I Reviewed 120 Websites: These Security Mistakes Kept Showing Up
Source: Dev.to
Overview
I researched how small businesses and early‑stage startups handle basic web security by examining 120 different websites with explicit consent from their owners. The study combined automated tools with simple manual checks, revealing several recurring patterns.
Key Findings
- Missing HTTP security headers – About 68% of the sites lacked at least one recommended header (e.g., those governing content‑type handling or framing protections).
- Exposed server or framework information – Roughly 42% revealed unnecessary details, often through default configurations that had never been hardened.
- Sub‑optimal HTTPS/TLS setups – Approximately 23% had TLS configurations that did not fully align with current best practices, such as supporting outdated protocols or omitting protections like HSTS.
In many cases, a single site exhibited multiple issues simultaneously, compounding the overall risk.
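As an added example (not code from the original article), the Python below audits one response's headers for the first two findings above, plus the HSTS part of the third: missing security headers, server/framework disclosure, and a weak or absent HSTS policy. The header checklist, the one-year HSTS threshold and the sample responses are my assumptions, not the article's.

```python
import re

# Baseline headers expected on every HTTPS response (an assumed checklist,
# not one taken from the original article).
EXPECTED_HEADERS = {
    "x-content-type-options": "controls content-type sniffing",
    "x-frame-options": "framing protection (CSP frame-ancestors also counts)",
    "content-security-policy": "restricts where scripts and resources load from",
    "strict-transport-security": "HSTS, keeps repeat visitors on HTTPS",
    "referrer-policy": "limits referrer leakage to third parties",
}
# Headers that commonly disclose server or framework details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def audit_headers(headers):
    """Audit one response's headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {"missing": [], "disclosure": [], "hsts": None}
    csp = h.get("content-security-policy", "")
    for name, why in EXPECTED_HEADERS.items():
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors already covers framing
        if name not in h:
            findings["missing"].append(f"{name} ({why})")
    for name in DISCLOSURE_HEADERS:
        if h.get(name, "").strip():
            findings["disclosure"].append(f"{name}: {h[name]}")
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        findings["hsts"] = {
            "max_age": max_age,
            "weak": max_age < 31536000,  # below the commonly recommended one year
            "include_subdomains": "includesubdomains" in hsts.lower(),
        }
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE_UNHARDENED = {"Content-Type": "text/html", "Server": "nginx/1.18.0",
                     "X-Powered-By": "PHP/7.4.3"}
SAMPLE_HARDENED = {
    "Content-Type": "text/html", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
if __name__ == "__main__":
    for label, sample in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_headers(sample))
```

Feed it the headers from any HTTP client (for example `dict(response.headers)`) to get the same three findings the article tallies; the TLS protocol checks from the third finding need a TLS scanner and are out of scope here.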
Common Issues
These problems are not advanced vulnerabilities; they stem from basic misconfigurations that typically arise during the initial deployment of a website and persist when developers stop maintaining the code. A frequent misconception is treating security as a one‑time task completed at launch rather than an ongoing responsibility as the site evolves.
Conclusion
The recurring nature of these oversights motivated the creation of my agency, Secuiru, which focuses on detecting and correcting routine security misconfigurations early—before they develop into serious problems.