We scan 819122 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.
40.4/100
Average score
100%
Email spoofable
84%
No DNSSEC
44%
Missing security headers
Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.
| Industry | Sites | Score ▲ | Unprotected | Spoofable | Pre-Consent | Grade distribution |
|---|---|---|---|---|---|---|
| Real Estate | 11979 |
|
36% | 100% | 22% |
D
F
|
| Hospitality | 110142 |
|
44% | 100% | 17% |
D
F
|
| NGO & Nonprofit | 11825 |
|
40% | 100% | 19% |
D
F
|
| Automotive | 35938 |
|
42% | 100% | 16% |
D
F
|
| pets | 3479 |
|
44% | 100% | 15% |
D
F
|
| Sports | 46273 |
|
45% | 100% | 16% |
D
F
|
| construction | 13347 |
|
49% | 100% | 13% |
D
F
|
| Education | 96799 |
|
39% | 100% | 20% |
D
F
|
| home-garden | 27075 |
|
42% | 100% | 15% |
D
F
|
| Logistics | 2218 |
|
36% | 100% | 16% |
D
F
|
| Travel | 23257 |
|
45% | 100% | 17% |
D
F
|
| culture | 29855 |
|
47% | 100% | 17% |
D
F
|
| Food & Delivery | 230315 |
|
48% | 100% | 13% |
D
F
|
| beauty | 30136 |
|
49% | 100% | 12% |
D
F
|
| Fashion | 28266 |
|
36% | 100% | 18% |
D
F
|
| Media | 4112 |
|
35% | 100% | 24% |
D
F
|
| Pharma | 13715 |
|
37% | 100% | 14% |
D
F
|
| Healthcare | 51501 |
|
45% | 100% | 14% |
D
F
|
| professional-services | 15474 |
|
45% | 100% | 16% |
D
F
|
| Energy | 1777 |
|
30% | 100% | 17% |
D
F
|
| Adult | 330 |
|
42% | 100% | 11% |
D
F
|
| Technology | 17820 |
|
42% | 100% | 17% |
D
F
|
| Insurance | 2988 |
|
31% | 100% | 13% |
D
F
|
| E-Commerce | 4371 |
|
21% | 100% | 16% |
D
F
|
| Transport | 490 |
|
26% | 100% | 18% |
D
F
|
| Telecom | 371 |
|
20% | 100% | 21% |
D
F
|
| Government | 1616 |
|
23% | 99% | 24% |
D
F
|
| Banking | 2980 |
|
15% | 100% | 14% |
D
F
|
| Gambling | 325 |
|
30% | 99% | 11% |
D
F
|
| Regulatory | 347 |
|
24% | 100% | 34% |
D
F
|
Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.
Average security score by country — hover for details, click to explore.
/100 · sites
Security posture by country — click a country to see its detailed breakdown.
Austria
33662 sites
Belgium
23394 sites
Bulgaria
3936 sites
Croatia
5727 sites
Cyprus
1261 sites
Czech Republic
17464 sites
Denmark
15415 sites
Estonia
3290 sites
European Union
193 sites
Finland
12506 sites
France
87440 sites
Germany
226120 sites
Greece
7755 sites
Hungary
7461 sites
Iceland
1226 sites
Ireland
10228 sites
Italy
52998 sites
Latvia
2149 sites
Liechtenstein
179 sites
Lithuania
3705 sites
Luxembourg
1650 sites
Malta
765 sites
Netherlands
57422 sites
Norway
9437 sites
Poland
42453 sites
Portugal
7241 sites
Romania
6258 sites
Slovakia
10674 sites
Slovenia
3094 sites
Spain
36085 sites
Sweden
11032 sites
Switzerland
28542 sites
United Kingdom
88359 sites
Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.
Scan your website nowThe most common security gaps across 819122 European websites — and the regulations they violate.
44%
Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
100%
Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
84%
DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
Explore specific dimensions of Europe's web landscape in detail.
How we scan, what we measure, how scores are computed.
Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.
HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy
Key strength, signature algorithm, chain depth, TLS version, forward secrecy
HTTP-to-HTTPS redirect for all visitors
SPF, DKIM (key strength), DMARC (policy enforcement)
DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
Vulnerability disclosure contact per RFC 9116
Inbound email TLS enforcement (enforce vs. testing mode)
SMTP TLS failure reporting endpoint
No server version disclosure, no X-Powered-By, restricted CORS
Data based on automated weekly scans of publicly accessible websites.
No individual site names are disclosed. All statistics are anonymised by industry.
Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.
Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.
This data is also available as JSON via the Benchmark API.