Securing the Web: Analysis of HTTP Security Headers in Popular Global Websites

TL;DR

This study analyzes HTTP security headers across 3,195 popular websites, revealing widespread weak security practices, especially in healthcare sites, and emphasizes the need for improved HTTPS implementation and security policies.

Contribution

The paper provides a comprehensive analysis of HTTP security header implementation on a large, diverse set of global websites, highlighting prevalent security deficiencies and offering targeted recommendations.

Findings

55.66% of websites received an 'F' security grade

Healthcare websites scored the lowest with an average of 18.14

Most websites showed weak implementation of CSP, HSTS, and SRI

Abstract

The surge in website attacks, including Denial of Service (DoS), Cross-Site Scripting (XSS), and Clickjacking, underscores the critical need for robust HTTPS implementation-a practice that, alarmingly, remains inadequately adopted. Regarding this, we analyzed HTTP security headers across N=3,195 globally popular websites. Initially, we employed automated categorization using Google NLP to organize these websites into functional categories and validated this categorization through manual verification using Symantec Sitereview. Subsequently, we assessed HTTPS implementation across these websites by analyzing security factors, including compliance with HTTP Strict Transport Security (HSTS) policies, Certificate Pinning practices, and other security postures using the Mozilla Observatory. Our analysis revealed over half of the websites examined (55.66%) received a dismal security grade of 'F' and most websites scored low for various metrics, which is indicative of weak HTTP header implementation. These low scores expose multiple issues such as weak implementation of Content Security Policies (CSP), neglect of HSTS guidelines, and insufficient application of Subresource Integrity (SRI). Alarmingly, healthcare websites (n=59) are particularly concerning; despite being entrusted with sensitive patient data and obligations to comply with data regulations, these sites recorded the lowest average score (18.14). We conclude by recommending that developers should prioritize secure redirection strategies and use implementation ease as a guide when deciding where to focus their development efforts.