Security posture snapshot for March 2026 across 61078 monitored European websites.
Average score: 49.0/100
Email spoofable: 71%
No DNSSEC: 86%
Missing security headers: 71%
Security posture by industry — sorted by average score.
| Industry | Sites | Score | Unprotected | Spoofable | Insecure |
|---|---|---|---|---|---|
| construction | 129 | 38.5 | 87% | 79% | 16% |
| professional-services | 93 | 41.7 | 80% | 63% | 9% |
| pets | 47 | 42.9 | 72% | 57% | 17% |
| beauty | 477 | 43.0 | 76% | 80% | 10% |
| home-garden | 476 | 44.3 | 70% | 75% | 9% |
| Hospitality | 5194 | 44.8 | 79% | 81% | 9% |
| Food & Delivery | 12054 | 45.1 | 77% | 81% | 8% |
| culture | 902 | 45.5 | 73% | 77% | 9% |
| Sports | 3160 | 45.9 | 80% | 81% | 8% |
| Healthcare | 3147 | 46.8 | 78% | 77% | 10% |
| Automotive | 2781 | 47.1 | 73% | 78% | 10% |
| Travel | 1623 | 47.2 | 75% | 75% | 9% |
| Real Estate | 1745 | 47.8 | 78% | 75% | 8% |
| Education | 4352 | 48.4 | 72% | 77% | 7% |
| NGO & Nonprofit | 1876 | 48.7 | 80% | 76% | 8% |
| Fashion | 2520 | 49.1 | 65% | 76% | 7% |
| Adult | 298 | 49.5 | 78% | 73% | 6% |
| Logistics | 955 | 49.5 | 76% | 68% | 7% |
| Pharma | 3517 | 49.8 | 62% | 69% | 6% |
| Media | 2481 | 52.0 | 78% | 59% | 2% |
| Energy | 934 | 53.3 | 65% | 59% | 8% |
| Insurance | 1208 | 54.2 | 63% | 60% | 7% |
| Gambling | 282 | 54.7 | 68% | 49% | 10% |
| Technology | 2340 | 55.1 | 64% | 50% | 6% |
| E-Commerce | 4265 | 55.2 | 65% | 46% | 5% |
| Transport | 464 | 55.9 | 59% | 49% | 7% |
| Regulatory | 339 | 56.9 | 53% | 53% | 6% |
| Telecom | 368 | 57.1 | 57% | 47% | 7% |
| Government | 1395 | 58.1 | 54% | 52% | 6% |
| Banking | 1655 | 62.6 | 32% | 48% | 4% |
Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC. Insecure = no HTTPS redirect.
The most common security gaps across 61078 European websites — and the regulations they violate.
71%: Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
71%: Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
86%: DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
This data is also available as JSON via the Benchmark API.