We scanned 50 Nigerian business websites. 43 scored F.
We ran our security header scanner against 50 Nigerian business websites. Restaurants, salons, logistics companies, fashion brands, tech startups. All real businesses with real customers.
The results were bad.
What we checked
We didn't try to hack anything. We checked publicly visible information that any browser can see: HTTP security headers. These are instructions your website sends to browsers telling them how to behave securely.
Specifically, we checked for 7 security headers and 2 NDPA compliance indicators:
- Content-Security-Policy (CSP) prevents hackers from injecting malicious scripts into your pages
- Strict-Transport-Security (HSTS) forces all connections to use encryption
- X-Frame-Options stops your site from being embedded in fake pages (clickjacking)
- X-Content-Type-Options prevents browsers from misinterpreting file types
- Referrer-Policy controls what information leaks when visitors click links
- Permissions-Policy controls which browser features, such as camera, microphone, and location, your pages and any embedded content are allowed to use
- Cookie consent required by NDPA Section 25
- Privacy policy page required by NDPA Sections 26-27
What we found
Out of 50 sites:
- 43 scored F (missing 3 or more critical headers)
- 4 scored D (had HTTPS but nothing else)
- 2 scored C (had some headers, missing CSP)
- 1 scored A (full security headers + NDPA compliance)
The most common missing header was Content-Security-Policy. 48 out of 50 sites had no CSP at all. This means the browser places no restriction on which scripts can run on those pages. If an attacker finds a way to inject JavaScript, the browser will run it.
Why this matters for your business
You might think "I'm just a small salon" or "my website only shows my menu." But here's what an F-grade website means for your business:
- Your customers' data is at risk. Without CSP, an attacker can steal form submissions, including names, phone numbers, and emails.
- You're not NDPA compliant. The Nigeria Data Protection Act requires businesses to protect personal data. Missing security headers is a failure to implement "appropriate technical measures."
- Google notices. Chrome flags insecure sites. Search rankings drop. Customers see warnings and leave.
- You look unprofessional. Any security-aware customer or partner can check your headers in 5 seconds. A tech-savvy investor checking your site before a meeting will see the gaps.
The fix is simple
Adding security headers takes a developer about 30 minutes. It's not expensive. It's not complicated. It's just not being done because most Nigerian web developers don't think about it.
Here's what a properly secured website looks like:
- All 7 security headers present and configured correctly
- Cookie consent banner for NDPA compliance
- Privacy policy page with data subject contact information
- SSL certificate active and enforced
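To show what "present and configured correctly" can mean in practice, here is an added example (not the Securva scanner's code) that audits the six headers listed above for presence and a sane value. The value rules, the `audit` function and the sample responses are assumptions made for this illustration.

```python
import re

# Value rules below are this example's assumptions, not the scanner's grading rules.
def csp_ok(value):
    """CSP must restrict scripts: script-src, or default-src as its fallback."""
    directives = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])  # first duplicate wins
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and not {"*", "'unsafe-inline'"} & set(sources)

def hsts_ok(value):
    """HSTS needs a max-age; 180 days is an assumed minimum."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 180 * 24 * 3600

CHECKS = {
    "content-security-policy": csp_ok,
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.split(",")[-1].strip().lower() not in ("", "unsafe-url"),
    "permissions-policy": lambda v: v.strip() != "",
}

def audit(headers):
    """Return {header: 'ok' | 'weak' | 'missing'} for one response."""
    seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    return {name: "missing" if name not in seen else ("ok" if ok(seen[name]) else "weak")
            for name, ok in CHECKS.items()}

# Constructed sample responses (not taken from any real site).
PARTIAL = {
    "Strict-Transport-Security": "max-age=300",          # too short to be useful
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src *; img-src 'self'",  # wildcard allows any script
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    print(audit(PARTIAL), audit(HARDENED), sep="\n")
```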
Scan your own website
Find out your score in 10 seconds. Free, no signup required.
Scan now on Securva
If your site scores below a B, you should fix it. If you don't know how, Pejji builds secure websites with all of this included from day one.