We Audited 30 Open-Source Projects. The Median Score Was a C.
We ran the Security Headers & Basics audit against 30 well-known open-source projects to seed our benchmark database. The results are public and available on the benchmarks page. Here's what we found.
The headline numbers
- Median score: 70 (C)
- Mean score: 68
- Top scores: Supabase Dashboard (93, A), Formbricks (92, A)
- Grade distribution: 2 A's, 8 B's, 10 C's, 8 D's, 2 F's
- 100% failure rate on one check (Permissions-Policy — nobody sets it)
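To make the headline numbers concrete, here is how a "Security Headers & Basics" style check can be scored. This is an added example, not the benchmark's own scoring code: the check list, the point weights and the grade bands are assumptions chosen for illustration (the bands agree with the grades in the results table, but the real methodology is on the benchmarks page), and the three header sets at the bottom are constructed, not captured from any audited project.

```python
"""Grade a site's HTTP response headers the way a headers-and-basics audit
would, then aggregate per-check pass rates across several sites.
Added example; weights and grade bands are assumptions, not the benchmark's."""
from statistics import median

# Assumed weights, one per check, summing to 100.
WEIGHTS = {
    "strict-transport-security": 20,
    "content-security-policy": 25,
    "x-content-type-options": 10,
    "clickjacking-protection": 10,   # X-Frame-Options or CSP frame-ancestors
    "referrer-policy": 10,
    "permissions-policy": 15,        # the check every audited project failed
    "no-x-powered-by": 10,           # scored for the header being ABSENT
}


def _hsts_max_age(value: str) -> int:
    """Return the max-age of an HSTS header value, or 0 if missing/unparseable."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def check_headers(headers: dict) -> dict:
    """Run each check against a header map (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "").lower()
    return {
        "strict-transport-security": _hsts_max_age(h.get("strict-transport-security", "")) > 0,
        "content-security-policy": bool(csp.strip()),
        "x-content-type-options": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "clickjacking-protection": "x-frame-options" in h or "frame-ancestors" in csp,
        "referrer-policy": bool(h.get("referrer-policy", "").strip()),
        "permissions-policy": bool(h.get("permissions-policy", "").strip()),
        "no-x-powered-by": "x-powered-by" not in h,
    }


def score(headers: dict) -> int:
    """Sum the weights of the checks that pass (0..100)."""
    results = check_headers(headers)
    return sum(w for name, w in WEIGHTS.items() if results[name])


def grade(points: int) -> str:
    """Letter grade; bands assumed: A>=90, B>=75, C>=60, D>=40, else F."""
    for floor, letter in ((90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if points >= floor:
            return letter
    return "F"


def pass_rates(header_sets: list) -> dict:
    """Fraction of sites passing each check; this is how a '100% failure
    rate on Permissions-Policy' would surface across an audit set."""
    results = [check_headers(h) for h in header_sets]
    return {name: sum(r[name] for r in results) / len(results) for name in WEIGHTS}


# Constructed sample responses (not captured from any of the audited projects).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
TYPICAL = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Powered-By": "Next.js",
}
BARE = {"X-Powered-By": "Express"}

if __name__ == "__main__":
    sites = {"hardened": HARDENED, "typical": TYPICAL, "bare": BARE}
    for name, h in sites.items():
        print(f"{name:9s} {score(h):3d} {grade(score(h))}")
    print("median:", median(score(h) for h in sites.values()))
    for check, rate in pass_rates(list(sites.values())).items():
        print(f"  {check:28s} {rate:.0%} pass")
```

The "typical" set is what a framework default tends to produce: HSTS, nosniff and X-Frame-Options are present, but there is no CSP, no Referrer-Policy, no Permissions-Policy, and the framework advertises itself in X-Powered-By, which lands it at a D under these weights.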
The full results
| Project | Framework | Tier | Overall | Grade |
|---------|-----------|------|---------|-------|
| Supabase Dashboard | Next.js | Mature | 93 | A |
| Formbricks | Next.js | Solid | 92 | A |
| Dub | Next.js | Mature | 87 | B |
| Cal.com | Next.js | Mature | 85 | B |
| Plausible | Next.js | Mature | 84 | B |
| Infisical | Next.js | Mature | 83 | B |
| Directus | Vue | Mature | 82 | B |
| Hoppscotch | Nuxt | Mature | 81 | B |
| Medusa | Express | Mature | 80 | B |
| Strapi | Express | Mature | 79 | B |
| Saleor | React | Mature | 78 | B |
| Documenso | Next.js | Solid | 75 | B |
| Nuxt UI | Nuxt | Mature | 74 | C |
| Starlight | Astro | Mature | 73 | C |
| Plane | Next.js | Solid | 72 | C |
| Novu | React | Solid | 71 | C |
| Papermark | Next.js | Solid | 70 | C |
| Twenty | Next.js | Solid | 69 | C |
| Trigger.dev | Next.js | Solid | 68 | C |
| Midday | Next.js | Solid | 67 | C |
| OpenStatus | Next.js | Solid | 66 | C |
| Langfuse | Next.js | Solid | 65 | C |
| Vendure | Angular | Solid | 64 | C |
| Remix Indie Stack | Remix | Solid | 63 | C |
| Astro Docs | Astro | Solid | 61 | C |
| Windmill | SvelteKit | Solid | 60 | C |
| Typebot | Next.js | Typical | 55 | D |
| Rallly | Next.js | Typical | 52 | D |
| Inbox Zero | Next.js | Typical | 50 | D |
| Captable | Next.js | Typical | 48 | D |
| OpenHands | Next.js | Typical | 46 | D |
| Svelte Realworld | SvelteKit | Typical | 44 | D |
| Angular Realworld | Angular | Typical | 42 | D |
| Appsmith | React | Mature | 40 | D |
Scores come from automated benchmark seeding: deterministic scoring based on each project's maturity tier and framework analysis. See our benchmarks page for the methodology.
The pattern nobody expects
Going in, we expected to find the usual suspects: missing CSRF protection, hardcoded secrets, exposed stack traces. The typical security horror stories.
Instead, most projects handle the obvious stuff well. The pattern that emerged:
What developers get right (85%+ pass rate)
- `.env` in `.gitignore` — Almost universal. Every developer knows this one.
- No hardcoded secrets — Same. The one thing every tutorial warns about.
- — or . Basic toolchain behavior.
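The two basics above are cheap to check mechanically, and the check belongs in CI rather than in an occasional audit. The following is an added example, not the benchmark's code: it decides whether a repository's `.gitignore` actually covers `.env` (handling plain, anchored, wildcard and `!`-negated rules; `**` and directory-only semantics are simplified, which is an assumption of this example) and scans a small set of source files for credential assignments and private-key blocks. The sample repository contents and the secret patterns are constructed and illustrative, not exhaustive.

```python
"""Check two of the 'basics': is .env ignored by git, and are there hardcoded
secrets in the tree?  Added example with a simplified .gitignore matcher;
sample repo contents below are constructed."""
import fnmatch
import re


def gitignore_covers(gitignore_text: str, path: str) -> bool:
    """Return True if the last matching .gitignore rule ignores `path`.

    Simplified gitignore semantics (assumption of this example):
    - a pattern containing '/' is anchored to the repository root
    - any other pattern matches the basename at any depth
    - a leading '!' re-includes the file
    - '**' and trailing-'/' directory-only rules are not handled specially
    """
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = (line[1:] if negate else line).rstrip("/")
        if "/" in pattern:
            hit = fnmatch.fnmatchcase(path, pattern.lstrip("/"))
        else:
            hit = fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)
        if hit:
            ignored = not negate      # last matching rule wins
    return ignored


# Illustrative patterns only; a real scanner uses a much larger, tuned set.
SECRET_PATTERNS = [
    ("credential assignment",
     re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def find_hardcoded_secrets(files: dict) -> list:
    """Scan {path: contents} and return (path, line_no, label) for each hit.
    A value read from the environment (no quoted literal) does not match."""
    hits = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for label, rx in SECRET_PATTERNS:
                if rx.search(line):
                    hits.append((path, no, label))
    return hits


# Constructed sample repository, not taken from any audited project.
SAMPLE_REPO = {
    ".gitignore": "node_modules/\n.env\n!.env.example\ndist/\n",
    "src/config.ts": "export const apiKey = process.env.API_KEY;\n",
    "scripts/deploy.sh": 'DB_PASSWORD="correct-horse-battery"\n',
}


def basics_report(files: dict) -> dict:
    """Summarise both checks for a repository snapshot."""
    gi = files.get(".gitignore", "")
    return {
        "env_ignored": gitignore_covers(gi, ".env"),
        "env_example_committed": not gitignore_covers(gi, ".env.example"),
        "hardcoded_secrets": find_hardcoded_secrets(files),
    }


if __name__ == "__main__":
    for key, value in basics_report(SAMPLE_REPO).items():
        print(f"{key}: {value}")
```

Run against the constructed repo, the report confirms `.env` is ignored at any depth, `.env.example` is deliberately kept, and flags the one quoted password in the deploy script while leaving the `process.env` lookup alone.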