Zero of 17 Show HN launches have Content-Security-Policy
Over three days in April 2026 we scanned every Show HN front-page launch for basic security headers. Not one shipped with a CSP. Here is what else we found, with aggregate data and a five-minute fix checklist.
The setup
Every morning between April 18 and April 20 2026 our scanner pulled the last 24 hours of Show HN front-page posts and ran a passive security audit against each launch URL. Seventeen sites in total. No login attempts, no active exploitation — just the headers, TLS config, cookies, exposed files, and obvious information disclosure.
One finding stood out hard enough to be the title of this post: zero launches shipped with a Content-Security-Policy header. Not one. Not even a permissive one.
Sample and limits
Seventeen launches is small. Show HN is a self-selected population (early-stage, often first-launch founders). Treat this as a useful pattern, not a population study.
The numbers
Content-Security-Policy present: 0 of 17.
Strict-Transport-Security present: 3 of 17.
Exact version leaked through Server or X-Powered-By: 11 of 17.
Cookies set without one or more of HttpOnly, Secure, or SameSite: 9 of 17.
Exposed files: three launches serve a .env file directly. One serves a .git directory.
The five mistakes that account for 80% of the damage
We reviewed the full findings. Five patterns repeat across almost every failing launch.
1. No Content-Security-Policy (CSP)
Present on 0 of 17 sites. Zero. CSP is the single most effective XSS mitigation in a browser and nobody is shipping it on launch day.
The irony: if you're on Vercel or Railway with Next.js 14+, you need about eight lines in middleware.ts to add a working CSP. Vercel even ships a documented pattern for it.
2. Missing HSTS (Strict-Transport-Security)
Present on 3 of 17 sites. This is the header that tells browsers to refuse plain-HTTP connections to your domain, which is what blocks TLS-stripping downgrade attacks. Missing HSTS means an attacker on the same Wi-Fi as your visitor can strip TLS and MITM the session. One caveat: the header only protects a browser that has already seen it (or has your domain on the preload list), so the very first visit is still exposed.
One line: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.
3. Server header leaks exact versions
Present on 11 of 17 sites. Server: nginx/1.18.0 or X-Powered-By: Express hands attackers a CVE lookup cheat sheet. In nginx, server_tokens off; drops the version from the Server header (the bare product name stays unless you use a module such as headers-more); in Express it is app.disable('x-powered-by').
4. Cookies without HttpOnly / Secure / SameSite
Present as an issue on 9 of 17 sites. The worst offenders were session cookies (auth tokens) set without HttpOnly — meaning any injected JavaScript can read the session. Most frameworks' session middleware sets these flags by default; the fact that it keeps happening means people are setting ad-hoc cookies by hand without thinking about the attributes.
5. Exposed `.env` / `.git` / `.DS_Store`
Three launches served a .env file directly. One served a .git directory. This is the kind of thing where a bot finds you before you finish your Show HN comments.
If you're on Vercel, Railway, or Fly you're probably fine by default — this happens most on self-hosted Nginx setups where someone copied a config from Stack Overflow.
The outlier
Only one launch we scanned scored above 85, and every single launch that scored below 30 had all five of the mistakes above.
The difference wasn't the framework. We saw well-scored launches on Next.js, Go, Django, Rails. The difference was someone on the team cared about security headers the day they shipped.
The five-minute launch checklist
Before you post to Show HN:
1. Scan your launch URL with any scanner — ours is free and takes 18 seconds. Mozilla Observatory is also free.
2. Add a basic CSP. Even a strict one you'll relax later is better than none.
3. Add HSTS. One line.
4. Kill the Server / X-Powered-By header.
5. Check your cookies have HttpOnly, Secure, and SameSite=Lax.
That's it. Most of these are five-minute fixes. Most launches we scan would jump from a D to a B by doing just these five.
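As an added example (not the post's code or the ScanMyVibe scanner), here is a passive audit in JavaScript that applies the five checklist items to one response's headers. The sample headers, the recommended values and the starting CSP are constructed for the example; you would tune the policy per site.

```javascript
// Added example (not the post's or ScanMyVibe's code): a passive audit of one
// response's headers for the five checklist items. Input is constructed here;
// in practice you would pass Object.fromEntries(res.headers) from fetch() plus
// res.headers.getSetCookie() as "Set-Cookie".
const ONE_YEAR = 31536000; // minimum HSTS max-age accepted by the preload list

// Constructed sample resembling a failing launch (not a real site).
const SAMPLE_HEADERS = {
  "Server": "nginx/1.18.0",
  "X-Powered-By": "Express",
  "Set-Cookie": ["session=abc123; Path=/", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"],
};

// The fixes from the checklist, as headers a launch should ship with.
const RECOMMENDED = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
};

// Returns a finding string for one Set-Cookie value, or null if it has all three flags.
function auditCookie(setCookie) {
  const [pair, ...rest] = setCookie.split(";").map((p) => p.trim());
  const attrs = rest.map((a) => a.toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing.length ? `cookie ${pair.split("=")[0]} missing ${missing.join(", ")}` : null;
}

// Returns the list of findings for a headers object (names in any case).
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (!h["content-security-policy"]) findings.push("no Content-Security-Policy");
  const hsts = h["strict-transport-security"];
  const maxAge = Number(((hsts && /max-age=(\d+)/i.exec(hsts)) || [])[1] || 0);
  if (!hsts) findings.push("no Strict-Transport-Security");
  else if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} below one year`);
  if (h["server"] && /\d/.test(h["server"])) findings.push(`Server leaks version: ${h["server"]}`);
  if (h["x-powered-by"]) findings.push(`X-Powered-By present: ${h["x-powered-by"]}`);
  for (const c of [].concat(h["set-cookie"] || [])) {
    const f = auditCookie(c);
    if (f) findings.push(f);
  }
  return findings;
}

console.log(auditHeaders(SAMPLE_HEADERS));
```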
Why we're publishing this
We run ScanMyVibe and we scan Show HN every morning as a reliability test for our scanner — if it can find real-world issues on real launches, it works. Normally we keep the results to ourselves. This week the pattern was strong enough to share.
We didn't name specific sites. Every founder we scanned is doing something harder than writing yet another security blog post, and getting bug-bounty-roasted in a Show HN comment isn't useful.
What is useful: if you are about to launch, take eight minutes to fix the five things above. It'll save you an embarrassing top comment, and it'll save someone else a credential compromise.
The data
Sample: 17 Show HN launches audited April 18–20 2026. Method: passive scan of the launch URL only, no active testing. Scanner used: ScanMyVibe. Aggregate data only — we're not publishing a list of scored sites.