Government website security benchmarks — how .gov sites score

What they tend to get right

Federal .gov sites have HSTS with preload, TLS 1.2+ enforced, and DMARC at p=reject — the result of explicit OMB and CISA directives (M-15-13, BOD 18-01). Most major federal sites use shared infrastructure (cloud.gov, login.gov) that delivers consistent baseline hardening.

Where they fall short

CSP adoption is uneven; many federal sites lack it entirely. State and local government sites lag the federal baseline by 15-25 points on average — they aren't bound by the same directives and often run on legacy infrastructure. Server banners frequently leak (IIS, Apache versions). Permissions-Policy is rare across the sector.

Common findings in this sector

Findings that show up frequently across government & public sector sites we’ve scanned, ranked by approximate prevalence.

• CSP missing →

  ~60% of sites

  Procurement cycles slow header rollout even at federal level

• Permissions-Policy missing →

  ~80% of sites

  Almost universally absent across .gov

• X-Powered-By exposed →

  ~35% of sites

  ASP.NET and PHP banners commonly leak on state/local sites

• Server version disclosed →

  ~40% of sites

  IIS/Apache versions visible on legacy state sites

• Weak CSP →

  ~30% of sites

  When present, CSP allowlists are often broad