News & media website security benchmarks — how publishers score

What they tend to get right

TLS protocols and certificates are universally up-to-date thanks to CDN defaults (Cloudflare, Fastly, Akamai). Email-auth records are mature because newsletter products depend on inbox deliverability. Cookies on subscriber-portal subdomains are typically protected.

Where they fall short

CSP is the lowest-scoring category sector-wide. X-Frame-Options is often skipped to support widget embedding. Permissions-Policy is rare. Many publishers ship server banners that disclose their CMS (WordPress, Drupal, custom) which narrows exploit research. Mixed-content warnings on legacy article pages are not uncommon.

Common findings in this sector

Findings that show up frequently across news & media sites we’ve scanned, ranked by approximate prevalence.

• CSP missing →

  ~85% of sites

  Ad-tech requirements make tight CSP commercially impractical

• X-Frame-Options missing →

  ~50% of sites

  Widget-embeddable content often skips framing controls

• X-Powered-By exposed →

  ~40% of sites

  WordPress and Drupal headers commonly leak

• Server version disclosed →

  ~55% of sites

  CMS-platform banners stay visible by default

• DMARC not enforcing →

  ~25% of sites

  Newsletter senders often stay at p=none indefinitely