Our analysis of 373 UK council websites found that, despite government guidance, just one in three councils implemented a Content Security Policy (CSP).
A CSP helps protect websites against cross-site scripting (XSS) and other code-injection attacks. XSS was ranked the most dangerous software weakness in the 2025 CWE Top 25 list and is frequently exploited, sometimes as the entry point for large data breaches.
Of the 128 councils (34.3%) that did deploy a CSP, only 75 (20.1% of all councils analysed) were classified as having a strong policy.
We also looked at how councils compared in their use of other government-recommended browser-hardening controls and transport security.
Overall, our findings suggest that while councils have largely adopted modern encryption standards, many have yet to implement some of the browser-side security controls recommended as part of a modern web security strategy.
More than three-fifths of councils do not deploy a Content Security Policy
A CSP is a browser security mechanism that restricts which scripts, styles, and other resources a website can load. When implemented correctly, it can help mitigate some forms of cross-site scripting and code injection attacks. Nevertheless, CSP adoption among UK councils remains relatively low.
Of the 373 websites successfully analysed:
- 128 councils (34.3%) deployed a CSP
- 238 councils (63.8%) had no CSP
- 7 councils (1.9%) used only a report-only policy (sent as Content-Security-Policy-Report-Only), which reports violations but enforces nothing
Among councils that deployed a CSP, just 75 (20.1%) had what we classified as a strong implementation: a policy that instructs the browser to trust only specific sources of content and to reject anything unexpected. Twenty-one councils (5.6%) had what we classified as a moderate implementation, meaning the policy had at least one significant omission.
A quarter of all deployed CSPs (32 out of 128, or 8.6% of all councils) were classified as weak, most often because their script sources included the keywords 'unsafe-inline' and 'unsafe-eval'. The former lets inline <script> blocks and inline event handlers execute, which is exactly what an injected XSS payload is; the latter allows code to be built and run from strings via eval() and new Function(). OWASP guidance recommends avoiding both wherever possible, using a per-response nonce or a hash for any inline script that cannot be moved into a separate file.
In practice, their use largely negates the protection CSP is intended to provide. Where a cross-site scripting (XSS) vulnerability exists, for example in a search field, contact form, or URL parameter, an attacker may be able to inject scripts that create credential-harvesting login forms, steal session cookies, or covertly redirect users to phishing pages, and a policy that allows 'unsafe-inline' will do nothing to stop them.
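As an added illustration (not the survey's own scoring code), the following Node.js script parses a Content-Security-Policy value the way a browser reads it (first occurrence of a directive wins, fetch directives fall back to default-src, document directives such as base-uri do not) and flags the weaknesses discussed above. The point deductions are my own illustrative assumptions; only the strong/moderate/weak bands (8 to 10, 5 to 7, 0 to 4) follow the split described in the methodology section. The three sample policies are constructed and are not taken from any council site.

```javascript
// Added example: classify a CSP header value by the weaknesses discussed above.
// Deductions are illustrative assumptions; the bands follow the survey's 8-10/5-7/0-4 split.

// Parse a CSP serialisation into Map<directiveName, sourceExpressions[]>.
// Browsers honour only the first occurrence of a directive name, so later
// duplicates are dropped here too.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (script-src, object-src, ...) fall back to default-src.
// Returns null when neither is present, i.e. that resource type is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Source expressions that let any host (or any data: URL) supply scripts.
const BROAD_SCRIPT_SOURCES = new Set(['*', 'https:', 'http:', 'data:']);

function assessCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];
  let deductions = 0;
  const fail = (points, why) => { deductions += points; findings.push(why); };

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    fail(6, 'no script-src or default-src: script loading is not restricted at all');
  } else {
    const src = scripts.map((s) => s.toLowerCase());
    const hasNonceOrHash = src.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    // CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
    // so it only counts as a weakness on its own.
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      fail(4, "'unsafe-inline' in script sources: injected inline <script> and event handlers run");
    }
    if (src.includes("'unsafe-eval'")) {
      fail(2, "'unsafe-eval' in script sources: eval()/new Function() on attacker-influenced strings runs");
    }
    const broad = src.filter((s) => BROAD_SCRIPT_SOURCES.has(s));
    if (broad.length > 0) {
      fail(2, `over-broad script source(s) ${broad.join(' ')}: any matching host can serve scripts`);
    }
  }

  const objects = effectiveSources(policy, 'object-src');
  if (objects === null || !(objects.length === 1 && objects[0].toLowerCase() === "'none'")) {
    fail(1, "object-src is not 'none': plugin content such as <object> can still be injected");
  }
  // base-uri and frame-ancestors are document directives: they do not inherit
  // from default-src, so their absence means no protection at all.
  if (!policy.has('base-uri')) {
    fail(1, 'base-uri missing: an injected <base> tag can redirect relative script URLs');
  }
  if (!policy.has('frame-ancestors')) {
    fail(1, 'frame-ancestors missing: framing control is left to X-Frame-Options alone');
  }

  const score = Math.max(0, 10 - deductions);
  const grade = score >= 8 ? 'strong' : score >= 5 ? 'moderate' : 'weak';
  return { score, grade, findings };
}

// Report-only policies are observed by the browser but never enforced.
function classifyResponse(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const enforced = get('content-security-policy');
  if (enforced) return { status: 'enforced', ...assessCsp(enforced) };
  const reportOnly = get('content-security-policy-report-only');
  if (reportOnly) return { status: 'report-only', ...assessCsp(reportOnly) };
  return { status: 'none' };
}

// Constructed sample policies (not taken from any council site).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline'";
const MODERATE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.net; img-src *";
const STRONG_CSP = "default-src 'none'; script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self'";

for (const [label, csp] of [['weak', WEAK_CSP], ['moderate', MODERATE_CSP], ['strong', STRONG_CSP]]) {
  const result = assessCsp(csp);
  console.log(`${label}: score ${result.score}/10 (${result.grade})`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
console.log(classifyResponse({ 'Content-Security-Policy-Report-Only': STRONG_CSP }).status);
```

Run it with `node csp-check.js`. The "moderate" sample is instructive: it contains no unsafe keywords at all, yet still loses points because object-src inherits 'self' from default-src and base-uri and frame-ancestors are absent, which is the kind of "significant omission" that separates a moderate policy from a strong one.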
Other modern security controls are also uncommon
We found similarly low adoption rates for several other modern security mechanisms.
Just over 13% (49 out of 373) published a security.txt file, the mechanism standardised in RFC 9116 (served at /.well-known/security.txt) that tells security researchers where and how to report vulnerabilities responsibly.
Sixty-one councils (16.4%) implemented a Permissions-Policy header, which can be used to restrict access to potentially sensitive browser features such as cameras, microphones, and geolocation APIs, both for the page itself and for any third-party content it embeds in frames.
The relatively low adoption of these controls suggests many councils might be prioritising basic website functionality and encryption over more advanced browser hardening measures.
On a more positive note, 78.8% of council websites used HTTP Strict Transport Security (HSTS). Once a browser has seen this header over HTTPS, it refuses to connect to the site over plain HTTP for the period the header specifies (and from the very first visit if the domain is on the browsers' preload list). This stops the site's traffic from being sent in plain text, reducing the risk of interception by a malicious third party.
X-Frame-Options was implemented at a similar rate, present on 79.1% of council sites. This header controls whether a webpage can be embedded inside an <iframe> on another site, and its presence helps defend against clickjacking, a technique in which a malicious site overlays hidden or disguised elements on a legitimate page to trick users into clicking something they did not intend. The CSP frame-ancestors directive provides the same protection with finer control and takes precedence when both are present, so X-Frame-Options mainly serves older browsers on sites that already have a strong CSP.
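The following added example (not code from the survey or any council) reads the three headers discussed in this section the way a browser does and reports what each one actually guarantees: HSTS is ignored without a valid max-age, X-Frame-Options is overridden by CSP frame-ancestors and understands only DENY and SAMEORIGIN, and Permissions-Policy is a dictionary of feature allowlists. The one-year max-age threshold is the minimum the public HSTS preload list requires; the function names and the sample responses are my own constructions.

```javascript
// Added example: audit HSTS, framing and Permissions-Policy headers from a
// captured response. Sample responses below are constructed, not real sites.

const ONE_YEAR = 31536000; // seconds; minimum max-age for HSTS preload submission

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// RFC 6797: max-age is mandatory and browsers ignore the header without it.
function assessHsts(value) {
  if (value === undefined) return { status: 'missing', reasons: ['no HSTS: every visit can start over plain HTTP'] };
  let maxAge = null;
  let includeSubDomains = false;
  let preload = false;
  for (const raw of value.split(';')) {
    const [name, ...rest] = raw.trim().split('=');
    const key = name.trim().toLowerCase();
    const val = rest.join('=').trim().replace(/^"|"$/g, '');
    if (key === 'max-age' && maxAge === null) {
      if (!/^\d+$/.test(val)) return { status: 'invalid', reasons: [`max-age "${val}" is not a number; browsers ignore the header`] };
      maxAge = Number(val);
    } else if (key === 'includesubdomains') includeSubDomains = true;
    else if (key === 'preload') preload = true;
  }
  if (maxAge === null) return { status: 'invalid', reasons: ['max-age is required; browsers ignore the header without it'] };
  if (maxAge === 0) return { status: 'disabled', reasons: ['max-age=0 tells browsers to forget the host'] };
  const reasons = [];
  if (maxAge < ONE_YEAR) reasons.push(`max-age ${maxAge}s is below the one-year preload minimum`);
  if (!includeSubDomains) reasons.push('includeSubDomains absent: subdomains can still be reached over plain HTTP');
  if (!preload) reasons.push('preload absent: the very first visit is unprotected until the header is seen');
  return { status: reasons.length === 0 ? 'strong' : 'weak', maxAge, includeSubDomains, preload, reasons };
}

// CSP frame-ancestors takes precedence over X-Frame-Options where supported;
// X-Frame-Options itself only has two live values, DENY and SAMEORIGIN.
function assessFraming(headers) {
  const csp = header(headers, 'content-security-policy') || '';
  if (/(^|;)\s*frame-ancestors\b/i.test(csp)) {
    return { status: 'csp', reasons: ['frame-ancestors set: X-Frame-Options is ignored where CSP is understood (keep it for legacy clients)'] };
  }
  const xfo = header(headers, 'x-frame-options');
  if (xfo === undefined) return { status: 'missing', reasons: ['no framing control: the page can be overlaid for clickjacking'] };
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') return { status: 'ok', value, reasons: [] };
  if (value.startsWith('ALLOW-FROM')) return { status: 'obsolete', reasons: ['ALLOW-FROM is unsupported by current browsers; use frame-ancestors instead'] };
  return { status: 'invalid', reasons: [`"${xfo}" is not a recognised value and is ignored`] };
}

// Permissions-Policy is a dictionary: feature=(allowlist) or feature=*.
// Only features granted to every origin (*) are flagged here.
function assessPermissionsPolicy(value) {
  if (value === undefined) return { status: 'missing', open: [], reasons: ['no Permissions-Policy: browser defaults decide camera, microphone and geolocation access'] };
  const open = [];
  for (const item of value.split(',')) {
    const m = item.trim().match(/^([a-z0-9-]+)=(\*|\((.*)\))$/i);
    if (m && (m[2] === '*' || (m[3] || '').split(/\s+/).includes('*'))) open.push(m[1].toLowerCase());
  }
  return { status: open.length === 0 ? 'ok' : 'permissive', open, reasons: open.map((f) => `${f} is granted to any origin (*)`) };
}

function auditHeaders(headers) {
  return {
    hsts: assessHsts(header(headers, 'strict-transport-security')),
    framing: assessFraming(headers),
    permissions: assessPermissionsPolicy(header(headers, 'permissions-policy')),
  };
}

// Constructed sample responses (not taken from any council site).
const HARDENED = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'permissions-policy': 'camera=(), microphone=(), geolocation=(self)',
};
const LAX = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Permissions-Policy': 'camera=*, geolocation=(self "https://maps.example")',
};

for (const [label, headers] of [['hardened', HARDENED], ['lax', LAX], ['bare', {}]]) {
  console.log(label);
  for (const [control, r] of Object.entries(auditHeaders(headers))) {
    console.log(`  ${control}: ${r.status}${r.reasons.length ? ' - ' + r.reasons.join('; ') : ''}`);
  }
}
```

The "lax" sample shows why presence alone, which is what a header count measures, says little: its HSTS is valid but expires after five minutes, its X-Frame-Options uses an ALLOW-FROM value modern browsers discard entirely, and its Permissions-Policy hands the camera to every origin.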
Councils perform much better on encryption
While browser-side protections showed significant gaps, the results were considerably more positive when it came to transport security. Well-configured Transport Layer Security (TLS) helps protect communications between users and websites from eavesdropping and tampering.
None of the council websites analysed supported the deprecated TLS 1.0 or TLS 1.1 protocols, which were formally retired by RFC 8996 in 2021 and had been considered insecure for years before that.
Meanwhile:
- 372 councils (99.7%) supported TLS 1.2
- 307 councils (82.3%) supported TLS 1.3
- 294 councils (78.8%) deployed HTTP Strict Transport Security (HSTS)
- No expired TLS certificates were identified during testing
HSTS helps prevent users from being downgraded to unencrypted HTTP connections and is widely regarded as an important defence against protocol-downgrade and SSL-stripping attacks, in which an attacker on the network path intercepts an initial http:// request and keeps the victim's session on plain HTTP.
These findings indicate that councils have largely modernised the cryptographic foundations of their websites and have removed support for outdated encryption standards. Support for TLS 1.3 is particularly important because the post-quantum key exchange currently being standardised for web traffic is defined only for TLS 1.3, so sites still limited to TLS 1.2 will not benefit from it.
What do the results mean?
The overall picture is one of uneven progress. UK councils appear to have made substantial progress in securing data in transit. Modern TLS adoption is widespread, certificate management appears strong, and support for obsolete protocols has effectively disappeared.
However, many councils have not adopted the browser-side security controls that can help limit the impact of common web attacks. More than three-fifths of councils did not deploy a CSP, fewer than one in six used Permissions-Policy, and only about one in eight published a security.txt file.
While the absence of these controls does not necessarily mean a website is vulnerable, they are widely regarded as security best practices and are commonly recommended by government agencies as part of a defence-in-depth approach to web security.
Councils are frequent targets of cyberattacks. They deliver essential services such as housing and social care while holding large amounts of personal information about residents. In recent years, councils in London, Leicestershire, and Wales have all experienced disruptive attacks.
Methodology
We attempted to analyse 379 UK council websites using URLs available at https://www.baseview.uk/listable/councils. There was a discrepancy between the total number of councils (382) and the number of websites (379), due to three websites covering two councils each. Six council sites closed the connection before we were able to negotiate a TLS session, meaning we were unable to assess them. Successful analysis was completed on 373 websites.
For each website, we recorded the negotiated TLS version, support for TLS 1.2 and TLS 1.3, certificate status, and the presence of common HTTP security headers, including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Note that we only checked the homepage of each site. It’s possible that the security headers varied across applications and subdomains.
Content Security Policies were scored out of 10 and classified as strong (8 to 10), moderate (5 to 7), or weak (0 to 4). The scoring was based on recognised CSP best practices and common misconfigurations: each site started with a score, lost points for bad practices and regained them for good ones, and the final score was capped at 10.