Daily monitoring · 476 domains

The Fortune 500 Security Report

We continuously scan the public security configuration of the largest U.S. companies. This page tracks who's improving, who's slipping, and how the cohort as a whole is shifting on TLS, headers, and email auth.

Updated May 29, 2026 · 30-day rolling window

30-day trends

The cohort, day by day.

Each chart is the percentage of Fortune 500 domains shipping that feature, sampled daily for the last 30 days.

TLS 1.3 adoption

Domains preferring TLS 1.3

87.2%

+0.2pp · 30d

HSTS adoption

Domains enforcing HSTS

44.1%

-0.9pp · 30d

Content-Security-Policy

Domains shipping CSP

16.4%

-1pp · 30d

X-Frame-Options

Clickjacking protection

24.6%

-0.6pp · 30d

DMARC

Email auth: DMARC record

81.9%

+0.2pp · 30d

DNSSEC

DNSSEC enabled at the registrar

17.2%

+0.4pp · 30d

Today's leaders

The best and worst graded right now.

Same grading formula we use on every individual scan: weighted across SSL, HSTS, CSP, headers, TLS strength, cookie security, DMARC, DKIM, DNSSEC, and more.

Top 5 · highest score

1

discord.com 98 A

2

detik.com 98 A

3

gizmodo.com 98 A

4

m.me 98 A

5

youtube.com 96 A

Bottom 5 · lowest score

1

abcnews.go.com 52 D

2

narod.ru 54 D

3

huawei.com 54 D

4

sina.com.cn 56 C

5

theglobeandmail.com 56 C

Where would your domain rank?

Run a free scan →

Last 30 days

Who moved?

Comparing each domain's current scan to its scan from ~30 days ago. 11 domains changed at least one security feature in that window.

Domains changed

11

Features added

+8

Features lost

−13

engadget.com C

May 29

HSTS: on → off CSP: on → off X-Frame-Options: on → off WAF detection: off → on

aol.com C

May 29

HSTS: on → off CSP: on → off X-Frame-Options: on → off

dreamstime.com C

May 29

HSTS: on → off CSP: on → off X-Frame-Options: on → off

ft.com C

May 29

HSTS: on → off CSP: on → off WAF detection: off → on

people.com A

May 29

CSP: off → on X-Frame-Options: off → on

justjared.com C

May 29

WAF detection: off → on TLS version: TLSv1.2 → TLSv1.3

detik.com A

May 29

TLS version: TLSv1.2 → TLSv1.3 TLS strength: Medium → Strong

washingtonpost.com C

May 29

CSP: on → off WAF detection: off → on

weather.com C

May 29

WAF detection: on → off

standard.co.uk B

May 29

HSTS: off → on

imageshack.us B

May 29

HSTS: off → on

Track your own domain

Get the same daily monitoring on your site.

Free scan, full report, no signup. Add scheduled monitoring to get alerted when your security config changes — the same way we caught every move on this page.

Scan your site free →