CSP are where the internet bleeds points. CORS and HTML are generally fine — most sites don't expose dangerous CORS configurations.
Email Authentication
| Record | Present | % |
|---|---|---|
| DMARC | 268 | 88% |
| SPF | 267 | 88% |
| DKIM | 191 | 63% |
SPF and DMARC adoption is strong. But 37% of top sites don't have DKIM — which means their emails can be spoofed without cryptographic detection.
Vulnerability Count
Each scan produces findings with severity ratings:
| Severity | Total | Per site |
|---|---|---|
| Critical | 139 | 0.5 |
| High | 482 | 1.6 |
| Medium | 846 | 2.8 |
| Low | 988 | 3.2 |
46% of the top sites have at least one critical finding. Most common: missing or broken TLS.
The average site has 8 security findings. Even Discord (our #1) has a few low-severity items.
Five Takeaways
1. You can beat 83% of the internet in 5 minutes.
Add these 6 headers to your nginx/Apache config and you're ahead of almost everyone:
```
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
```
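A quick way to verify a deployment actually sends those six headers, as an added Python example that is not ContrastScan's code: it parses a raw response header block, lists what is missing, and flags weak values. The sample response is constructed, and the thresholds (one-year HSTS max-age, no 'unsafe-inline'/'unsafe-eval' in CSP) are my own assumptions, not the scanner's scoring rules.

```python
"""Added example (not ContrastScan's code): audit a raw HTTP response header
block for the six headers listed above and flag weak values."""
from typing import Dict, List

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
"""

REQUIRED = ["strict-transport-security", "content-security-policy",  # the six
            "x-content-type-options", "x-frame-options",              # headers,
            "referrer-policy", "permissions-policy"]                  # lower-cased
ONE_YEAR = 31536000  # assumed minimum HSTS max-age (the preload list requires it)


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def audit(raw: str) -> List[str]:
    """Return findings in a fixed order; an empty list means all checks pass."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("weak: HSTS max-age below one year")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak: CSP allows 'unsafe-inline' or 'unsafe-eval'")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not nosniff")
    return findings
```

Feed it the output of `curl -sI https://yoursite.com` to audit a live deployment.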
2. CSP is hard — but worth it.
61% of top sites skip it. It's complex to implement without breaking things. Start with default-src 'self' in report-only mode, watch the violations, and tighten gradually.
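Report-only mode only helps if you actually read the violation reports the browser posts back. As an added example (not ContrastScan's code), this summarises a constructed batch of reports in the classic report-uri JSON shape and separates recurring external sources, which are candidates for the allow list, from inline/eval violations, which should be fixed in the page rather than allowed. The hostnames and the recurrence threshold are assumptions.

```python
"""Added example (not ContrastScan's code): aggregate CSP report-only
violation reports to decide what a tightened policy must allow."""
import json
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed batch, one report-uri JSON document per line; not real traffic.
SAMPLE_REPORT_LOG = """
{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://tags.analytics-vendor.test/tag.js"}}
{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://tags.analytics-vendor.test/tag.js"}}
{"csp-report": {"document-uri": "https://example.test/about", "effective-directive": "script-src", "blocked-uri": "inline"}}
{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "img-src", "blocked-uri": "https://img.cdn-vendor.test/logo.png"}}
{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://once-seen.test/x.js"}}
"""


def source_key(blocked_uri: str) -> str:
    """Reduce blocked-uri to an origin a CSP source list can name;
    browsers report 'inline', 'eval' or 'data' for non-URL cases."""
    if blocked_uri in ("inline", "eval", "data", ""):
        return blocked_uri or "(empty)"
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked_uri


def summarise(log: str) -> Counter:
    """Count (effective-directive, source) pairs across the batch."""
    counts: Counter = Counter()
    for line in log.strip().splitlines():
        body = json.loads(line)["csp-report"]
        counts[(body["effective-directive"], source_key(body["blocked-uri"]))] += 1
    return counts


def suggest(counts: Counter, min_count: int = 2) -> Dict[str, List[str]]:
    """Sources seen at least min_count times are allow-list candidates.
    Inline/eval violations are listed for refactoring: allowing them with
    'unsafe-inline' would give back the XSS protection CSP exists for."""
    out: Dict[str, List[str]] = {"allow": [], "refactor": []}
    for (directive, src), n in sorted(counts.items()):
        if src in ("inline", "eval"):
            out["refactor"].append(
                f"{directive}: {n} {src} violation(s); use external files or nonces")
        elif n >= min_count:
            out["allow"].append(f"{directive} {src}")
    return out
```

Sources seen only once stay out of the allow list until they recur, which keeps the policy from growing on the strength of a single stray request.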
3. DKIM is the gap in email security.
SPF and DMARC are at ~88%. DKIM is at 63%. If you run email, configure all three.
4. Big brand ≠ good security.
Microsoft scores lower than a random ad network. Security configuration is an afterthought even at companies that literally sell security products.
5. The bar is embarrassingly low.
Score above 70 and you're in the top 20% of the internet. That's an afternoon of work — nginx config changes, a Let's Encrypt cert, and three DNS records.
Scan Your Site
- Free scan: contrastcyber.com
- API: GET https://contrastcyber.com/api/scan?domain=yoursite.com
- Source: github.com/UPinar/contrastscan — C + Python, MIT license
- Security API: api.contrastcyber.com — CVE lookup, domain intel, code security
Written in C — a full 11-module scan completes in under 1 second.
Data: March 29, 2026. Scanner: ContrastScan v1.0. Source: Tranco top 500. 196 entries were infrastructure-only domains (CDN nodes, DNS servers, API backends) with no web frontend — excluded from analysis.
Note: Some large enterprises intentionally omit certain headers due to CDN constraints or scale-specific trade-offs. A lower score doesn't always mean the site is insecure — but it does mean observable security signals are weaker.