惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

www.infosecurity-magazine.com
www.infosecurity-magazine.com
D
DataBreaches.Net
T
Tailwind CSS Blog
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
F
Full Disclosure
V2EX - 技术
V2EX - 技术
N
News and Events Feed by Topic
Help Net Security
Help Net Security
L
LangChain Blog
Y
Y Combinator Blog
宝玉的分享
宝玉的分享
Google Online Security Blog
Google Online Security Blog
P
Proofpoint News Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
B
Blog RSS Feed
N
Netflix TechBlog - Medium
N
News | PayPal Newsroom
TaoSecurity Blog
TaoSecurity Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V
Vulnerabilities – Threatpost
B
Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园_首页
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
AI
AI
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cyberwarzone
Cyberwarzone
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
G
GRAHAM CLULEY
Vercel News
Vercel News
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
博客园 - 司徒正美
C
CERT Recently Published Vulnerability Notes
GbyAI
GbyAI
Scott Helme
Scott Helme
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
A
About on SuperTechFans
P
Privacy International News Feed

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is ARP? ARP protocol explained What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is GhostPairing on WhatsApp? What is a prompt injection attack? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
Are UK council websites adhering to government security guidelines? - Comparitech
Justin Schamotta · 2026-06-23 · via Comparitech

Are UK council websites adhering to government security guidelines_

Our analysis of 373 UK council websites found that, despite government guidance, just one in three councils implemented a Content Security Policy (CSP).

A CSP helps protect websites against cross-site scripting (XSS) and code injection attacks. XSS was listed as the most dangerous software weakness by the CWE in 2025, and is frequently exploited – sometimes leading to massive data breaches.

Of the 128 councils (34.3%) that did deploy a CSP, only 75 (20.1% of all councils analysed) were classified as having a strong policy.

We also looked at how councils compared in their use of other government-recommended browser-hardening controls and transport security.

Overall, our findings suggest that while councils have largely adopted modern encryption standards, many have yet to implement some of the browser-side security controls recommended as part of a modern web security strategy.

More than three-fifths of councils do not deploy a Content Security Policy

A CSP is a browser security mechanism that restricts which scripts, styles, and other resources a website can load. When implemented correctly, it can help mitigate some forms of cross-site scripting and code injection attacks. Nevertheless, CSP adoption among UK councils remains relatively low.

Of the 373 websites successfully analysed:

  • 128 councils (34.3%) deployed a CSP
  • 238 councils (63.8%) had no CSP
  • 7 councils used a report-only policy that monitored violations without enforcing restrictions

Among councils that deployed CSP, just 75 (20.1%) had what we classified as a strong implementation that would instruct the browser to trust only specific sources of content and to reject anything unexpected. Twenty-one councils (5.6%) had what we classified as moderate CSP implementation, which meant they had at least one significant omission.

A quarter of all deployed CSPs (32 out of 128) were classified as weak, often due to the inclusion of directives such as unsafe-inline and unsafe-eval. The former permits the execution of inline JavaScript within the page, while the latter allows the execution of dynamically generated code from strings. Guidance from OWASP recommends avoiding these directives wherever possible.

In practice, their use significantly weakens the protections CSP is intended to provide. Where a cross-site scripting (XSS) vulnerability exists – for example in a search field, contact form, or URL parameter – an attacker may be able to inject malicious scripts that create credential-harvesting login forms, steal session cookies, or covertly redirect users to phishing pages.

Other modern security controls are also uncommon

We found similarly low adoption rates for several other modern security mechanisms.

Just over 13% (49 out of 373) published a security.txt file, a standard mechanism that allows security researchers to report vulnerabilities responsibly.

Sixty-one councils (16.4%) implemented a Permissions-Policy header, which can be used to restrict access to potentially sensitive browser features such as cameras, microphones, and geolocation APIs.

The relatively low adoption of these controls suggests many councils might be prioritising basic website functionality and encryption over more advanced browser hardening measures.

On a more positive note, 78.8% of council websites used HTTP Strict Transport Security (HSTS). HSTS instructs browsers to use HTTPS exclusively, even if a user attempts to access the site over HTTP. This prevents data from being transmitted in plain text, reducing the risk of it being intercepted by a malicious third party.

X-Frame-Options was implemented at a similar rate, present on 79.1% of council sites. This header controls whether a webpage can be embedded inside an <iframe> on another site. Its presence helps defend against clickjacking, a technique in which a malicious site overlays hidden or disguised elements over a legitimate page to trick users into clicking something they did not intend.

Councils perform much better on encryption

While browser-side protections showed significant gaps, the results were considerably more positive when it came to transport security. Well-configured Transport Layer Security (TLS) helps protect communications between users and websites from eavesdropping and tampering.

None of the council websites analysed supported the deprecated TLS 1.0 or TLS 1.1 protocols, both of which have been considered insecure for years.

Meanwhile:

  • 372 councils (99.7%) supported TLS 1.2
  • 307 councils (82.3%) supported TLS 1.3
  • 294 councils (78.8%) deployed HTTP Strict Transport Security (HSTS)
  • No expired TLS certificates were identified during testing

HSTS helps prevent users from being downgraded to unencrypted HTTP connections and is widely regarded as an important defense against protocol downgrade and SSL stripping attacks.

These findings indicate that councils have largely modernised the cryptographic foundations of their websites and have removed support for outdated encryption standards. Support for TLS 1.3 is particularly important because current efforts to standardise post-quantum cryptography for web communications are focused on TLS 1.3.

What do the results mean?

The overall picture is one of uneven progress. UK councils appear to have made substantial progress in securing data in transit. Modern TLS adoption is widespread, certificate management appears strong, and support for obsolete protocols has effectively disappeared.

However, many councils have not adopted the browser-side security controls that can help limit the impact of common web attacks. More than three-fifths of councils did not deploy CSP, fewer than one in six used Permissions-Policy, and fewer than one in eight published a security.txt file.

While the absence of these controls does not necessarily mean a website is vulnerable, they are widely regarded as security best practices and are commonly recommended by government agencies as part of a defense-in-depth approach to web security.

Councils are frequent targets of cyberattacks. They carry out several essential services such as housing and social care, while also holding personal information about residents. In recent years, councils in London, Leicestershire, and Wales have all experienced disruptive attacks.

Methodology

We attempted to analyse 379 UK council websites using URLs available at https://www.baseview.uk/listable/councils. There was a discrepancy between the total number of councils (382) and the number of websites (379), due to three websites covering two councils each. Six council sites closed the connection before we were able to negotiate a TLS session, meaning we were unable to assess them. Successful analysis was completed on 373 websites.

For each website, we recorded the negotiated TLS version, support for TLS 1.2 and TLS 1.3, certificate status, and the presence of common HTTP security headers, including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Note that we only checked the homepage of each site. It’s possible that the security headers varied across applications and subdomains.

Content Security Policies were scored out of 10 and classified as strong (8 to 10), moderate (5 to 7), or weak (0 to 4). We used a scoring methodology based on recognized CSP best practices and common misconfigurations. Each website started with a score that was capped at 10, with sites losing points for bad practices and regaining them for good ones.