We Scanned 10 Shopify Agency Websites. Here Is What We Found.
A security posture audit of 10 leading Shopify agency websites — grades, patterns and what the top scorer gets right that the others do not.
Web agencies sell their clients on professionalism, technical rigour and attention to detail. So we decided to check whether the same standards apply to the agencies themselves.
We scanned the public-facing websites of 10 leading Shopify and Shopify Plus agencies using Guardr — checking security headers, TLS configuration, cookie security, DNS hardening and exposure paths. Every scan was external-only, no credentials, no access beyond what a browser sees. The results were graded A through F.
The short version: one agency scored an A. Three scored C- or below. The most common finding appeared on 9 of 10 sites.
What’s covered
- Methodology
- Results
- Per-agency breakdown
- Pattern analysis
- What the top score gets right
- What to do if your agency site looks like the bottom of this table
Methodology
Guardr scans each domain from the outside, the same way a browser or an attacker would. It checks five categories:
- TLS — HTTPS enforcement, HSTS presence and max-age, redirect chain
- Security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy
- Cookies — Secure flag, HttpOnly flag, SameSite attribute on session cookies
- DNS — DNSSEC and CAA records
- Exposure — sensitive paths such as `.env`, `.git/HEAD` and `phpinfo.php`
Each category carries a weighted score. The overall grade (A–F) reflects the combined result. All scans were run on 23 June 2026 against each agency’s primary marketing domain.
This audit covers the agencies’ own websites — not the client stores they build. An agency’s own site is a reasonable proxy for how seriously security posture is treated internally, but it is not a direct reflection of the work they deliver to clients.
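The checks in the methodology above, written out as an added example rather than Guardr's own scanner code. It takes the response headers and HTML body a browser would see and reports the same classes of finding: HSTS presence and max-age, the five security headers (with CSP frame-ancestors accepted in place of X-Frame-Options), CSP without default-src or script-src, session cookies missing Secure/HttpOnly/SameSite, and protocol-relative script URLs. The point weights, the "name contains session" cookie heuristic and the two sample responses are assumptions made for the example; the samples are constructed to resemble the Shopify baseline and the unflagged-cookie profile discussed below, not captured from any agency.

```python
import re

ONE_YEAR = 31536000
# Headers the security-headers category looks for (names lower-cased).
SECURITY_HEADERS = ("content-security-policy", "x-frame-options",
                    "x-content-type-options", "referrer-policy", "permissions-policy")
# Points deducted per finding: an assumption for this example, not Guardr's weighting.
WEIGHTS = {"hsts-missing": 15, "hsts-short": 8, "hsts-no-subdomains": 2,
           "header-missing": 5, "csp-weak": 5, "cookie": 10, "proto-relative": 3}
# src attribute of <script> tags, quoted or bare.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, subdomains, preload = None, False, False
    for token in (p.strip().lower() for p in value.split(";")):
        if token.startswith("max-age="):
            digits = token.split("=", 1)[1].strip('"')
            max_age = int(digits) if digits.isdigit() else None
        elif token == "includesubdomains":
            subdomains = True
        elif token == "preload":
            preload = True
    return max_age, subdomains, preload


def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value}) from a Set-Cookie value."""
    first, *rest = (p.strip() for p in value.split(";"))
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.split("=", 1)[0].strip(), attrs


def csp_directive_names(value):
    """Set of lower-cased directive names present in a CSP header value."""
    return {c.strip().split(" ", 1)[0].lower() for c in value.split(";") if c.strip()}


def audit(headers, body=""):
    """Run the HSTS, header, cookie and protocol-relative-script checks on one response.

    headers: dict of lower-cased header name -> value, with "set-cookie" as a list.
    Returns (score, findings) where findings is a list of (kind, detail) tuples.
    """
    findings = []
    # TLS layer: HSTS presence, max-age and subdomain coverage.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        max_age, subdomains, _preload = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(("hsts-short", f"HSTS max-age {max_age} is below one year"))
        if not subdomains:
            findings.append(("hsts-no-subdomains", "HSTS lacks includeSubDomains"))
    # Security-headers layer. CSP frame-ancestors covers clickjacking, so
    # X-Frame-Options is not demanded when that directive is present.
    csp = headers.get("content-security-policy")
    directives = csp_directive_names(csp) if csp is not None else set()
    for name in SECURITY_HEADERS:
        if name in headers or (name == "x-frame-options" and "frame-ancestors" in directives):
            continue
        findings.append(("header-missing", f"{name} absent"))
    if csp is not None and not directives & {"default-src", "script-src"}:
        findings.append(("csp-weak", "CSP sets neither default-src nor script-src"))
    # Cookie layer: only cookies whose name contains "session" are judged (an
    # assumption standing in for the scanner's own session-cookie heuristic).
    for raw in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "session" in name.lower():
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(("cookie", f"{name} missing {flag}"))
    # Protocol-relative script URLs in the HTML body.
    for src in SCRIPT_SRC.findall(body):
        if src.startswith("//"):
            findings.append(("proto-relative", f"script loaded from {src}"))
    score = max(0, 100 - sum(WEIGHTS[kind] for kind, _ in findings))
    return score, findings


# Constructed responses, not captured from any agency: one modelled on the
# Shopify platform baseline described in this article, one on an unflagged session cookie.
SHOPIFY_BASELINE = {
    "strict-transport-security": "max-age=7889238",
    "content-security-policy": "block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}
SHOPIFY_BODY = '<script src="//cdn.shopify.com/s/example.js"></script>'
UNFLAGGED_SESSION = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "set-cookie": ["october_session=abc123; Path=/; HttpOnly"],
}

if __name__ == "__main__":
    print(audit(SHOPIFY_BASELINE, SHOPIFY_BODY), audit(UNFLAGGED_SESSION))
```

To use it against a live site, feed `audit` the lower-cased headers and body from a single HTTPS GET of the home page; the DNS checks (DNSSEC, CAA) and the exposure-path probes are separate lookups and requests and are not modelled here.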
Results
| Agency | Domain | Score | Grade |
|---|---|---|---|
| 1Digital Agency | 1digitalagency.com | 94 | A |
| Acidgreen | acidgreen.com.au | 77 | B |
| 30 Acres | 30acres.com.au | 76 | B |
| Fourmeta | fourmeta.com | 76 | B |
| Blend Commerce | blendcommerce.com | 76 | B |
| Elkfox | elkfox.com | 76 | B |
| Charle Agency | charleagency.com | 62 | C |
| Fyresite | fyresite.com | 62 | C |
| Eastside Co | eastsideco.com | 58 | C- |
| Swanky Agency | swankyagency.com | 55 | C- |
| Blubolt | blubolt.com | 54 | D |
Per-agency breakdown
1Digital Agency — A (94)
The only agency in this set to reach an A. HSTS is present with a two-year max-age, X-Content-Type-Options and Referrer-Policy are both set correctly and a Permissions-Policy restricts camera, microphone and geolocation. The site uses CSP frame-ancestors in place of X-Frame-Options — the modern approach, scored accordingly. The only remaining gap is that HSTS does not include includeSubDomains, a minor miss at this level.
Acidgreen — B (77)
The highest-scoring Australian agency in the set. HSTS is present with a two-year max-age, includeSubDomains and preload — a strong configuration. The gap is the security headers layer: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are all absent. Strong TLS, incomplete headers. Worth noting that Acidgreen is a multi-platform agency (Shopify Plus, Adobe Commerce, Magento) rather than a Shopify-only shop.
30 Acres — B (76)
A Shopify Plus Partner agency based in Byron Bay, Australia and a certified B Corp. Their agency site runs on Shopify itself, which is the source of the platform-default CSP pattern here: block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests — present but missing default-src and script-src. HSTS is present, X-Frame-Options is set to DENY and X-Content-Type-Options is set to nosniff. Referrer-Policy and Permissions-Policy are absent. A protocol-relative Shopify CDN script is also flagged.
Fourmeta — B (76)
HSTS is set to one year but is missing includeSubDomains — a quick fix. All five security headers are absent. Exposure paths are cleanly blocked with 403 responses, which is handled correctly. The gap is almost entirely in the headers layer.
Blend Commerce — B (76)
The same Shopify-default CSP pattern as 30 Acres and Elkfox — block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests — indicating the Shopify platform provides a baseline CSP that is not extended further. HSTS is present but with a 91-day max-age, below the recommended one year. A protocol-relative Shopify CDN script and missing Referrer-Policy and Permissions-Policy round out the findings.
Elkfox — B (76)
Identical score and near-identical profile to Blend Commerce. Both run on Shopify and both inherit the same platform-default CSP. HSTS is present but short. X-Frame-Options is set to DENY and X-Content-Type-Options is correct. Referrer-Policy is missing. The pattern here is clearly the Shopify platform baseline rather than deliberate misconfiguration.
Charle Agency — C (62)
HSTS is entirely absent despite serving over HTTPS — the site redirects from HTTP correctly but does not tell browsers to remember the preference. All five security headers are missing. Charle is a Shopify Plus accredited agency with a strong client portfolio; the gap on their own site is notable.
Fyresite — C (62)
Same profile as Charle: HSTS missing and all five security headers absent. Fyresite is a Shopify Premier Partner — one of 46 in the US — which makes the baseline header configuration on their own site unexpected. Exposure paths are cleanly handled with 403 responses.
Eastside Co — C- (58)
The most distinctive finding in this set. The site sets an authentication session cookie (october_session) without the Secure flag and without a SameSite attribute. Without Secure, the browser attaches the cookie to any plain-HTTP request for the domain, so an attacker who can cause one (an http:// image reference on a page the victim visits, or an on-path position) sees the session token in the clear before the server's redirect to HTTPS. Missing HSTS compounds this: with HSTS in place the browser would rewrite that request to HTTPS before sending it. Without SameSite, Chromium-based browsers fall back to Lax, but that default is not universal, so the attribute should be set explicitly. CSP is absent. X-Frame-Options and X-Content-Type-Options are both present.
Swanky Agency — C- (55)
DNSSEC is enabled — the only agency in this set to have it — which is a genuine differentiator. However, HSTS is entirely missing, all five security headers are absent and two protocol-relative third-party scripts (ShareThis and HubSpot) are loading without explicit HTTPS. The combination of missing HSTS and protocol-relative scripts is inconsistent for an agency that has otherwise invested in DNS hardening.
Blubolt — D (54)
The lowest score in the set. HSTS is missing, all five security headers are absent and three HubSpot embed scripts are loading via protocol-relative URLs rather than explicit HTTPS. Blubolt is a Shopify Premier Partner with a strong client track record; the finding is a configuration gap on the agency’s own marketing site, not a reflection of what they deliver for clients.
Pattern analysis
What every agency in this set shares
No agency in this audit has CAA records set. Only one — Swanky — has DNSSEC enabled. Neither gap is unusual at this level, but the uniformity across all 10 sites is worth noting. CAA in particular is a single DNS record that limits which certificate authorities may issue for the domain, and it costs nothing to add.
The Shopify platform baseline
Three agencies in this set run their own website on Shopify: 30 Acres, Blend Commerce and Elkfox. All three score 76 and all three share the same CSP profile: block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests. This is a Shopify platform default. It provides some protection (no mixed content, no framing) but is missing the default-src and script-src directives needed for meaningful XSS mitigation. Agencies building on Shopify should be aware that the platform provides a baseline CSP that is not the same as a properly configured one, and that these headers are emitted by the platform rather than by theme code, so a Shopify-hosted marketing site has limited room to go beyond the baseline.
The HSTS split
Five of the agencies in this set have no HSTS set at all: Charle, Fyresite, Eastside Co, Swanky and Blubolt. Among the six that do, only one — Acidgreen — includes includeSubDomains and preload, and the two Shopify-hosted sites with a reported max-age (Blend Commerce and Elkfox) carry the short 91-day platform value. The HSTS finding correlates almost directly with overall score: agencies with HSTS present all score B or above, agencies without it all score C or below.
Missing security headers are the norm
CSP is absent or weak on 9 of 10 sites. Referrer-Policy is absent on 9 of 10. Permissions-Policy is absent on 9 of 10. These are the three headers with the widest deployment gap in this group. X-Frame-Options and X-Content-Type-Options fare better among sites using the Shopify platform baseline, which sets frame-ancestors 'none' by default.
The session cookie finding
One agency — Eastside Co — has a session cookie without the Secure flag. This is the only finding in this audit that moves from a posture gap into a direct session security risk. Combined with missing HSTS, it is the most concrete finding across all 10 sites.
What the top score gets right
1Digital Agency’s A grade comes from stacking several correct decisions rather than excelling at any single thing.
HSTS with a long max-age. Two years (max-age=63072000) means returning visitors’ browsers enforce HTTPS for two years without needing to re-receive the header. Shorter max-ages — 91 days, as seen on Blend Commerce and Elkfox — reduce this window significantly.
Referrer-Policy set to strict-origin-when-cross-origin. The recommended value. It sends the full URL for same-origin requests, only the origin to external destinations, and nothing at all when navigating from HTTPS to HTTP, limiting what third parties can see about where your visitors came from.
Permissions-Policy restricting camera, microphone and geolocation. Most sites in this audit omit this header entirely. Restricting browser features you do not use is a low-effort hardening step.
CSP frame-ancestors in place of X-Frame-Options. The modern standard. 1Digital Agency uses it correctly, allowing framing only from their own origin and a specific subdomain, an allowlist X-Frame-Options cannot express (its ALLOW-FROM variant never gained broad browser support). Where both headers are present, a browser that supports frame-ancestors ignores X-Frame-Options, so the two must not contradict each other. Guardr treats frame-ancestors as covering clickjacking protection.
X-Content-Type-Options: nosniff. Prevents browsers from guessing content types from file contents — a one-liner that is still absent on most sites in this audit.
The gap between an A and most of the C grades here is not a large technical lift. It is primarily HSTS, three or four response headers and avoiding protocol-relative script URLs. Most of it can be addressed in an afternoon.
What to do if your agency site looks like the bottom of this table
Run a free scan at guardr.io to see your current grade and the specific findings for your domain.
The highest-priority fixes, in order:
- Enable HSTS — one header, significant score impact. Confirm your entire site works over HTTPS before setting it. A max-age of at least 31536000 (one year) is recommended.
- Add X-Content-Type-Options: nosniff — two minutes of configuration, prevents MIME sniffing.
- Add Referrer-Policy: strict-origin-when-cross-origin — one line, protects user privacy and reduces data leakage to third-party scripts.
- Add X-Frame-Options: SAMEORIGIN — blocks clickjacking against your own site.
- Fix protocol-relative script URLs — change any //cdn.example.com/script.js references to https://cdn.example.com/script.js. On a page that is itself served over HTTPS these already resolve to HTTPS; the exposure is on any copy of the page still reachable over plain HTTP, which is why this finding pairs with missing HSTS.
- Add or strengthen CSP — the most complex step but the highest-impact. Start in report-only mode.
Each of these is covered in detail in the Guardr security headers guide.
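The fix list above applied in code, as an added example and not something taken from the page or from any agency's site: a WSGI middleware that adds the missing response headers (CSP in report-only mode first), appends Secure, HttpOnly and SameSite to any Set-Cookie that lacks them, and rewrites protocol-relative script URLs in HTML bodies to https://. It suits a self-hosted site fronted by a Python application; a Shopify-hosted site gets its headers from the platform instead. The demo app, the october_session cookie it sets, the cdn.example.com host in the CSP and the /csp-report path are assumptions for the example.

```python
import re

# Response headers from the fix list. The CSP is report-only so nothing is
# blocked until its reports have been reviewed; the script CDN and the report
# path are assumptions for this example.
HARDENING_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Content-Security-Policy-Report-Only",
     "default-src 'self'; script-src 'self' https://cdn.example.com; "
     "frame-ancestors 'self'; report-uri /csp-report"),
]
# Opening of a <script ... src="//host/..."> attribute, quoted or bare.
PROTO_RELATIVE_SRC = re.compile(r"""(<script\b[^>]*\bsrc\s*=\s*["']?)//""", re.I)


def harden_cookie(value, same_site="Lax"):
    """Append Secure, HttpOnly and SameSite to a Set-Cookie value if they are absent.

    Lax is the safe default for a marketing site; a cookie that must travel on
    cross-site POSTs (an embedded checkout, say) needs None, which also requires Secure.
    """
    present = {p.strip().partition("=")[0].lower() for p in value.split(";")[1:]}
    for flag, text in (("secure", "Secure"), ("httponly", "HttpOnly"),
                       ("samesite", f"SameSite={same_site}")):
        if flag not in present:
            value += f"; {text}"
    return value


def fix_protocol_relative(html):
    """Rewrite //host/script.js in <script src> attributes to https://host/script.js."""
    return PROTO_RELATIVE_SRC.sub(r"\1https://", html)


class Harden:
    """WSGI middleware: add missing hardening headers, flag cookies, fix script URLs.

    Deploy the HSTS header only once every page and asset is reachable over
    HTTPS; a browser that has seen it refuses plain HTTP for max-age seconds.
    """
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        state = {}

        def _start(status, headers, exc_info=None):
            present = {k.lower() for k, _ in headers}
            out = []
            for k, v in headers:
                if k.lower() == "content-length":
                    continue  # the body may be rewritten below; let the server recompute it
                out.append((k, harden_cookie(v) if k.lower() == "set-cookie" else v))
            out += [(k, v) for k, v in HARDENING_HEADERS if k.lower() not in present]
            state["html"] = any(k.lower() == "content-type" and v.startswith("text/html")
                                for k, v in headers)
            return start_response(status, out, exc_info)

        body = b"".join(self.app(environ, _start))
        if state.get("html"):
            text = body.decode("utf-8", "surrogateescape")
            body = fix_protocol_relative(text).encode("utf-8", "surrogateescape")
        return [body]


def demo_app(environ, start_response):
    """Constructed stand-in for a CMS that sets an unflagged session cookie and
    loads a script over a protocol-relative URL (not any agency's real site)."""
    page = b'<html><script src="//cdn.example.com/app.js"></script></html>'
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "october_session=abc123; Path=/"),
        ("Content-Length", str(len(page))),
    ])
    return [page]


def run(app, environ=None):
    """Call a WSGI app in-process; return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ or {"REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run(Harden(demo_app))
    print(status, *headers, body, sep="\n")
```

Wrap the application object (`application = Harden(application)`) and re-scan: the session cookie now carries all three attributes, the five headers plus HSTS are present, and the script loads over explicit HTTPS. Once the CSP report endpoint has been quiet for a release cycle, rename Content-Security-Policy-Report-Only to Content-Security-Policy to start enforcing.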
Scans were run on 23 June 2026. Security posture changes over time — if you are one of the agencies listed and have shipped fixes since this was published, scan your site to see your current grade.