Every FIFA World Cup Stadium Site Fails Security Check — Guardr Finds Weak CSP and Cookie Flaws

These articles are AI-generated summaries. Please check the original sources for full details.

FIFA World Cup 2026 Stadium Security Scan

Guardr scanned all 16 official stadium websites for the FIFA World Cup 2026 host venues. Every single site had a weak or missing Content-Security-Policy header, and half had HSTS problems.

Why This Matters

Key Insights

    • CSP weakness: Six of the 16 sites had no Content-Security-Policy at all; most others only set frame-ancestors 'self', which doesn't control script execution (Guardr scan, July 3, 2026).
    • HSTS inconsistency: Nine sites had missing or weak HSTS; BC Place’s max-age was set to only five minutes (Guardr scan, July 3, 2026).
    • High-severity cookie risk: Hard Rock Stadium’s session cookie lacked Secure, HttpOnly and SameSite attributes simultaneously (Guardr scan, July 3, 2026).
    • Dedicated microsite worst performer: Kansas City’s official World Cup site tied for the lowest grade (D, score of 54) in the set (Guardr scan, July 3, 2026).
    • Rare DNSSEC adoption: Only Lincoln Financial Field had DNSSEC enabled across all scanned sites (Guardr scan, July 3, 2026).

Practical Applications

    • Use case: Guardr scanning high-profile event websites. Pitfall: Assuming high traffic implies robust security; reality shows basic misconfigurations persist.
    • Use case: Implementing a full Content-Security-Policy beyond frame-ancestors. Pitfall: Relying solely on Clickjacking protection while ignoring script injection risks.
    • Use case: Enforcing strict HSTS with appropriate max-age. Pitfall: Setting a low max-age like five minutes (BC Place) provides negligible protection against downgrade attacks.
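The three checks this list describes (a CSP that goes beyond frame-ancestors, an HSTS max-age long enough to matter, and session cookies carrying Secure, HttpOnly and SameSite) as a small header audit. This is an added example, not Guardr's scanner or code from the original article; the 180-day HSTS threshold and the sample responses are assumptions constructed to mirror the findings above.

```python
import re
from typing import Dict, List

def check_csp(headers: Dict[str, str]) -> List[str]:
    # Flag a missing CSP, or one that only restricts framing (frame-ancestors).
    csp = headers.get("content-security-policy")
    if csp is None:
        return ["CSP missing"]
    directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
    if not directives & {"default-src", "script-src"}:
        return ["CSP has no default-src/script-src; frame-ancestors alone does not govern scripts"]
    return []

def check_hsts(headers: Dict[str, str], min_age: int = 15552000) -> List[str]:
    # Flag missing HSTS or a max-age below min_age (180 days: an assumed threshold).
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["HSTS missing"]
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        return ["HSTS has no max-age"]
    if int(m.group(1)) < min_age:
        return [f"HSTS max-age too low ({m.group(1)}s)"]
    return []

def check_cookies(set_cookie: List[str]) -> List[str]:
    # Report which of Secure / HttpOnly / SameSite each Set-Cookie value lacks.
    issues = []
    for c in set_cookie:
        name = c.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        missing = [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]
        if missing:
            issues.append(f"cookie {name} lacks {', '.join(missing)}")
    return issues

def audit(headers: Dict[str, str], set_cookie: List[str]) -> List[str]:
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    return check_csp(h) + check_hsts(h) + check_cookies(set_cookie)

# Constructed sample responses (not real scan data) mirroring the findings above.
FRAME_ONLY = {"Content-Security-Policy": "frame-ancestors 'self'",
              "Strict-Transport-Security": "max-age=300"}
WEAK_COOKIE = ["sessionid=abc123; Path=/"]
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
GOOD_COOKIE = ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]
```

Running `audit(FRAME_ONLY, WEAK_COOKIE)` reproduces all three classes of finding from the scan, while `audit(HARDENED, GOOD_COOKIE)` returns no findings.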
