Top 1 Million Analysis – June 2026: Ten Years of Web Security


Sponsored by: Report URI - Magecart lives in the browser. Make the browser tell you when something changes.

It's been a long time since the last one of these! The previous Top 1 Million Analysis was way back in June 2022, and a lot has happened since then. But there's a much bigger reason to dust off the crawler and publish another report: this year marks ten years since I started crawling the top 1 million sites! The very first crawl went out in 2016, and a decade later it feels like exactly the right moment to take stock of how far web security has come — and where it's quietly going backwards.

There's so much to cover this year that I've split the report into two parts. This first part is the anniversary retrospective and the broad state of the web — HTTPS, the security headers, cookies, email and DNS security, and more. Part two is going to be a dedicated deep-dive into the cryptography side of things with TLS, certificates, certificate lifetimes, the arrival of post-quantum cryptography, and more. That will be published tomorrow.

Introduction

Over a decade ago, I started measuring how the web was adopting some of the security features that were, at the time, still relatively new or uncommon. Things like HTTPS redirects, HSTS, CSP, security headers, cookie flags, and other browser-side protections were gradually becoming part of the modern web security toolkit. A decade later, the picture looks very different. Some of those technologies are now firmly established, others have struggled to gain meaningful adoption, and in many cases the presence of a feature doesn't necessarily mean it has been deployed well. In this post, I'm taking a fresh look at the Tranco Top 1 Million to see how far we've come, where progress has stalled, and what the current state of web security really looks like.

The Crawl

The methodology is the same as it's always been: take the Tranco Top 1 Million list, request each site over HTTP, follow the redirects, and record everything about the response — security headers, the TLS handshake, the certificate, a bunch of DNS lookups, and everything else I could think of. Of the million sites on the list, 819,002 responded this time, and everything below is measured against that responding population.

Two things worth flagging up front. First, the gap: four years is a long time (my bad), so where it's useful I've compared back to June 2022, but I've also leaned on the full historical dataset for the ten-year view. Second, I took the opportunity to substantially expand what the crawler measures for this anniversary edition — there are a whole set of new metrics here that have never appeared in one of these reports before (cookie security attributes, DMARC/SPF, cross-origin isolation, ECH, post-quantum cryptography and more). More on those as we go, and the big hitters will be in part two.
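To make the "follow the redirects and record the headers" step concrete, here is a small classifier of the kind the crawl implies, written for this post as an added example rather than code from the report's own crawler. It assumes each crawl record is the ordered redirect chain for one site, with every hop stored as (url, status, headers), and it runs over three constructed sample records instead of live sites. It also bakes in one check that the counting in the tables depends on: an HSTS header is only meaningful when the final response arrived over HTTPS (browsers ignore it on plain HTTP, RFC 6797) and when max-age is greater than zero.

```python
"""Tally security-header metrics over crawl records (added example,
not the report's crawler). Assumption: a record is a list of hops
(url, status, headers) following redirects from the initial http:// URL."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample crawl records standing in for real responses.
SAMPLE_CRAWL = [
    # Redirects to HTTPS and sets a full set of headers.
    [("http://example-a.test/", 301, {"location": "https://example-a.test/"}),
     ("https://example-a.test/", 200, {
         "strict-transport-security": "max-age=31536000; includeSubDomains",
         "content-security-policy": "default-src 'self'",
         "x-content-type-options": "nosniff",
         "x-frame-options": "DENY"})],
    # Stays on plain HTTP: the HSTS header it sends is ignored by browsers.
    [("http://example-b.test/", 200, {
         "strict-transport-security": "max-age=31536000",
         "x-frame-options": "SAMEORIGIN"})],
    # HTTPS with a report-only policy and an HSTS header that disables HSTS.
    [("http://example-c.test/", 302, {"location": "https://example-c.test/"}),
     ("https://example-c.test/", 200, {
         "strict-transport-security": "max-age=0",
         "content-security-policy-report-only": "default-src 'none'",
         "x-content-type-options": "NOSNIFF"})],
]

HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def final_headers(chain):
    """Headers of the last hop, with names lower-cased for lookup."""
    return {k.lower(): v for k, v in chain[-1][2].items()}


def redirected_to_https(chain):
    """True when a crawl that started on http:// finished on https://."""
    first_scheme = urlsplit(chain[0][0]).scheme
    last_scheme = urlsplit(chain[-1][0]).scheme
    return first_scheme == "http" and last_scheme == "https"


def hsts_enabled(chain):
    """Count HSTS only when served over HTTPS with a positive max-age."""
    if urlsplit(chain[-1][0]).scheme != "https":
        return False
    value = final_headers(chain).get("strict-transport-security", "")
    match = HSTS_MAX_AGE.search(value)
    return bool(match) and int(match.group(1)) > 0


def classify(chain):
    """Return the set of metric names one site satisfies."""
    headers = final_headers(chain)
    metrics = set()
    if redirected_to_https(chain):
        metrics.add("Redirect to HTTPS")
    if hsts_enabled(chain):
        metrics.add("HSTS")
    if "content-security-policy" in headers:
        metrics.add("CSP")
    if "content-security-policy-report-only" in headers:
        metrics.add("CSP-Report-Only")
    # Only the literal token "nosniff" (case-insensitive) enables the protection.
    if headers.get("x-content-type-options", "").strip().lower() == "nosniff":
        metrics.add("X-Content-Type-Options")
    if "x-frame-options" in headers:
        metrics.add("X-Frame-Options")
    return metrics


def tally(crawl):
    """Aggregate per-site metrics into the counts the report tables show."""
    counts = Counter()
    for chain in crawl:
        counts.update(classify(chain))
    return counts


if __name__ == "__main__":
    for name, n in sorted(tally(SAMPLE_CRAWL).items()):
        print(f"{name:24} {n}")
```

Running it prints the per-metric counts for the three sample records; the second sample shows why "header present" and "protection active" are different things, since its HSTS header is sent but never honoured.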

A decade in numbers

Before we dig into individual metrics, here's the headline story of ten years of web security, told through the three metrics with the longest history:

Metric               Aug 2015    Mar 2020    Jun 2022    Jun 2026
Redirect to HTTPS    62,043      528,498     589,979     658,038
HSTS                 11,308      132,466     188,492     252,846
CSP                  1,365       51,986      79,549      170,057

That's the encouraging part — the foundational stuff is still climbing. HTTPS has gone from a minority of sites to the overwhelming default, HSTS continues its steady climb, and CSP has more than doubled again since 2022. The web really is more secure than it was a decade ago. But as we'll see, several of the metrics I've tracked for years have plateaued or started to slide, and the most interesting story this year is in the brand-new things that didn't even exist last time.

The biggest movers of the decade

Ten years is long enough to see some genuinely enormous swings. Measured from the very first crawl in 2015, the biggest risers are:

Metric                     Aug 2015    Jun 2026    Change
Content-Security-Policy    1,365       170,057     +12,360%
CSP-Report-Only            211         9,979       +4,630%
HSTS                       11,308      252,846     +2,140%
Redirect to HTTPS          62,043      658,038     +960%
X-Content-Type-Options     44,315      311,659     +603%
X-Frame-Options            55,042      327,918     +496%

CSP going from barely a thousand sites to 170,000+ — a 125× increase — is the standout of the decade, without a doubt. It's great to see it finally getting the attention it deserves.

And the notable fallers and reversals, mostly more recent:

EV certificates: 15,604 (2020 peak) → 4,186, a slow-motion collapse. If you're new to the Web, you may not have seen an EV certificate in action, as their UI was removed back in 2019 (Gone forEVer) and I've been tracking their decline since long before that (Sites that used to have EV). It's weird to see that EV is still most popular in the highest-ranked sites; I guess they have the money to burn?

A quick note if you've not read one of these crawler reports before: this is the typical form I present the graphs in. We have the top 1 million sites on the x-axis, in groups...
