FIFA World Cup 2026 Stadium Security Scan
We scanned all 16 official FIFA World Cup 2026 stadium websites for security misconfigurations. See the full grades, findings and results here.
The FIFA World Cup 2026 is underway across 16 stadiums in the United States, Canada and Mexico. We ran a FIFA World Cup 2026 stadium security scan on the official website for each host venue to see how their security posture holds up. Here is what we found.
What’s covered
- Why we ran a FIFA World Cup 2026 stadium security scan
- Methodology
- Full results table
- Key findings
- Why CSP is the hardest header to get right
- What this means if you manage a high-traffic site
- Scan your own site
Why we ran a FIFA World Cup 2026 stadium security scan
Large public events draw large amounts of traffic to sites that do not always get the same security attention as the event itself. Stadium and venue websites during a global tournament are a good real-world test case: high visibility, high traffic, built by different teams on different platforms, with no shared baseline of what “secure” looks like.
We wanted a live, neutral data set to see how a representative slice of high-profile, high-traffic sites actually score against common misconfigurations, the same categories Guardr checks on every scan.
Methodology
We scanned the official website for each of the 16 confirmed FIFA World Cup 2026 host venues using Guardr’s public scanner. Each scan checks:
- TLS/SSL configuration
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- Cookie security
- DNS hardening (DNSSEC, CAA)
- Exposed paths (.git, .env, and similar)
- JS bundle secrets
Each site receives an A–F grade and a numeric score out of 100. Scans were run on July 3, 2026 and reflect a single point-in-time snapshot. Sites can and do change their configuration over time.
Full results table
| Venue | City | Grade | Score | Notable Finding |
|---|---|---|---|---|
| MetLife Stadium | East Rutherford, NJ | A | 90 | Strong HSTS, CSP missing default-src/script-src |
| AT&T Stadium | Dallas, TX | C- | 55 | No HSTS, X-Frame-Options missing |
| SoFi Stadium | Los Angeles, CA | C | 62 | No HSTS, no CSP at all |
| Lumen Field | Seattle, WA | A- | 85 | Good HSTS, missing includeSubDomains |
| Mercedes-Benz Stadium | Atlanta, GA | B- | 71 | No HSTS, CSP weak |
| NRG Park | Houston, TX | D | 54 | Headers score 0 |
| Kansas City World Cup site | Kansas City, MO | D | 54 | Headers score 2, only a weak Permissions-Policy present |
| Hard Rock Stadium | Miami, FL | D | 47 | Session cookie missing Secure, HttpOnly and SameSite |
| Lincoln Financial Field | Philadelphia, PA | B+ | 80 | Only site with DNSSEC enabled; no CSP |
| Levi’s Stadium | Santa Clara, CA | C | 62 | Headers score 0 |
| Gillette Stadium | Foxborough, MA | A- | 85 | Best Permissions-Policy in the set; no CSP |
| BC Place | Vancouver, Canada | B- | 72 | HSTS max-age only 5 minutes; no CSP, no X-Frame-Options |
| BMO Field | Toronto, Canada | A- | 86 | Strong HSTS + headers; no CSP |
| Estadio Banorte (formerly Azteca) | Mexico City, Mexico | B+ | 80 | CSP present but uses unsafe-inline and unsafe-eval |
| Estadio Akron | Guadalajara, Mexico | C | 62 | Headers score 0 |
| Estadio BBVA | Monterrey, Mexico | A- | 85 | Good HSTS, CSP weak |
Key findings
CSP is the universal gap
Every single one of the 16 sites scored weak or missing on Content-Security-Policy. Six sites had no CSP at all. The rest had a policy limited to frame-ancestors 'self', which blocks clickjacking but does nothing to limit script execution, the primary purpose of CSP. Not one site in the entire set had a policy that actually restricts script-src.
HSTS is a coin flip
Nine of the 16 sites either had no HSTS header or a configuration weak enough to flag (short max-age, missing includeSubDomains). BC Place’s HSTS max-age was set to 5 minutes, offering almost no protection window between visits. Six sites had strong, correctly configured HSTS, showing the fix is well understood, just not consistently applied.
Hard Rock Stadium had the highest-risk finding in the set
Miami’s Hard Rock Stadium was the only site flagging a high-severity cookie issue rather than a missing header. Its session cookie (PHPSESSID) was set without Secure, HttpOnly or SameSite, all three missing at once. That combination means the cookie can be sent over an unencrypted connection and can be read by any script running on the page, a materially different risk profile from a missing security header.
The World Cup host microsite scored worse than most of the arenas themselves
Kansas City’s designated tournament site (kansascityfwc26.com) scored a D, tied for the lowest grade in the set, with a headers score of just 2 out of 100. Purpose-built event microsites are not automatically better configured than the venues that have run for years.
Lincoln Financial Field is the only site with DNSSEC enabled
Out of all 16 domains, exactly one had DNSSEC configured. DNS spoofing protection remains rare even among high-traffic, high-profile sites, consistent with what Guardr sees across the wider web.
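As an added example (not Guardr’s scanner), the following Python audits the two finding types that dominate the table: a short or incomplete HSTS header and a session cookie set without Secure, HttpOnly and SameSite. The response samples are constructed here to resemble the BC Place and Hard Rock Stadium findings, and the six-month max-age threshold is an assumption of this example, not Guardr’s published cut-off.

```python
"""Point-in-time audit of HSTS and cookie attributes over captured response headers.
Added example; not part of Guardr's scanner. Thresholds are assumptions."""

from dataclasses import dataclass

# Assumed threshold: anything shorter than six months is flagged as a short max-age.
SHORT_MAX_AGE = 15552000


@dataclass
class Finding:
    check: str
    severity: str
    detail: str


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into (max_age, lowercase flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None
        elif key:
            flags.add(key)
    return max_age, flags


def check_hsts(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return [Finding("hsts", "medium", "no Strict-Transport-Security header")]
    findings = []
    max_age, flags = parse_hsts(value)
    if max_age is None:
        findings.append(Finding("hsts", "medium", "max-age missing or unparseable"))
    elif max_age < SHORT_MAX_AGE:
        # A 300-second max-age protects the browser for only five minutes between visits.
        findings.append(Finding("hsts", "medium", f"max-age {max_age}s is short"))
    if "includesubdomains" not in flags:
        findings.append(Finding("hsts", "low", "includeSubDomains not set"))
    return findings


def parse_set_cookie(raw):
    """Split a Set-Cookie value into (cookie name, {lowercase attribute: value})."""
    name_value, *attrs = raw.split(";")
    name = name_value.split("=", 1)[0].strip()
    attributes = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        attributes[key.lower()] = val.strip()
    return name, attributes


def check_cookies(set_cookie_values):
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if not missing:
            continue
        # All three absent on a session cookie is the high-severity case from the findings.
        severity = "high" if len(missing) == 3 else "medium"
        findings.append(Finding("cookie", severity, f"{name} missing " + ", ".join(missing)))
    return findings


def audit(response):
    """response = {"headers": {...}, "set_cookie": [...]} as captured from one fetch."""
    headers = {k.lower(): v for k, v in response["headers"].items()}
    return check_hsts(headers) + check_cookies(response.get("set_cookie", []))


# Constructed samples modeled on the findings above (not real captures).
SHORT_HSTS = {"headers": {"Strict-Transport-Security": "max-age=300"}, "set_cookie": []}
BARE_SESSION_COOKIE = {
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "set_cookie": ["PHPSESSID=abc123; Path=/"],
}
HARDENED = {
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "set_cookie": ["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, sample in [("short hsts", SHORT_HSTS), ("bare cookie", BARE_SESSION_COOKIE), ("hardened", HARDENED)]:
        print(label, [f"{f.severity}: {f.detail}" for f in audit(sample)])
```

The cookie check treats the three attributes independently so a cookie missing only SameSite is reported at medium rather than high, matching the distinction the findings draw between a single weak attribute and a session cookie with no protection at all.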
Why CSP is the hardest header to get right
CSP came up short on all 16 sites, and that pattern is not unique to this data set. Unlike HSTS, which is close to a one-line fix, a working CSP has to enumerate every script, style, font and iframe source a site actually loads. Get it wrong and you break the site. Skip it and it never gets added at all, which is exactly what most of the scanned sites did.
For a full walkthrough of what CSP protects against and how to deploy it safely with report-only mode, see our guide on how to fix a missing CSP header.
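To make the CSP distinction in the findings concrete, here is an added Python example (not Guardr’s code and not from the linked guide) that parses a Content-Security-Policy value, reports whether it actually restricts script-src, and builds the Report-Only form used for a staged rollout. The three sample policies are constructed to mirror the patterns seen in the table: frame-ancestors only, script-src with unsafe-inline and unsafe-eval, and a restrictive policy; the report endpoint path is a placeholder.

```python
"""Classify a CSP by whether it limits script execution, and stage it as Report-Only.
Added example; not Guardr's code. Sample policies and endpoint are constructed."""


def parse_csp(policy):
    """'default-src 'self'; script-src 'self' x' -> {'default-src': [...], 'script-src': [...]}"""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(directives):
    # script-src falls back to default-src when absent; frame-ancestors never affects scripts.
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def assess_csp(policy):
    """Return ('missing' | 'weak' | 'restrictive', [reasons])."""
    if policy is None:
        return "missing", ["no Content-Security-Policy header"]
    directives = parse_csp(policy)
    sources = script_sources(directives)
    reasons = []
    if sources is None:
        reasons.append("neither script-src nor default-src set; script execution is unrestricted")
        if "frame-ancestors" in directives:
            reasons.append("frame-ancestors only limits framing (clickjacking)")
        return "weak", reasons
    lowered = [s.lower().strip("'") for s in sources]
    if "unsafe-inline" in lowered:
        reasons.append("'unsafe-inline' lets injected inline scripts run")
    if "unsafe-eval" in lowered:
        reasons.append("'unsafe-eval' permits eval() and new Function()")
    if "*" in lowered or any(s.startswith("http:") for s in lowered):
        reasons.append("wildcard or plain-http script source")
    return ("weak" if reasons else "restrictive"), reasons


def report_only_header(policy, report_endpoint):
    """Stage a policy: browsers report violations to the endpoint but block nothing.
    report-uri is used here for breadth of browser support; report-to is the newer form."""
    return {"Content-Security-Policy-Report-Only": f"{policy.rstrip('; ')}; report-uri {report_endpoint}"}


# Constructed sample policies (not captured from any scanned site).
FRAME_ANCESTORS_ONLY = "frame-ancestors 'self'"
UNSAFE_SCRIPTS = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
RESTRICTIVE = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
               "object-src 'none'; frame-ancestors 'self'")
REPORT_ENDPOINT = "/csp-report"  # placeholder path

if __name__ == "__main__":
    for label, policy in [("none", None), ("frame-ancestors only", FRAME_ANCESTORS_ONLY),
                          ("unsafe", UNSAFE_SCRIPTS), ("restrictive", RESTRICTIVE)]:
        verdict, reasons = assess_csp(policy)
        print(f"{label}: {verdict} {reasons}")
    print(report_only_header(RESTRICTIVE, REPORT_ENDPOINT))
```

Deploying the restrictive policy under Content-Security-Policy-Report-Only first is what lets a team discover the script, style and font sources the page really loads before switching to the enforcing header, which is the step the sites with no CSP at all never reached.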
What this means if you manage a high-traffic site
A high-profile site is not automatically a well-configured one. Traffic volume and security posture are unrelated unless someone is actively monitoring for misconfigurations. The same gaps we found here (missing CSP, weak HSTS, unprotected cookies) show up just as often on client sites managed by freelancers and agencies. They are common, fixable and easy to miss without a recurring scan.
Scan your own site
Curious how your own site or your clients’ sites compare? Scan for free at guardr.io and see your grade, findings and fix instructions in under a minute.
See the full scoring breakdown in the Guardr methodology.