Analysis of the Alexa Top 1M sites (April 2019)

Prior to the release of the Mozilla Observatory in June of 2016, I ran a scan of the Alexa Top 1M websites. Despite being available for years, the usage rates of modern defensive security technologies was frustratingly low. A lack of tooling combined with poor and scattered documentation had led to minimal awareness around countermeasures such as Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and Subresource Integrity (SRI).

Since then, a number of additional assessments have done, including in October 2016, June 2017, and February 2018. All three surveys demonstrated clear and continual improvement in the state of web security. As a year has gone by since the last survey, it seemed like the perfect time to give the world wide web another assessment.

April 2019 Scan

Technology February 2018 April 2019 % Change
(Feb. 2018)
% Change
Content Security Policy (CSP) .022%2
Cookies (Secure/HttpOnly)4 8.97% 10.79% +20% +474%
  — Cookies (SameSite)4 .514%
Cross-origin Resource Sharing (CORS)5 96.89% 97.57% +.70% +4.0%
HTTPS 54.31% 71.67% +32% +142%
HTTP → HTTPS Redirection 21.46%6
Public Key Pinning (HPKP) 1.07% 1.73% +62% +302%
  — HPKP Preloaded8 0.70% 1.73% +141% +308%
Strict Transport Security (HSTS)9 6.03% 8.68% +44% +396%
  — HSTS Preloaded8 .631% .570% -10% +261%
Subresource Integrity (SRI) 0.182%11 0.770%11 +323% +5033%
X-Content-Type-Options (XCTO) 11.72% 16.27% +38% +163%
X-Frame-Options (XFO)12 12.55% 16.42% +31% +140%
X-XSS-Protection (XXSSP)13 10.36% 11.74% +13% +133%
Number of sites successfully scanned: 976,431

The overall growth in adoption continues to be encouraging, particularly the rise in the HTTPS and redirections to HTTPS. Overall, an additional 170,000 sites on the Alexa Top 1M now support HTTPS and about 190,000 of the top million websites have decided to do so automatically by redirecting to their HTTPS counterpart.

Subresource Integrity has also seen a sharp increase in uptake, as more and more libraries and content delivery networks work to make its usage a simple copy-and-paste operation. We've also see X-Content-Type-Options gain signicantly increased usage, particularly given that its usage enables cross-origin read blocking and helps protect against side-channel attacks like Meltdown and Spectre.

While the usage of Content Security Policy has continued to grow, it seems to be slowing down a bit. Tools like the Mozilla Laboratory make policy generation a lot easier, but it still remains extremely difficult to retrofit CSP to old and sprawling websites like so many of the top million.

Lastly, whether a result of policy changes in how the HTTP Strict Transport Security preload list is administered or some weird bug in my code, the percentage of the Alexa Top 1M contained in the preload list fell slightly. Oddly enough, of the 20,105 sites that set preload, only 5,540 of them are actually preloaded.

Mozilla Observatory Grading

Progress continues to be made amongst the Alexa Top 1M websites, but the vast majority still do not use Content Security Policy, Strict Transport Security, or Subresource Integrity. When properly used, these technologies can nearly eliminate huge classes of attacks against sites and their users, and so they are given significant weight in Observatory grading.

Here are the overall grades changes over the last year. Please keep in mind that what is being tested now isn't the same as what was being tested three years ago. An A+ in April 2016 was considerably easier to acquire than an A+ is now.

Grade April 2016 October 2016 June 2017 February 2018 April 2019 % Change
  A+ .003% .008% .013% .018% .028% +58%
A .006% .012% .029% .011% .014% +26%
B .202% .347% .622% 1.08% 1.48% +37%
C .321% .727% 1.38% 2.04% 1.82% -11%
D 1.87% 2.82% 4.51% 6.12% 4.62% -24%
F 97.60% 96.09% 93.45% 90.73% 92.03% +1.43%

It's interesting to notice growth at both the top and the bottom. Over the last year, Observatory tests have gotten more difficult, particularly with regards to loading JavaScript over protocol-independent URLs such as this:

<script src="//">

As a result, the bifurcation in scores likely indicates that more sites have decided to take web security seriously while others at the tail have fallen further into failure.

The Mozilla Observatory recently passed an important milestone of 10 million scans and has now helped over 175,000 websites improve their web security.

That's a big number, but I would love to see it continue to grow. So please share the Observatory so that the web can keep getting safer. Thanks so much!


  1. Since April 2016
  2. Allows 'unsafe-inline' in neither script-src nor style-src
  3. Allows 'unsafe-inline' in style-src only
  4. Amongst sites that set cookies
  5. Disallows foreign origins from reading the domain's contents within user's context
  6. Redirects from HTTP to HTTPS on the same domain, which allows HSTS to be set
  7. Redirects from HTTP to HTTPS, regardless of the final domain
  8. As listed in the Chromium preload list
  9. max-age set to at least six months
  10. Percentage is of sites that load scripts from a foreign origin
  11. Percentage is of sites that load scripts
  12. CSP frame-ancestors directive is allowed in lieu of an XFO header
  13. Strong CSP policy forbidding 'unsafe-inline' is allowed in lieu of an XXSSP header

[Category: Security] [Tags: Alexa, Cookies, CORS, CSP, HPKP, HSTS, Observatory, HTTPS, Redirection, SRI, XCTO, XFO, XXSSP]