Website security should be at the forefront of any website during development and ongoing maintenance; it shouldn't be an afterthought. A step in the right direction is implementing basic HTTP security headers to mitigate security vulnerabilities. This can help prevent Cross-Site Scripting, clickjacking, information disclosure and more.
A brilliant free tool to test your website's HTTP security headers is Scott Helme's Security Headers website. According to its stats, only 12.3% of scanned sites achieved grades of A or A+, while 87.7% required improvement with grades between B and F.
I decided to take a look at the Premier League club websites to see how they fare when it comes to HTTP security headers:
| Position | Club | Grade |
|---|---|---|
| 1 | West Ham | A |
| 2 | Arsenal | C |
| 3 | Aston Villa | D |
| 4 | Brentford | D |
| 5 | Brighton and Hove Albion | D |
| 6 | Chelsea | D |
| 7 | Crystal Palace | D |
| 8 | Everton | D |
| 9 | Manchester City | D |
| 10 | Manchester United | D |
| 11 | Newcastle | D |
| 12 | Leicester City | D |
| 13 | Southampton | D |
| 14 | Tottenham Hotspur | D |
| 15 | Watford | D |
| 16 | Wolverhampton Wanderers | D |
| 17 | Burnley | F |
| 18 | Norwich | F |
| 19 | Leeds | F |
| 20 | Liverpool | F |

Conclusion
West Ham emerged as the clear leader, demonstrating serious commitment to website security. Arsenal achieved a respectable standing, though improvement remains possible.
The four clubs in the “relegation zone” (Burnley, Norwich, Leeds, and Liverpool) require urgent attention to their security headers. The remaining thirteen clubs, including Manchester City, Manchester United, Chelsea, and Tottenham Hotspur, should prioritise enhancement.
Overall, 18 of the 20 Premier League clubs should really consider improving their website security headers to follow security best practice.
For implementation guidance, check out my article on how to set up HTTP Security Headers in ASP.NET Core.
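
To check a site's response headers yourself before and after making changes, here is an added example (not code from the original article or from the Security Headers project). The set of checks is an assumption, a commonly recommended baseline rather than that site's grading rules, and the `audit_headers` name and both sample responses are constructed for illustration.

```python
import re

def audit_headers(headers):
    """Return {check_id: problem} for one response's headers; empty means all pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    problems = {}
    # HSTS only takes effect with a positive max-age.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        problems["hsts"] = "Strict-Transport-Security missing or max-age=0"
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        problems["csp"] = "Content-Security-Policy missing (XSS mitigation)"
    # Clickjacking: framing must be restricted by CSP frame-ancestors or X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        problems["framing"] = "no frame-ancestors directive or valid X-Frame-Options"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems["nosniff"] = "X-Content-Type-Options is not 'nosniff'"
    # With a comma-separated fallback list, the last policy is the one checked here.
    referrer = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    if referrer in ("", "unsafe-url"):
        problems["referrer"] = "Referrer-Policy missing or unsafe-url"
    if not h.get("permissions-policy"):
        problems["permissions"] = "Permissions-Policy missing"
    # Information disclosure: X-Powered-By, or a Server value carrying a version number.
    if "x-powered-by" in h or re.search(r"\d", h.get("server", "")):
        problems["disclosure"] = "Server/X-Powered-By reveals software details"
    return problems

# Constructed sample responses, not taken from any real site.
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
    "X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=0",
}
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff", "Server": "nginx",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(sample) or "all checks pass")
```

To audit a live site, pass in the header dictionary from your HTTP client's response object instead of the sample data.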