FIFA World Cup 2026 Stadium Security Scan

We scanned all 16 official FIFA World Cup 2026 stadium websites for security misconfigurations. See the full grades, findings and results here.

Tags: security-scan, fifa-world-cup-2026, web-security, case-study, stadiums

The FIFA World Cup 2026 is underway across 16 stadiums in the United States, Canada and Mexico. We ran a FIFA World Cup 2026 stadium security scan on the official website for each host venue to see how their security posture holds up. Here is what we found.

Why we ran a FIFA World Cup 2026 stadium security scan

Large public events draw large amounts of traffic to sites that do not always get the same security attention as the event itself. Stadium and venue websites during a global tournament are a good real-world test case: high visibility, high traffic, built by different teams on different platforms, with no shared baseline of what “secure” looks like.

We wanted a live, neutral data set to see how a representative slice of high-profile, high-traffic sites actually score against common misconfigurations, the same categories Guardr checks on every scan.


Methodology

We scanned the official website for each of the 16 confirmed FIFA World Cup 2026 host venues using Guardr’s public scanner. Each scan checks:

  • TLS/SSL configuration
  • Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
  • Cookie security
  • DNS hardening (DNSSEC, CAA)
  • Exposed paths (.git, .env, and similar)
  • JS bundle secrets

Each site receives an A–F grade and a numeric score out of 100. Scans were run on July 3, 2026 and reflect a single point-in-time snapshot. Sites can and do change their configuration over time.


Full results table

| Venue | City | Grade | Score | Notable finding |
|---|---|---|---|---|
| MetLife Stadium | East Rutherford, NJ | A | 90 | Strong HSTS, CSP missing default-src/script-src |
| AT&T Stadium | Dallas, TX | C- | 55 | No HSTS, X-Frame-Options missing |
| SoFi Stadium | Los Angeles, CA | C | 62 | No HSTS, no CSP at all |
| Lumen Field | Seattle, WA | A- | 85 | Good HSTS, missing includeSubDomains |
| Mercedes-Benz Stadium | Atlanta, GA | B- | 71 | No HSTS, CSP weak |
| NRG Park | Houston, TX | D | 54 | Headers score 0 |
| Kansas City World Cup site | Kansas City, MO | D | 54 | Headers score 2, only a weak Permissions-Policy present |
| Hard Rock Stadium | Miami, FL | D | 47 | Session cookie missing Secure, HttpOnly and SameSite |
| Lincoln Financial Field | Philadelphia, PA | B+ | 80 | Only site with DNSSEC enabled; no CSP |
| Levi’s Stadium | Santa Clara, CA | C | 62 | Headers score 0 |
| Gillette Stadium | Foxborough, MA | A- | 85 | Best Permissions-Policy in the set; no CSP |
| BC Place | Vancouver, Canada | B- | 72 | HSTS max-age only 5 minutes; no CSP, no X-Frame-Options |
| BMO Field | Toronto, Canada | A- | 86 | Strong HSTS + headers; no CSP |
| Estadio Banorte (formerly Azteca) | Mexico City, Mexico | B+ | 80 | CSP present but uses unsafe-inline and unsafe-eval |
| Estadio Akron | Guadalajara, Mexico | C | 62 | Headers score 0 |
| Estadio BBVA | Monterrey, Mexico | A- | 85 | Good HSTS, CSP weak |

Key findings

CSP is the universal gap

Every single one of the 16 sites scored weak or missing on Content-Security-Policy. Six sites had no CSP at all. The rest had a policy limited to frame-ancestors 'self', which blocks clickjacking but does nothing to limit script execution, the primary purpose of CSP. Not one site in the entire set had a policy that actually restricts script-src.

HSTS is a coin flip

Nine of the 16 sites either had no HSTS header or a configuration weak enough to flag (short max-age, missing includeSubDomains). BC Place’s HSTS max-age was set to 5 minutes, offering almost no protection window between visits. Six sites had strong, correctly configured HSTS, showing the fix is well understood, just not consistently applied.

Hard Rock Stadium had the highest-risk finding in the set

Miami’s Hard Rock Stadium was the only site flagging a high-severity cookie issue rather than a missing header. Its session cookie (PHPSESSID) was set without Secure, HttpOnly or SameSite, all three at once. That combination means the cookie can leak over an unencrypted connection and remain readable by any script on the page, a materially different risk profile from a missing security header.
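As an added example (not Guardr’s scanner), the Python below reproduces the three checks behind the CSP, HSTS and cookie findings above, run on a constructed sample response modelled on them: a 5-minute HSTS max-age, a frame-ancestors-only CSP and a PHPSESSID cookie with no flags. The 180-day max-age threshold is an assumption, not Guardr’s grading rule.

```python
import re
SHORT_MAX_AGE = 15552000  # assumed threshold: flag HSTS max-age under ~180 days

def check_hsts(value):
    """Issues for a Strict-Transport-Security value (None = header absent)."""
    if value is None:
        return ["HSTS missing"]
    directives = [d.strip().lower() for d in value.split(";")]
    issues = []
    max_age = next((d[8:] for d in directives if d.startswith("max-age=")), "")
    if not max_age.isdigit():
        issues.append("HSTS max-age missing or malformed")
    elif int(max_age) < SHORT_MAX_AGE:
        issues.append(f"HSTS max-age too short ({max_age}s)")
    if "includesubdomains" not in directives:
        issues.append("HSTS missing includeSubDomains")
    return issues

def check_csp(value):
    """Flag a missing CSP, one that never restricts script sources, or unsafe-* allowances."""
    if value is None:
        return ["CSP missing"]
    names = {d.split()[0].lower() for d in value.split(";") if d.strip()}
    if not names & {"script-src", "default-src"}:
        return ["CSP does not restrict scripts (no script-src or default-src)"]
    if re.search(r"'unsafe-(inline|eval)'", value):
        return ["CSP allows unsafe-inline or unsafe-eval"]
    return []

def check_cookie(set_cookie):
    """Flag a Set-Cookie value missing Secure, HttpOnly or SameSite."""
    parts = [p.strip().lower() for p in set_cookie.split(";")]
    name = set_cookie.split(";")[0].split("=")[0].strip()
    missing = [f for f in ("secure", "httponly", "samesite")
               if not any(p == f or p.startswith(f + "=") for p in parts[1:])]
    return [f"cookie {name} missing {', '.join(missing)}"] if missing else []

def scan(headers):
    """headers: lowercase header name -> value; set-cookie is a list of values."""
    issues = check_hsts(headers.get("strict-transport-security"))
    issues += check_csp(headers.get("content-security-policy"))
    for cookie in headers.get("set-cookie", []):
        issues += check_cookie(cookie)
    return issues

# Constructed sample response modelled on the findings above, not a captured one.
SAMPLE = {"strict-transport-security": "max-age=300",
          "content-security-policy": "frame-ancestors 'self'",
          "set-cookie": ["PHPSESSID=abc123; Path=/"]}
```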

The World Cup host microsite scored worse than most of the arenas themselves

Kansas City’s designated tournament site (kansascityfwc26.com) scored a D, tied for the lowest grade in the set, with a headers score of just 2 out of 100. Purpose-built event microsites are not automatically better configured than the venues that have run for years.

Lincoln Financial Field is the only site with DNSSEC enabled

Out of all 16 domains, exactly one had DNSSEC configured. DNS spoofing protection remains rare even among high-traffic, high-profile sites, consistent with what Guardr sees across the wider web.


Why CSP is the hardest header to get right

CSP came up short on all 16 sites, and that pattern is not unique to this data set. Unlike HSTS, which is close to a one-line fix, a working CSP has to enumerate every script, style, font and iframe source a site actually loads. Get it wrong and you break the site. Skip it and it never gets added at all, which is exactly what most of the scanned sites did.

For a full walkthrough of what CSP protects against and how to deploy it safely with report-only mode, see our guide on how to fix a missing CSP header.


What this means if you manage a high-traffic site

A high-profile site is not automatically a well-configured one. Traffic volume and security posture are unrelated unless someone is actively monitoring for misconfigurations. The same gaps we found here (missing CSP, weak HSTS, unprotected cookies) show up just as often on client sites managed by freelancers and agencies. They are common, fixable and easy to miss without a recurring scan.


Scan your own site

Curious how your own site or your clients’ sites compare? Scan for free at guardr.io and see your grade, findings and fix instructions in under a minute.


See the full scoring breakdown in the Guardr methodology.
