Short answer. We scanned the HTTP security headers of 50 of Russia's largest sites (e-commerce, banks, government, media, telecom) with the Enterno.io engine. Of the 44 sites that returned analyzable headers, only 2% use Content-Security-Policy, 25% use HSTS, and 57% score an F. Meanwhile SSL/TLS hygiene is excellent: 49 of 50 serve a valid certificate, 142 days to expiry on average, none near the edge. The takeaway: the RU web has solved certificate management but barely uses security headers — especially Content Security Policy, the primary defense against XSS.
What we measured, and how
Methodology (fully open, see footer): we took 50 publicly known top RU domains across e-commerce, banking/finance, government, media, telecom, classifieds and travel. For each we requested the homepage and analyzed six key security headers with the same engine behind the free Enterno.io Security scanner. Six sites (12%) answered from behind a WAF/anti-bot and returned no analyzable origin headers — they're excluded from the percentages below (base = 44). Scan date: June 2026.
Headline finding: headers are barely used
| Security header | Used by | Share |
|---|---|---|
| X-Content-Type-Options | 18 / 44 | 41% |
| X-Frame-Options | 17 / 44 | 39% |
| HSTS (Strict-Transport-Security) | 11 / 44 | 25% |
| Referrer-Policy | 7 / 44 | 16% |
| Content-Security-Policy | 1 / 44 | 2% |
| Permissions-Policy | 1 / 44 | 2% |
The strongest header — CSP — is used by exactly one site out of 44. CSP restricts script sources and shuts down a whole class of XSS attacks; its near-total absence among Russia's top sites is the single biggest systemic gap.
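The counting rule behind the table above, as an added example that is not part of the study's tooling: each response is checked for the six headers, a WAF/anti-bot answer with no origin headers is dropped from the base, and a header is only counted when its value actually does something (HSTS with max-age=0 or a non-nosniff X-Content-Type-Options does not count, and Content-Security-Policy-Report-Only is not Content-Security-Policy). The site names and header sets are constructed sample data.

```python
from collections import Counter

# The six headers the study counts; names are compared case-insensitively.
SIX_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)

def hsts_max_age(value):
    """Parse max-age out of an HSTS value; 0 when missing or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0

def present_headers(headers):
    """Return the subset of SIX_HEADERS this response carries with a usable value."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    found = set()
    for name in SIX_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        if name == "X-Content-Type-Options" and value.lower() != "nosniff":
            continue  # any value other than nosniff is a no-op
        if name == "Strict-Transport-Security" and hsts_max_age(value) == 0:
            continue  # max-age=0 tells browsers to forget the policy
        found.add(name)
    return found

def missing_headers(headers):
    """Headers a site owner still has to add, in the study's order."""
    have = present_headers(headers)
    return [name for name in SIX_HEADERS if name not in have]

def usage_share(responses):
    """responses: list of (site, headers or None). None marks a WAF/anti-bot
    answer with no analyzable origin headers; those are excluded from the base."""
    analyzable = [h for _, h in responses if h is not None]
    counts = Counter()
    for h in analyzable:
        counts.update(present_headers(h))
    base = len(analyzable)
    return {n: (counts[n], round(100 * counts[n] / base)) for n in SIX_HEADERS}

SAMPLE = [  # constructed responses, not the study's data
    ("shop.example", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                      "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN"}),
    ("bank.example", {"strict-transport-security": "max-age=0", "X-Content-Type-Options": "NOSNIFF",
                      "Content-Security-Policy-Report-Only": "default-src 'self'"}),
    ("news.example", {"Referrer-Policy": "strict-origin-when-cross-origin"}),
    ("gov.example", None),  # answered from behind a WAF: not in the base
]
```

Running `usage_share(SAMPLE)` gives a base of 3 and, for example, 2 / 3 (67%) for X-Content-Type-Options and 0 / 3 for Content-Security-Policy, since the Report-Only header on bank.example does not count.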
Grade distribution
- F — 25 sites (57%): no or almost no security headers.
- D — 16 sites (36%): one or two basic headers.
- C — 2 sites (5%).
- B — 1 site (2%).
- A — 0 sites.
93% of Russia's top sites score D or F. None reached A. This isn't a resources problem — banks and marketplaces have plenty — it's prioritization: security headers are high-ROI for minimal work (a few lines of Nginx config) yet stay off the checklist.
SSL/TLS — this part is healthy
The contrast is stark — certificate hygiene is exemplary.
- 49 of 50 sites (98%) served a valid certificate.
- Average time to expiry: 142 days.
- Minimum 21 days; zero certificates on the edge (≤14 days).
Auto-renewal (Let's Encrypt / commercial ACME) solved "we forgot to renew the cert." Headers are the next un-taken hill.
Why security headers matter
- CSP — restricts where scripts load from; breaks most XSS even when the code is vulnerable.
- HSTS — forces SSL/TLS verification always, closing downgrade/SSL-strip attacks.
- X-Frame-Options / frame-ancestors — clickjacking defense.
- X-Content-Type-Options: nosniff — stops MIME sniffing.
- Referrer-Policy — don't leak URLs to third parties.
Nginx — a baseline set in 6 lines

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Content-Security-Policy "default-src 'self'" always; # send this as Content-Security-Policy-Report-Only first, then switch to enforce
```
What a site owner should do
- Check your site with the Security scanner — get a grade and a list of missing headers in 10 seconds.
- Add the "easy" headers immediately (HSTS, nosniff, X-Frame-Options, Referrer-Policy) — they don't break the site.
- Roll out CSP via the CSP analyzer and Content-Security-Policy-Report-Only first, then switch to enforce.
- Put the site on monitoring so you learn if the grade drops after a release.
Why only 44 of 50 sites in the stats?
6 sites answered from behind a WAF/anti-bot that returns its own headers, not the origin's. To avoid skewing the data we computed percentages over the 44 sites with an analyzable response.
Is this a one-off snapshot or a recurring study?
A June 2026 snapshot. We plan to repeat it — security headers change with releases, and the trend is more interesting than the static picture.
Can I check my own site the same way?
Yes — the Security scanner uses the exact same engine and grading criteria as this study.
Why is CSP so rare?
CSP is harder to deploy than the other headers: you must enumerate every legitimate script/style source or functionality breaks. So teams defer it. Report-Only mode removes the risk and lets you roll out gradually.
Methodology. 50 publicly known top RU domains (e-commerce, banks, government, media, telecom, classifieds, travel). One homepage request each; six security headers analyzed with the Enterno.io engine (the same one behind the public Security scanner). 44 returned an analyzable response; 6 were behind a WAF (excluded from percentages). SSL: TLS handshake, days-to-expiry from the certificate. Date: June 2026. Reproducible — check any site in the sample yourself.