Research

We Scanned 20 Nigerian Enterprises. 64% Lack Basic Security Headers.

April 2026 | 8 min read

Every day, millions of Nigerians trust their banks, mobile networks, and fintech apps with sensitive personal data. But how well are these platforms actually protecting that data at the infrastructure level?

We decided to find out.

Our research team at Securva ran a Phase 1 DNS infrastructure mapping across 20 major Nigerian organizations spanning banking, telecommunications, fintech, e-commerce, and government. The results were sobering: nearly two-thirds of the live hosts we discovered are missing a basic security header that has been an industry standard for over a decade.

This is not a theoretical risk. It is a measurable, fixable gap - and it affects some of the biggest names in the Nigerian digital economy.

64%
of enterprise hosts lack basic HSTS protection
4,336
subdomains discovered across 20 organizations
1,180
alive hosts confirmed responding
57
servers showing default installation pages

What We Did

We conducted passive DNS reconnaissance against 20 organizations across five sectors: banking, telecommunications, fintech, e-commerce, and government.

Our methodology was straightforward. We enumerated subdomains from public DNS data, confirmed which hosts were alive, fingerprinted their technology stacks, and checked each live host for critical security headers. The subdomain enumeration is passive; the liveness, fingerprint and header checks do involve sending requests, but only the ordinary HTTP requests a browser sends when it loads a page. No exploitation was attempted. No vulnerabilities were probed. This was purely an outside-in assessment of publicly visible infrastructure.

The HSTS Problem

HTTP Strict Transport Security (HSTS) is a response header that a site sends over HTTPS to tell browsers to use only encrypted connections to it for a stated period (the max-age). Once a browser has seen the header, it rewrites any later http:// request for that host to https:// before the request leaves the machine, so an on-path attacker never sees a plaintext request to tamper with. Without it, a user who types the bank's address without https:// or follows an old http:// link sends a plaintext request, and an attacker on the same network can answer it and keep the whole session on unencrypted HTTP (the classic SSL-stripping man-in-the-middle), capturing login credentials, session tokens, and personal data. One caveat to keep in mind: the policy only takes effect after the first successful HTTPS visit, which is the gap the includeSubDomains directive and the browser preload list exist to close.

HSTS was standardised in RFC 6797 in 2012. It is trivial to implement - a single line in your web server or CDN configuration - provided every host the policy covers actually serves HTTPS, because a browser that has cached the policy will refuse to fall back to plain HTTP for it.

Yet only 425 of 1,180 alive hosts (36%) had HSTS enabled.

That means 755 hosts - 64% - lack this basic protection.

To put this in context: a customer who opens their bank's site on public Wi-Fi at a Lagos coffee shop by typing the address without https://, or by tapping an old http:// link, sends that first request in the clear. If the bank's subdomain does not enforce HSTS, anyone on that network can intercept the request, proxy the site over plain HTTP, and read the credentials and session cookie as they are submitted. The attack is well-documented, needs only off-the-shelf tooling, and is completely preventable.

This is not a niche concern. We are talking about the infrastructure serving tens of millions of Nigerian users daily.
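The browser-side behaviour described above is easy to get wrong in the details (first visit, plain-HTTP responses, subdomains, expiry), so here is a small model of it. This is an added example written for this article, not Securva's scanner and not any browser's code; the host names are constructed placeholders and the timings are simulated.

```python
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if a browser would ignore the header."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None   # an unparsable max-age invalidates the whole header
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None           # max-age is mandatory
    return max_age, include_sub


class HstsStore:
    """A browser's cache of HSTS policies, keyed by host name (model of RFC 6797)."""

    def __init__(self):
        self.known = {}

    def process_response(self, host, over_https, headers, now):
        value = headers.get("Strict-Transport-Security")
        if not over_https or value is None:
            return                          # the header on a plain-HTTP response is ignored
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.known.pop(host, None)      # max-age=0 withdraws the policy
        else:
            self.known[host] = HstsEntry(now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if an http:// navigation to host must be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.known[candidate]   # expired policy: protection is gone
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def hsts_walkthrough():
    """Constructed scenario; returns the upgrade decision at each step."""
    store = HstsStore()
    now = 1_700_000_000.0
    hsts_year = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    trace = []
    # 1. First ever visit: no cached policy, so http://bank.example goes out in clear text.
    trace.append(store.should_upgrade("bank.example", now))
    # 2. The HTTPS response carries the header; the browser caches it for a year.
    store.process_response("bank.example", True, hsts_year, now)
    trace.append(store.should_upgrade("bank.example", now + 60))
    # 3. includeSubDomains extends the policy to hosts below bank.example.
    trace.append(store.should_upgrade("api.bank.example", now + 60))
    # 4. The same header on a plain-HTTP response is ignored.
    store.process_response("telco.example", False, hsts_year, now)
    trace.append(store.should_upgrade("telco.example", now + 60))
    # 5. A short policy without includeSubDomains protects that host only...
    store.process_response("fintech.example", True,
                           {"Strict-Transport-Security": "max-age=300"}, now)
    trace.append(store.should_upgrade("fintech.example", now + 60))
    trace.append(store.should_upgrade("app.fintech.example", now + 60))
    # 6. ...and only until max-age lapses.
    trace.append(store.should_upgrade("fintech.example", now + 301))
    # 7. max-age=0 over HTTPS withdraws the policy (this is how HSTS is rolled back).
    store.process_response("bank.example", True,
                           {"Strict-Transport-Security": "max-age=0"}, now + 120)
    trace.append(store.should_upgrade("bank.example", now + 130))
    return trace


if __name__ == "__main__":
    print(hsts_walkthrough())
```

Steps 1 and 4 are the two gaps worth remembering: the header does nothing for a request the browser has not yet been told to upgrade, and it does nothing at all if it is only emitted on port 80.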

Forgotten Servers and Shadow Infrastructure

Beyond the HSTS gap, we found 57 hosts displaying default web server pages - the generic "Welcome to nginx" or "IIS Windows Server" pages that ship with a fresh installation.

These are servers that were spun up, assigned a subdomain, pointed at via DNS, and then either forgotten or never properly configured. A default page is not itself a vulnerability, but it is strong evidence that nobody owns the host, and a host nobody owns is not in the patch cycle, not monitored, and not in the asset inventory. That is why such machines so often turn out to be running an outdated server version, with debugging features or administrative interfaces still reachable. Each one is a potential entry point.

One major Nigerian bank had multiple subdomains pointing to default server pages. A leading fintech platform had similar exposures. These are not hypothetical risks - they are live, publicly reachable hosts that an attacker could discover in minutes using the same techniques we used.
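The header and default-page checks described in the methodology and in this section amount to one HTTPS request per host and a look at what comes back. The following is an added example of that check, written for this article; it is not the Securva scanner, and the one-year threshold, the list of expected headers and the default-page title signatures are assumptions. The sample response is constructed.

```python
import http.client
import re
import ssl

ONE_YEAR = 31536000

# Headers this article's checklist treats as the floor beyond HSTS (assumed set).
EXPECTED_HEADERS = (
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)

# <title> prefixes shipped by unconfigured servers (assumed signatures).
DEFAULT_PAGE_TITLES = (
    "Welcome to nginx!",
    "IIS Windows Server",
    "Apache2 Ubuntu Default Page",
    "Apache HTTP Server Test Page",
)


def audit(headers, body):
    """Return a list of findings for one HTTPS response.
    headers: mapping of header name -> value (any case); body: response text."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r'max-age="?(\d+)', hsts, re.I)
        if not m:
            findings.append("HSTS present but max-age unparsable (browsers ignore it)")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age {m.group(1)} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    for name in EXPECTED_HEADERS:
        if name not in h:
            findings.append(f"{name} missing")
    title = re.search(r"<title>\s*(.*?)\s*</title>", body, re.I | re.S)
    if title and any(title.group(1).startswith(sig) for sig in DEFAULT_PAGE_TITLES):
        findings.append(f"default installation page: {title.group(1)!r}")
    return findings


def fetch(host, timeout=10):
    """GET / over TLS; returns (headers, body). Only run this against hosts you are authorised to test."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", "/", headers={"User-Agent": "header-audit/0.1"})
        resp = conn.getresponse()
        return dict(resp.getheaders()), resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()


# Constructed sample: a forgotten nginx host to which someone once added a token HSTS policy.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
SAMPLE_BODY = "<html><head><title>Welcome to nginx!</title></head><body><h1>Welcome to nginx!</h1></body></html>"


def audit_demo():
    return audit(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["(sample)"]:
        findings = audit_demo() if target == "(sample)" else audit(*fetch(target))
        print(target + "\n  " + "\n  ".join(findings or ["no findings"]))
```

Run with no arguments it audits the constructed sample; given host names it fetches each one. A max-age of a few minutes counts as a finding here because browsers forget the policy as soon as it lapses, so a short value gives a false sense of coverage.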

Who Is Protecting What

The technology and Content Delivery Network (CDN) distribution tells an interesting story about how Nigerian enterprises approach infrastructure security:

Technology                  Hosts
Cloudflare                    292
Akamai                        291
F5 Distributed Cloud          213
Nginx                         109
Windows Server / IIS           83
ASP.NET                        81
Imperva WAF                    72

Cloudflare and Akamai are nearly tied as the dominant CDN providers, which is encouraging - both offer robust security features out of the box. F5 Distributed Cloud also has a significant footprint.

However, having a CDN or WAF in front of your application does not automatically mean your security headers are configured correctly. Many of those 755 hosts without HSTS are sitting behind these very platforms, even though both Cloudflare and Akamai can add the HSTS header at the edge without any change to the origin. The tools are there. They are just not being switched on.

We also noted 83 hosts running Windows Server with IIS (Internet Information Services) and 81 running ASP.NET. Legacy Microsoft stacks are not inherently insecure, but they require diligent patching and configuration - something that becomes harder to maintain as these deployments age.

The Tech Stack Landscape

On the application side, the fingerprinting revealed a diverse but telling picture:

Technology                  Hosts
jQuery                         88
Node.js                        74
Bootstrap                      51
React                          45
Google Analytics               43
Next.js                        37
PHP                            37
MySQL                          37

The mix of modern frameworks alongside older stacks suggests that many organizations are running parallel infrastructure - newer customer-facing applications built on React or Next.js beside older PHP applications with jQuery front ends. (A single host can appear in several rows, so these counts overlap.) Each of these surfaces needs its own security attention, and the older systems are usually the ones that get neglected.

What This Means for NDPA Compliance

The Nigeria Data Protection Act (NDPA), signed into law in 2023, and its accompanying regulations under the Nigeria Data Protection Commission (NDPC) impose real obligations on organizations that process personal data.

Under the NDPA, data controllers and processors must implement "appropriate technical and organisational measures" to protect personal data. The NDPC has been increasingly active in enforcement, moving sector by sector through banking, education, and payments, with telecommunications, healthcare, and e-commerce expected next.

Here is the uncomfortable truth: missing HSTS headers and misconfigured servers are exactly the kind of "inappropriate technical measures" that draw regulatory attention. If a data breach occurs and an investigation reveals that basic, well-known security controls were not in place, the organization's compliance posture becomes very difficult to defend.

Under section 48 of the NDPA, a data controller or processor "of major importance" - a category that certainly covers a large bank or telco - can be fined the greater of 10 million naira or 2% of its annual gross revenue for the preceding financial year. For a major Nigerian bank or telco, 2% of gross revenue is not a rounding error.

Beyond fines, there is reputational damage. Nigerian consumers are becoming more aware of data privacy. A headline reading "Bank X exposed customer data because it forgot to enable a basic security setting" is the kind of story that moves accounts.

What Nigerian Businesses Should Do

The good news is that every issue we identified in this scan is fixable, most of them within hours. Here is a practical checklist:

1. Enable HSTS on every public-facing host. This is a single configuration line. For Nginx, inside the HTTPS server block (browsers ignore the header on plain-HTTP responses), it is add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; with the always flag so that error responses carry it too. Add preload only once every subdomain serves HTTPS and you intend to submit the domain to the browser preload list, because a preloaded policy is very hard to withdraw. For Apache, IIS, and CDN providers, equivalent settings exist. There is no valid reason for a production host to lack this header in 2026.

2. Audit your DNS records. Every subdomain in your DNS should point to a host that serves a purpose. If you find subdomains pointing to default server pages or to hosts that no longer serve a function, remove the DNS record first and only then decommission the server. Doing it the other way round leaves a dangling record, and a dangling record that points at a cloud address or hosting service someone else can claim is how subdomain takeovers happen.

3. Implement a full security header policy. HSTS is the floor, not the ceiling. Your hosts should also have Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers configured.

4. Patch and update legacy stacks. If you are running jQuery, PHP, or older Windows Server installations, ensure they are on the latest supported versions with all security patches applied.

5. Run regular external scans. The kind of reconnaissance we performed is exactly what attackers do before they strike. The difference is that we are telling you about it. You should be doing this to yourself on a regular schedule.

6. Document everything for NDPA compliance. The NDPC wants to see evidence that you are taking data protection seriously. Regular security assessments, remediation timelines, and configuration audits all build the compliance record you need.
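Steps 1 and 3 together, as an added Nginx example written for this article (not a configuration taken from any of the organizations scanned): the first server block shows the common mistake, the two that follow show the corrected layout. The host name, certificate paths and the specific CSP and Permissions-Policy values are placeholders to be adapted, and a real CSP needs to be built from what the application actually loads.

```nginx
# WEAK: the header sits in the port-80 block, where browsers ignore it,
# and lacks "always", so 4xx/5xx responses would go out without it anyway.
server {
    listen 80;
    server_name bank.example;
    add_header Strict-Transport-Security "max-age=31536000";
    # ... application served over plain HTTP ...
}

# CORRECTED: plain HTTP does nothing but redirect to HTTPS.
server {
    listen 80;
    server_name bank.example www.bank.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name bank.example www.bank.example;
    ssl_certificate     /etc/ssl/bank.example/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/bank.example/privkey.pem;

    # "always" keeps the header on error responses too. Add "preload" only once
    # every subdomain serves HTTPS and you intend to submit to hstspreload.org.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # The rest of the baseline from step 3 of the checklist.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), geolocation=(), microphone=()" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

    location /static/ {
        root /srv/www;
        # Gotcha: any add_header placed in this block would replace ALL of the
        # headers above for /static/, because nginx does not merge add_header
        # across levels. Put the full set in an include file and include it
        # in every location that needs its own headers.
    }
}
```

After reloading, confirm with curl -sI https://bank.example/ | grep -i strict that the header is present on the HTTPS response, and request a path that returns 404 to confirm the always flag is doing its job.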

The Bottom Line

Nigerian enterprises are investing in modern infrastructure. The presence of Cloudflare, Akamai, React, and Next.js across these organizations shows that the technology choices are often sound. But technology only protects you if it is configured correctly.

64% of the hosts we scanned are missing a security header that takes five minutes to enable. 57 servers are sitting on the public internet showing default installation pages. These are not sophisticated vulnerabilities. They are oversights - and they are the oversights that attackers exploit first.

The NDPC is watching. Your customers are trusting you. The fixes are straightforward.

Scan your own website

Find out your security grade in under 60 seconds. Free, no signup required.

Scan now on Securva

Need help fixing what you find? The team at Pejji builds secure, NDPA-compliant websites and can remediate infrastructure issues fast. Start with a free consultation.

Ethical Disclaimer

This research was conducted by the Securva Research Team as part of our ongoing Nigerian Digital Infrastructure Security series. All scanning was non-intrusive, used only ordinary HTTP requests, and targeted publicly accessible infrastructure. No exploitation or unauthorized access was attempted. No vulnerabilities were probed. Organizations are not identified alongside specific vulnerabilities. The goal of this research is to raise awareness and help Nigerian businesses improve their security posture.