
We scanned the 50 biggest SaaS platforms. 89% nail SSL. Almost nobody gets HTTP headers right.

2026-04-18 · 7 min read · Data, Research, HTTP Headers

Why we did this

Every time we scan a small business domain we see the same pattern: the basics like SSL work, but HTTP security headers are almost always missing. We wanted to see whether that pattern holds at the top of the market, or whether big SaaS companies have already cleaned up.

So we ran our public-signal scanner against 50 popular SaaS, dev-tool, and ecommerce platforms on 2026-04-18 and aggregated the results.

The ground rules

  • Only publicly observable signals. SSL certificate, DNS records (DMARC/SPF/DKIM), HTTP response headers on the apex domain. Nothing that needs a login or special access.
  • Apex domain only. We scanned example.com, not app.example.com. This matters: many of the big platforms set stricter headers on their app subdomain than on their marketing site.
  • 45 of 50 scanned successfully. 5 had DNS or connectivity edge cases we did not chase down.
  • The full methodology and the raw scanner are at cqwerty.com/tools/headers-checker; every check in this post is available as a free tool you can run on your own domain.

Finding 1: SSL is basically solved at the top of the market

  • 89% (40/45) got an A+ SSL grade.
  • 89% (40/45) negotiate TLS 1.3 on the default connection.
  • Only one domain (GitLab) has a cert expiring in the next 30 days. That is not necessarily a problem, since auto-renewal usually kicks in 14 days out, but it is the only one we would watch.
  • If you run an SMB website and your SSL grade is not A or A+, your hosting provider is the thing to look at first. Every major CDN/host (Cloudflare, Vercel, Netlify, AWS CloudFront) gets this for free.

Finding 2: DMARC is taking hold, but not universal

  • 60% (27/45) run DMARC p=reject, the strongest policy.
  • 24% (11/45) run p=quarantine, a middle setting, often a stepping stone to reject.
  • 16% (7/45) either have no DMARC record or p=none (monitoring only).
  • The 16% with weak or missing DMARC was more surprising than we expected. That group includes Shopify, Amplitude, PostHog, and Help Scout, all of which likely send their real transactional email from a different subdomain, but the apex domain is still spoofable.

That matters because an attacker can send phishing emails that look like they come from billing@shopify.com and big mail providers will let them through. Locking down the apex with p=reject costs one DNS record and prevents that whole category of abuse.
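To make the p=reject / p=quarantine / p=none / missing split above concrete, here is a small classifier for _dmarc TXT records. It is an added example, not the scanner behind this post; the DNS answers are constructed, and it also treats pct=0 and a record without the mandatory p= tag as non-enforcing, which the post does not spell out.

```python
"""Classify DMARC posture from a _dmarc TXT record, as the post's Finding 2 does.
Added example, not the scanner behind the post; the DNS answers below are constructed."""

# Constructed _dmarc.<domain> TXT answers (None = no record published). Not real data.
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "middle.example": "v=DMARC1; p=quarantine; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "nodmarc.example": None,
    "broken.example": "v=DMARC1; rua=mailto:x@broken.example",  # mandatory p= tag absent
}

def parse_dmarc(txt):
    """Split a record into lower-cased tag -> value pairs (RFC 7489 'tag=value; ...')."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt):
    """Return 'reject', 'quarantine', 'none' or 'missing' for one _dmarc TXT answer."""
    if not txt:
        return "missing"
    tags = parse_dmarc(txt)
    # Receivers ignore a record that is not v=DMARC1 or that lacks the p= tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "missing"
    policy = tags["p"].lower()
    if policy not in ("reject", "quarantine", "none"):
        return "missing"
    # pct=0 applies the policy to no mail at all, so it enforces nothing.
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) == 0:
        return "none"
    return policy

def summarise(records):
    """Count postures across a set of domains, like the percentages in Finding 2."""
    counts = {"reject": 0, "quarantine": 0, "none": 0, "missing": 0}
    for txt in records.values():
        counts[dmarc_posture(txt)] += 1
    return counts

if __name__ == "__main__":
    for domain, txt in SAMPLE_DMARC.items():
        print(f"{domain:18} {dmarc_posture(txt)}")
    print(summarise(SAMPLE_DMARC))
```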

Finding 3: HTTP security headers are the weakest link

This is where the pattern really shows up. The header-grade distribution is bimodal:

  • 38% (17/45) scored A or A+ on HTTP security headers.
  • 42% (19/45) scored C, D, or F.

Look at the prevalence of specific missing headers:

Header                              Missing on
Permissions-Policy                  88% (40/45)
Referrer-Policy                     60% (27/45)
X-Frame-Options                     55% (25/45)
Content-Security-Policy             44% (20/45)
X-Content-Type-Options              40% (18/45)
Strict-Transport-Security (HSTS)    13% (6/45)

HSTS is the only header that has clearly won; most of the big players ship it. Everything else is a coin flip.

The one to take away from this list is Content-Security-Policy. CSP is the single most effective defence against cross-site scripting (XSS), and 44% of the biggest SaaS platforms on earth do not set it on their marketing/apex domain. If they are not doing it, small businesses almost certainly are not either, and the risk is the same.

Our guide: Content Security Policy (CSP) Explained for Web Developers.
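An added example (not the scanner behind this post) of the kind of check that produced the table above: it audits a dict of response headers for the six headers listed, counts a Content-Security-Policy-Report-Only header as not yet enforcing (the "start with a report-only CSP" step later in the post), and accepts a CSP frame-ancestors directive in place of X-Frame-Options. The sample response is constructed.

```python
"""Audit a response header set for the six headers in the post's Finding 3 table.
Added example, not the scanner behind the post. The sample headers are constructed."""

def _hsts_ok(value):
    """HSTS only counts when max-age is present and greater than zero."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit() and int(val) > 0:
            return True
    return False

# One predicate per tracked header; a header that is present but useless counts as missing.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}

def audit_headers(headers):
    """Return (missing, notes) for a dict of response headers (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing, notes = [], []
    for name, ok in CHECKS.items():
        if name not in lower or not ok(lower[name]):
            missing.append(name)
    # A report-only CSP is the right first step, but it enforces nothing yet.
    if "content-security-policy-report-only" in lower and "content-security-policy" in missing:
        notes.append("csp is report-only: not enforced yet")
    # CSP frame-ancestors supersedes X-Frame-Options in browsers that support it.
    csp = lower.get("content-security-policy", "")
    if "x-frame-options" in missing and "frame-ancestors" in csp.lower():
        missing.remove("x-frame-options")
        notes.append("x-frame-options covered by csp frame-ancestors")
    return missing, notes

# Constructed marketing-site response, not captured from any real domain.
MARKETING_SITE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}

if __name__ == "__main__":
    missing, notes = audit_headers(MARKETING_SITE)
    print("missing:", ", ".join(missing) or "none")
    print("notes:", "; ".join(notes) or "none")
```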

Finding 4: Eight platforms nailed everything

These eight scored A+ on SSL AND DMARC p=reject AND A/A+ on HTTP headers:

  • Trello
  • Linear
  • Airtable
  • Bitbucket
  • Render
  • Heroku
  • HubSpot
  • Discord

That is only 18% of our sample. Being best-in-class on public signals is still rare.

Worth noting: these are not the biggest names on our list. Stripe, GitHub, Slack, and Notion are all large companies with strong security teams; they just carry more legacy weight in their HTTP headers than the newer tools.

Finding 5: Four platforms stood out as unusually weak

These had at least two concurrent gaps (weak DMARC AND weak HTTP headers):

  • shopify.com, DMARC missing on apex, headers C
  • amplitude.com, DMARC missing on apex, headers C
  • posthog.com, DMARC missing on apex, headers D
  • helpscout.com, DMARC p=none, headers D

We emailed each of them a link to their scan before publishing this post. All of these are companies we respect; this is meant as a nudge, not a takedown.

What small businesses should take from this

  • If SSL is not A/A+, change hosts. The infrastructure has caught up; there is no reason to live with a B grade in 2026.
  • Set DMARC `p=reject` on the apex even if you do not email from it. This closes the spoofing hole at minimal cost.
  • Add the four easy headers today. HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are each a one-line nginx or middleware change, and collectively they move you from F to B.
  • Do the work for CSP. It is a genuine engineering project, but it is what separates the A-grade sites from the B-grade sites. Start with a report-only CSP, watch the violations, iterate.

Run the same checks on your own site

We built a free 18-point security audit that returns in under two minutes. The same scanner produced the numbers in this post. No signup needed.

*Data collected 2026-04-18. Methodology: public HTTP(S), DNS, and SSL signals observed from Melbourne, AU. 50 candidate domains, 45 returned a complete result. We will re-run this scan every quarter.*
