SaaS website security benchmarks — how cloud apps score

What they tend to get right

TLS is consistently modern. HSTS is widely deployed with includeSubDomains and increasingly preload. Marketing-site CSP is typically tight because there's no third-party tag-manager pressure. Email auth (SPF + DKIM + DMARC) is mature because transactional mail is a first-class concern.

Where they fall short

X-Frame-Options / frame-ancestors are inconsistent — many SaaS sites need to embed in customer dashboards but haven't tightened the policy to specific allowed parents. App subdomains often score lower than marketing domains because the CSP allowlist drifts as features ship. CORS misconfigurations on API subdomains are common.

Common findings in this sector

Findings that show up frequently across saas sites we’ve scanned, ranked by approximate prevalence.

• Weak CSP →

  ~55% of sites

  App-domain CSPs accumulate cruft as integrations are added

• X-Frame-Options missing →

  ~30% of sites

  Embed-friendly products often skip framing controls entirely

• Permissions-Policy missing →

  ~65% of sites

  Rarely set on either marketing or app domains

• Server version disclosed →

  ~25% of sites

  Vercel/Cloudflare-fronted sites obscure this; self-hosted leaks

• HSTS not preloaded →

  ~55% of sites

  HSTS deployed but not yet preload-eligible