2026 Website Security Report: Data from 85 Indie Hackers
What are the most common website security vulnerabilities in 2026? Based on original research scanning 85 indie hacker websites, the most frequent security failures are missing HTTP security headers (80%), incomplete DNS email authentication like SPF and DMARC (40%), and exposed API secrets in client-side code (25%). These gaps leave fast-shipping startups highly vulnerable to XSS, phishing, and account takeover.
The Research Methodology
In late 2025 and early 2026, we ran passive security analysis on 85 websites recently launched by indie hackers (sourced from Hacker News, Product Hunt, and Vercel deploys). The goal was to understand the actual security posture of developers who prioritize shipping speed over enterprise compliance.
The findings indicate that modern frontend frameworks (like Next.js and React) successfully mitigate some traditional vulnerabilities, but introduce entirely new classes of risk—particularly around secret exposure and rapid deployment defaults.
Finding 1: 1 in 4 Sites Expose Secrets in Client-Side Code
The most critical finding is that 25% of analyzed sites had potential secrets exposed in their publicly accessible JavaScript bundles or source maps.
Modern single-page applications (SPAs) bundle environment variables directly into static files. When developers incorrectly prefix a sensitive key (e.g., using `NEXT_PUBLIC_` for a secret Stripe key or an administrative LLM API key), it becomes visible to anyone who views the source.
- Never prefix secret keys with `NEXT_PUBLIC_` or `VITE_`.
- Disable source maps in production unless strictly necessary.
- Scan your production site for exposed API keys before every major launch.
Finding 2: 4 in 5 Sites Missing Basic Security Headers
A staggering 80% of the sites lacked fundamental HTTP security headers such as Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), and X-Frame-Options.
While modern hosting platforms (Vercel, Netlify) provide excellent defaults, they do not automatically inject aggressive CSPs or HSTS max-age rules because those can break applications if misconfigured. Developers must opt-in to these protections.
The Fix:
- Add a `next.config.js` or `vercel.json` headers block.
- Enforce `Strict-Transport-Security` to guarantee HTTPS connections.
- Implement a basic `Content-Security-Policy` to mitigate Cross-Site Scripting (XSS).
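As an added example (not code from the report or from any of the audited sites), a minimal `next.config.js` that opts into the three headers named above, plus a small check that lists which of them a fetched response is missing. The HSTS `max-age`, the CSP directives, and the helper names `getSecurityHeader` and `missingSecurityHeaders` are assumptions to adjust per application.

```javascript
// next.config.js (added example; values below are assumptions, tune per app)
const securityHeaders = [
  {
    // HSTS: browsers refuse plain HTTP for this host for two years.
    // Roll out with a short max-age and without includeSubDomains until every
    // subdomain is confirmed to serve HTTPS; a bad HSTS rule is slow to undo.
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains',
  },
  {
    // Baseline CSP: same-origin only, inline scripts blocked.
    // Ship it first as Content-Security-Policy-Report-Only to find breakage.
    key: 'Content-Security-Policy',
    value: [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data:",
      "object-src 'none'",
      "frame-ancestors 'none'",
      "base-uri 'self'",
    ].join('; '),
  },
  {
    // Clickjacking protection for browsers that predate frame-ancestors.
    key: 'X-Frame-Options',
    value: 'DENY',
  },
];

// Returns the configured value for a header name (case-insensitive), else undefined.
function getSecurityHeader(name) {
  const hit = securityHeaders.find((h) => h.key.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : undefined;
}

// Given a response's headers as a name -> value object, returns the names from
// securityHeaders that are absent. Useful as a pre-launch smoke check.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return securityHeaders.map((h) => h.key).filter((k) => !present.has(k.toLowerCase()));
}

const nextConfig = {
  async headers() {
    // "/(.*)" is Next.js path-matcher syntax: apply to every route.
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

module.exports = nextConfig;
```

Run `missingSecurityHeaders` against the headers of a real deploy (for example, `Object.fromEntries(res.headers)` from a `fetch` of the production URL) to confirm the block actually reached the edge.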
Finding 3: 2 in 5 Sites Have Vulnerable DNS Email Auth
Despite the aggressive push by Gmail and Yahoo to enforce sender requirements in 2024 and 2025, 40% of the domains analyzed had missing or misconfigured SPF, DKIM, or DMARC records.
This means their domains can be easily spoofed by attackers to send phishing emails that appear perfectly legitimate, destroying domain reputation and causing legitimate transactional emails to land in spam folders.
The Fix:
- Verify your domain's TXT records.
- Set up a baseline DMARC policy (`v=DMARC1; p=none;`) to start monitoring abuse.
- Run a free DNS Health Check to validate your alignment.
Conclusion
The "ship fast" ethos of 2026 is powerful, but it leaves a massive tail of security debt. You don't need a SOC2 audit to launch a side project, but you do need basic hygiene. Taking 5 minutes to validate your headers, DNS, and secret exposure can save you from a catastrophic weekend incident.