
I Scanned the Internet's Top 500 Websites for Security — Only 1% Got an A
I built ContrastScan — an open-source security scanner written in C that grades websites A-F across 11 modules: SSL/TLS, HTTP headers, DNS email authentication, CORS, cookies, CSP, and more. Max score: 100 points.

I took the Tranco top 500 most visited domains, filtered out infrastructure-only entries (CDN nodes, DNS servers, API backends with no web frontend), and scanned the remaining 304 websites that had actual web frontends.

The average score was 61 out of 100. A D+.

The Numbers

| Grade | Sites | % |
|---|---|---|
| A (90-100) | 3 | 1% |
| B (70-89) | 57 | 19% |
| C (55-69) | 99 | 33% |
| D (40-54) | 126 | 41% |
| F (0-39) | 19 | 6% |

3 out of 304 scored an A. The most common grade is D — 41% of the internet's biggest sites live there.

Who's Winning

| Site | Score | Grade |
|---|---|---|
| discord.com | 92 | A |
| media.net | 92 | A |
| taboola.com | 91 | A |
| stripe.com | 88 | B |
| indeed.com | 88 | B |
| openai.com | 87 | B |
| paypal.com | 85 | B |
| salesforce.com | 84 | B |
| github.com | 82 | B |
| slack.com | 81 | B |

Discord leads — TLS 1.3, all security headers, full SPF/DKIM/DMARC, tight CSP. Stripe and PayPal are right behind, w
Continue reading on Dev.to Webdev



