We scanned the Cloudflare Top 1000 — here's what we found
In April 2026 we ran an automated Basic scan against the Cloudflare Radar Top 1000 domains — the most popular sites on the internet by direct DNS query volume. 999 returned a complete result (one timed out and was excluded). Below is what the data says, not what we wished it said.
Score distribution
The mean score across the 999 successful scans is 68.7 / 100 — a low C. Median is similar. Spread:
| Grade | Score range | Count | % |
|---|---|---|---|
| A+ | 95–100 | 24 | 2.4% |
| A | 85–94 | 392 | 39.2% |
| B | 75–84 | 1193 | —* |
| C | 65–74 | 1811 | —* |
| D | 50–64 | 1376 | —* |
| F | < 50 | 417 | —* |
*Numbers above 1000 because we re-scanned the same domains across runs. Distribution roughly: A 39%, B 22%, C 18%, D 14%, F 7%.
Reading: only 41.6% of the world's most popular domains earn an A or better when graded against PCI-DSS 4.0 / ANSSI / RFC 8996 (the strict bar we use, see our methodology article). About 7% are strictly broken — failing on multiple critical findings.
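The footnote above matters when reproducing these percentages: a raw count over the export double-counts every domain that was re-scanned. The following added example (ours, not the scanner's own code) keeps only the newest scan per domain before grading with the bands from the table; the column layout `domain,scanned_at,score` and the sample rows are constructed assumptions, not the real dataset.

```python
import csv
import io
from collections import Counter

# Grade bands exactly as in the article's table (score is an integer 0-100).
GRADE_BANDS = [("A+", 95), ("A", 85), ("B", 75), ("C", 65), ("D", 50), ("F", 0)]


def grade(score):
    """Map a 0-100 score to the letter grade used in the article's table."""
    for letter, floor in GRADE_BANDS:
        if score >= floor:
            return letter
    raise ValueError(f"score out of range: {score}")


def latest_per_domain(rows):
    """Keep only the newest scan per domain; re-scans would otherwise inflate counts."""
    newest = {}
    for row in rows:
        d = row["domain"]
        # ISO dates compare correctly as strings.
        if d not in newest or row["scanned_at"] > newest[d]["scanned_at"]:
            newest[d] = row
    return newest


def distribution(rows):
    """Return {grade: (count, percent)} over the deduplicated rows."""
    newest = latest_per_domain(rows)
    counts = Counter(grade(int(r["score"])) for r in newest.values())
    total = len(newest)
    return {
        g: (counts.get(g, 0), round(100 * counts.get(g, 0) / total, 1))
        for g, _ in GRADE_BANDS
    }


def load_rows(text):
    """Parse CSV text in the assumed column layout into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample in the assumed column layout; scores are illustrative only.
SAMPLE_CSV = """domain,scanned_at,score
icloud.com.cn,2026-04-13,90
icloud.com.cn,2026-04-20,90
cloudflare.com,2026-04-13,79
cloudflare.com,2026-04-20,83
instagram.com,2026-04-13,20
no-ip.com,2026-04-13,18
ui.com,2026-04-20,84
"""

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(f"{len(rows)} scan rows, {len(latest_per_domain(rows))} distinct domains")
    for g, (n, pct) in distribution(rows).items():
        print(f"{g:3} {n:4} {pct:5.1f}%")
```

Run against the real export, the deduplicated total should land on the 999 domains the article reports; if it does not, the dedup key (domain) or the timestamp column is wrong for that file.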
The top 5 are not who you'd expect
| Rank | Domain | Score |
|---|---|---|
| 1 | icloud.com.cn | 90 (A) |
| 2 | stripe.network | 87 (A) |
| 3 | fontawesome.com | 86 (A) |
| 4 | ui.com (Ubiquiti) | 84 (B) |
| 5 | cloudflare.com | 83 (B) |
Apple's Chinese iCloud mirror beating Stripe is the kind of result that makes you triple-check the methodology. We did. The reason: icloud.com.cn serves a minimal landing page (no JS, no ads, no analytics, no third-party widgets) so the WEB category gets only one or two LOW findings. stripe.network is also a minimal landing but ships a few non-trivial scripts. Fontawesome is a CDN — flat surface, easy to score high on.
cloudflare.com at 83 is interesting: their own dogfooding scores B, not A+. The drag is the same TLS 1.0/1.1 enablement we documented in the Google article. Cloudflare publicly markets WAF + DDoS protection but their own apex still negotiates TLS 1.0. Compatibility over compliance, again.
The bottom 5: Big Tech is not safe
| Rank | Domain | Score |
|---|---|---|
| 996 | fbsbx.com (Facebook CDN) | 23 (F) |
| 997 | baidu.com | 20 (F) |
| 998 | instagram.com | 20 (F) |
| 999 | no-ip.com | 18 (F) |
A surprising chunk of the bottom-50 belongs to Meta and Chinese Big Tech. Reasons differ:
- Meta properties (instagram.com, fbsbx.com, fbcdn.net) — DNS records pointing to IPs flagged by AbuseIPDB / Spamhaus due to their ads infrastructure activity. A massive surface attracts bot traffic, which gets reported.
- Baidu — TLS 1.0/1.1 enabled (Chinese mainland clients still ship antique TLS), aggressive cookie tracking without flags, no security.txt, no DMARC.
- no-ip.com — dynamic DNS provider, multiple critical findings stemming from how their service routes traffic. Their core product means they're flagged by reputation feeds for hosting malware C2.
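Two of the Baidu findings above (cookies set without flags, no DMARC) are cheap to check for your own domain before a scanner does. The following is an added example written for this post, not the scanner's own code: one function reports every `Set-Cookie` that lacks `Secure`, `HttpOnly` or `SameSite`, the other classifies the DMARC posture from the TXT records at `_dmarc.<domain>` following the RFC 7489 rules for missing, duplicate and policy-less records. The headers and TXT strings are constructed, not captured from any real site; how you fetch them (an HTTP client, a DNS resolver) is up to you.

```python
import re

# Constructed HTTP response headers; not a capture from any real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "track=xyz; Path=/; Expires=Wed, 01 Jan 2036 00:00:00 GMT"),
    ("Content-Type", "text/html"),
]


def cookie_findings(headers):
    """Return [(cookie_name, [missing attributes])] for every Set-Cookie header."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (SameSite=Lax) are irrelevant here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


DMARC_TAG = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")


def parse_dmarc(txt):
    """Parse one TXT record into a tag dict, or None if it is not a DMARC record."""
    tags = {}
    for chunk in txt.split(";"):
        m = DMARC_TAG.match(chunk)
        if m:
            tags[m.group(1)] = m.group(2).strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def dmarc_finding(txt_records):
    """Classify the DMARC posture from all TXT records found at _dmarc.<domain>."""
    records = [r for r in (parse_dmarc(t) for t in txt_records) if r]
    if not records:
        return "dmarc_missing"
    if len(records) > 1:
        # RFC 7489 section 6.6.3: more than one record means receivers apply no policy.
        return "dmarc_multiple_records"
    rec = records[0]
    policy = rec.get("p", "")
    if policy == "" and rec.get("rua"):
        # No valid p= but a reporting URI: receivers act as if p=none.
        policy = "none"
    if policy == "none":
        return "dmarc_policy_none"      # monitoring only; spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        return "ok"
    return "dmarc_invalid_policy"


if __name__ == "__main__":
    for cookie, missing in cookie_findings(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} lacks {', '.join(missing)}")
    print(dmarc_finding(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
```

`dmarc_policy_none` is reported separately from `ok` on purpose: a `p=none` record satisfies a naive "is there a DMARC record" check while offering no protection against spoofing.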
Most common CRITICAL findings (across all 5 200+ Basic scans we've run)
- 1 500 — `dns.ip_on_reputation_list`: domain's IP appears on AbuseIPDB / Spamhaus / Barracuda. (See our reputation feed analysis.)
- 1 058 — `tls.legacy_protocol_enabled`: TLS 1.0 or 1.1 still negotiable.
- 127 — `web.shodan_cve_exposure`: Shodan reports a known CVE on the IP.
- 19 — `tls.weak_cipher_suite`: 3DES, RC4, or other cipher in the "weak" PCI list.
- 6 — `web.leak.wp_config_bak`: a `wp-config.php.bak` served at root. WordPress credentials in cleartext.
Detail in our dedicated post.
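The two `tls.*` slugs above, and the TLS 1.0 negotiation noted for cloudflare.com earlier, come down to the same question: does a handshake pinned to a legacy version, or offered only weak ciphers, complete? The added example below (ours, written for this post, not the scanner's implementation) answers it with the standard-library `ssl` module: `probe` pins one protocol version and cipher list per connection, `scan` runs it for every version plus a weak-cipher-only attempt on TLS 1.2, and `classify` maps the outcome onto the two finding slugs. The result dicts `SAMPLE_MODERN` and `SAMPLE_LEGACY` are constructed for the offline demonstration, not captured from any host.

```python
import socket
import ssl

# Substrings of OpenSSL cipher names that fall in the PCI "weak" set the article refers to.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "NULL", "EXP", "MD5")
# Cipher-list string offering only weak suites; @SECLEVEL=0 lets OpenSSL offer them at all.
WEAK_CIPHER_STRING = "RC4:3DES:NULL:EXPORT:MD5:@SECLEVEL=0"
LEGACY = ("TLSv1", "TLSv1_1")


def probe(host, version, ciphers="ALL:@SECLEVEL=0", port=443, timeout=5.0):
    """One handshake pinned to exactly one protocol version and cipher list.
    Returns the negotiated OpenSSL cipher name, or None if the server refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # protocol support is the question here, not the chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Default security level refuses TLS 1.0/1.1 and weak ciphers; lowering it is what
        # makes the probe meaningful. set_ciphers raises if no listed cipher is compiled in.
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def classify(results):
    """Map probe results onto the article's finding slugs.
    results maps a label ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3", "weak@TLSv1_2")
    to the negotiated cipher name, or None when the handshake was refused."""
    findings = set()
    for label, cipher in results.items():
        if cipher is None:
            continue
        if label in LEGACY:
            findings.add("tls.legacy_protocol_enabled")
        if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
            findings.add("tls.weak_cipher_suite")
    return sorted(findings)


def scan(host):
    """Probe every protocol version, then a weak-cipher-only handshake on TLS 1.2."""
    versions = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    results = {v.name: probe(host, v) for v in versions}
    results["weak@TLSv1_2"] = probe(host, ssl.TLSVersion.TLSv1_2, ciphers=WEAK_CIPHER_STRING)
    return results, classify(results)


# Constructed probe results (not captured from any real host) for the offline demonstration.
SAMPLE_MODERN = {"TLSv1": None, "TLSv1_1": None,
                 "TLSv1_2": "ECDHE-RSA-AES128-GCM-SHA256",
                 "TLSv1_3": "TLS_AES_256_GCM_SHA384", "weak@TLSv1_2": None}
SAMPLE_LEGACY = {"TLSv1": "AES128-SHA", "TLSv1_1": "AES128-SHA",
                 "TLSv1_2": "ECDHE-RSA-AES128-GCM-SHA256",
                 "TLSv1_3": None, "weak@TLSv1_2": "DES-CBC3-SHA"}

if __name__ == "__main__":
    import sys
    res, found = scan(sys.argv[1])
    for label, cipher in res.items():
        print(f"{label:13} {cipher or 'refused'}")
    print("findings:", found or "none")
```

The weak-cipher probe is separate from the per-version probes because a server that accepts a weak suite will still pick a strong one when the client offers both; only a client hello restricted to weak suites reveals whether the server would fall back to them. A refused handshake on a version is the desired outcome for TLS 1.0 and 1.1, and a `None` for `weak@TLSv1_2` is the desired outcome for the cipher check.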
What it tells us
- Compliance ≠ popularity. Being in the Top 10 of a country doesn't mean your security posture is up to PCI-DSS or ANSSI standards.
- The TLS 1.0 problem is endemic. 1058 domains in our dataset still have it enabled. Most of them serve real production traffic.
- Reputation feed listings are the silent killer. 1500 critical findings on this single slug — most operators don't realise they're listed until they get blackholed by a major mail provider.
- Big Tech isn't a benchmark. Pretty much every audited Meta property scores below 50. Don't model your security posture on theirs.
Source domain list: `cloudflare-radar_top-1000-domains_20260413-20260420.csv`. Full per-domain results in our public dataset as `top1000-ranked.csv`.
What does YOUR domain score?
Free Basic scan, no signup needed for unverified domains. Median time-to-result is around 60 seconds. If you get a C or worse, our remediation walkthrough shows how to climb to A in about two hours of work.
