Skip to content
Pricing RU Sign In
RU

Security Headers in Runet 2026

By · Updated
TL;DR:

Security headers analysis based on Enterno.io Security Scanner data for Q1 2026: HSTS is enabled by 64% of sites (mostly via Cloudflare), CSP only 18%, X-Frame-Options 71%, Permissions-Policy 9%. Average security grade — B. Top causes for C/D: missing HSTS, weak CSP or unsafe-inline, leaking Server header.

Try it now — free →

Methodology

Headers checked via Enterno.io Security Scanner — sample of ~50,000 public HTTPS sites in Runet. Grade A-F weighted: HSTS (20%), CSP (25%), X-Frame-Options (15%), X-Content-Type-Options (10%), Referrer-Policy (10%), Permissions-Policy (5%), cookies (15%).

Header coverage

HeaderCoverage
HSTS (Strict-Transport-Security)64%
X-Frame-Options71%
X-Content-Type-Options56%
Content-Security-Policy18%
Referrer-Policy31%
Permissions-Policy9%
Cross-Origin-*14%

CSP remains the most-underused header — only 18% deploy it, and ~40% of those rely on unsafe-inline.

Grade distribution

Grade%
A+7%
A21%
B35%
C24%
D-F13%

Top issues

  1. Missing HSTS (36% of sites) — no Strict-Transport-Security, vulnerable to downgrade attack.
  2. unsafe-inline in CSP (~40% of the 18% with CSP) — creates false sense of security.
  3. Leaking Server header (52% of sites) — nginx/1.x.y + Apache version enables targeted CVE exploits.
  4. Missing Permissions-Policy (91%) — camera/microphone/geolocation default-allowed.
  5. Cookies without Secure/HttpOnly/SameSite (43% of sites with login).

Quick fixes

  1. In nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  2. Configure CSP with nonce (not unsafe-inline). Example + validator — /en/csp.
  3. Hide Server header: server_tokens off; in nginx.
  4. Permissions-Policy: camera=(), microphone=(), geolocation=().
  5. Recheck via Security Scanner — should hit grade A.

Related guides

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Related tools

SSL CheckPageSpeedMixed ContentHealth Score

Learn more

How-to

Glossary

Research

Alternatives

Frequently Asked Questions

Is the data current?

Data collected in Q1 2026. Updated quarterly.

Can I cite this?

Yes, with attribution to Enterno.io.

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation