We Scanned 400+ Websites. Here's What We Found.

Source: DEV Community
We built UNPWNED, a security scanner for web apps. Over the past few weeks, we scanned 400+ websites across startups, SaaS products, and side projects. Here's what the data told us.

## The Numbers

- 412 scans across 167 unique domains
- Average first-scan score: 65 out of 100
- Only 2% scored an A on their first scan
- 58% scored a C, 23% scored D or F

## The Most Common Issues

| Issue | % of Sites Affected |
|---|---|
| DNSSEC not enabled | 75% |
| No rate limiting on API endpoints | 70% |
| Missing Content Security Policy | 69% |
| Weak CSP configuration | 57% |
| No cookie consent mechanism | 48% |
| Missing DMARC record (email spoofing risk) | 47% |
| No privacy policy page detected | 40% |
| Missing DKIM record | 37% |
| Missing HSTS header | 34% |
| Permissive CORS policy | 29% |

## What Surprised Us

Almost half of all sites can be email-spoofed. 47% were missing DMARC records, which means receiving mail servers have no published policy telling them to reject or quarantine messages that forge the domain in the From header. Your users could get a phishing email "from" you today.

70% had no API rate limiting. That means a single script could hammer
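To make the DMARC and header findings in the table concrete, here is an added example of how a scanner can classify them. This is illustrative code written for this post, not UNPWNED's own implementation. It takes the raw inputs directly (the TXT strings that would be returned for `_dmarc.<domain>` and a dict of HTTPS response headers) so it runs offline; the record strings and header values below are constructed samples, and the function names are my own.

```python
"""Classify a few of the finding categories from the table above.

Added example, not UNPWNED's code. Inputs are passed in directly so the
checks run offline; a real scanner would obtain them via DNS and HTTP.
"""
import re
from typing import Dict, List

# DMARC records are "tag=value" pairs separated by semicolons (RFC 7489).
DMARC_TAG_RE = re.compile(r"\s*([a-zA-Z]+)\s*=\s*([^;]*)")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a lower-cased tag -> value mapping."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        m = DMARC_TAG_RE.fullmatch(part)
        if m:
            tags[m.group(1).lower()] = m.group(2).strip()
    return tags


def assess_dmarc(txt_records: List[str]) -> str:
    """Classify the TXT records published at _dmarc.<domain>.

    Returns one of: 'missing', 'invalid', 'monitor-only', 'enforcing'.
    Only 'enforcing' (p=quarantine or p=reject) tells receivers to act on
    mail that forges the domain; 'missing' is the 47% case in the table.
    """
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "missing"
    if len(records) > 1:
        # RFC 7489 6.6.3: multiple records -> receivers take no DMARC action.
        return "invalid"
    policy = parse_dmarc(records[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # the 'p' tag is required
    return "monitor-only" if policy == "none" else "enforcing"


def _csp_is_weak(csp: str) -> bool:
    """Heuristic: script execution is effectively unrestricted."""
    directives: Dict[str, List[str]] = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = [p.strip("'").lower() for p in parts[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither script-src nor default-src: scripts unrestricted
    return any(s in ("unsafe-inline", "unsafe-eval", "*") for s in sources)


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding names (matching the table) for one HTTPS response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("Missing HSTS header")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Missing Content Security Policy")
    elif _csp_is_weak(csp):
        findings.append("Weak CSP configuration")
    # A wildcard or "null" origin is permissive on its face. Origin reflection
    # can only be detected by sending requests with varying Origin headers,
    # which a single captured response cannot show.
    acao = h.get("access-control-allow-origin", "").strip()
    if acao in ("*", "null"):
        findings.append("Permissive CORS policy")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    print(assess_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
    print(assess_headers({
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "Access-Control-Allow-Origin": "*",
    }))
```

The DMARC classifier treats a `p=none` record as monitor-only rather than as a pass, because receivers will report but not block forged mail under it; that distinction is the practical gap between "has a record" and "cannot be spoofed".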