    Security | 8 min read | May 5, 2026

    We Scanned the Moz Top 500. Even the Internet's Giants Are Missing the Basics.

    A full security scan of 428 reachable domains from the Moz Top 500 reveals that even the most trafficked sites on the internet are missing basic headers, misconfiguring cookies, and leaving open redirects.

    Findings

    Historical Grade Distribution: Launch-Era Snapshot

    Out of 428 reachable Moz Top 500 targets, the historical scan corpus skewed toward B/C outcomes under the launch-era model. The live scanner now uses the stricter canonical scoring system, so this table should be read as a historical distribution rather than current grade eligibility.

    Grade   Count   Share
    S           7    1.6%
    A          68   15.9%
    B         106   24.8%
    C         170   39.7%
    D          27    6.3%
    F          50   11.7%
    Total     428  100.0%

    Key insight

    The pattern is clear: grade correlates directly with how many basic controls are missing. These are not exotic zero-days. They are headers, cookie flags, and redirect validation.

    Threat surface

    The Open Redirect Epidemic

    The single most alarming finding: 235 sites — 54.9% of all reachable sites — have open redirects.

    Google's own properties are among them. play.google.com, docs.google.com, maps.google.com, and multiple regional Google domains all answered VibeLeak's probe of the redirect parameter with a 302 to an externally controlled URL.

    Why it matters

    An open redirect is not a theoretical concern. It is a phishing enabler. An attacker crafts a link whose visible start is a hostname the victim trusts and whose final destination is a credential-harvesting clone; the user checks the domain, and the redirect does the rest. The distinction that matters is whether the redirect target is validated: a deliberate redirector that only forwards to allow-listed or signed destinations is a feature, while one that forwards to wherever the parameter points is the finding.
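    Validating the redirect parameter is the fix, and most of the bugs live in the edge cases rather than the obvious absolute URL. The function below is an added example written for this article, not VibeLeak's code and not any site's production handler; it assumes a hypothetical application at app.example.com that only redirects back to itself, and it covers the off-site spellings that trip naive checks: scheme-relative //evil.com and ///evil.com, the backslash forms browsers normalise to slashes, userinfo tricks, and scheme-only https:evil.com.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: the application is served as app.example.com
# and only ever redirects back to itself. Add other first-party hosts here.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a same-site redirect target derived from a user-supplied
    next=/redirect= value, or `default` when the value points off-site.

    Off-site forms an attacker can smuggle in that are rejected here:
    absolute URLs to other hosts, scheme-relative //evil.com (including
    ///evil.com and the backslash spellings browsers turn into slashes),
    userinfo tricks such as https://app.example.com@evil.com, scheme-only
    https:evil.com, and non-HTTP schemes such as javascript:.
    """
    if not isinstance(raw, str) or not raw.strip():
        return default
    candidate = raw.strip()
    # Control characters inside the value can split or confuse URL parsing
    # (CRLF injection, tab tricks); refuse rather than try to clean them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return default
    # Browsers treat "\" as "/" in URLs, so "/\evil.com" is really "//evil.com".
    candidate = candidate.replace("\\", "/")
    # Any run of leading slashes is scheme-relative to a browser ("///evil.com"
    # lands on evil.com), but urlsplit does not see it that way, so reject here.
    if candidate.startswith("//"):
        return default
    try:
        parts = urlsplit(candidate)
        hostname = parts.hostname  # lowercased, port stripped
    except ValueError:             # e.g. malformed IPv6 literal
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute URL: reject userinfo and anything not on an allowed host.
        if "@" in parts.netloc or not hostname:
            return default
        if hostname.lower() not in allowed_hosts:
            return default
        # Re-emit as a rooted path so the browser keeps the app's own scheme
        # and port rather than whatever the attacker put in the URL.
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    if parts.scheme:
        return default  # "https:evil.com": scheme present, no authority
    if not candidate.startswith("/"):
        return default  # bare "evil.com" or "dashboard": not a rooted path
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    probes = [
        "/account/settings?tab=security",
        "https://app.example.com/reports#q1",
        "//evil.com/login",
        "///evil.com",
        "/\\evil.com",
        "https:evil.com",
        "https://app.example.com@evil.com/",
        "https://app.example.com.evil.com/",
        "javascript:alert(1)",
    ]
    for probe in probes:
        print(f"{probe!r:42} -> {safe_redirect_target(probe)!r}")
```

The design choice worth copying is the last step: even when the host is allowed, the function re-emits a rooted path rather than echoing the attacker's absolute URL, so a scheme or port the application does not use never reaches the Location header. If a site needs to send users to a second first-party host, add it to the allow-list rather than relaxing the checks.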

    TrustScan

    Security Header Gaps: The Easy Wins Everyone Skips

    Missing security headers were the most common category of finding across the entire dataset.

    Header                       Sites missing   Share of 428
    Referrer-Policy                        285          66.6%
    Content-Security-Policy                229          53.5%
    X-Content-Type-Options                 200          46.7%
    Strict-Transport-Security              160          37.4%
    X-Frame-Options                        153          35.7%

    These are one-line fixes. X-Content-Type-Options: nosniff takes ten seconds to add in nginx, Apache, or Vercel. HSTS is a single header once HTTPS is stable, with one caveat: browsers cache it for the full max-age, so roll it out with a short max-age first and add includeSubDomains and preload only once every subdomain serves HTTPS. CSP requires more thought, but a baseline policy is not a week-long project; ship it as Content-Security-Policy-Report-Only first, read the violation reports, then enforce.

    ShieldCheck

    Cookie Misconfiguration: The Silent CSRF and XSS Risk

    Cookie findings were nearly as widespread across the Moz 500 corpus.

    • 188 sites (43.9%) send cookies without SameSite
    • 138 sites (32.2%) send cookies without HttpOnly
    • 108 sites (25.2%) send cookies without Secure

    On HTTPS sites, Secure should be mandatory. HttpOnly on session cookies should be mandatory. SameSite=Lax at minimum should be mandatory, and set explicitly: Chrome treats a missing SameSite as Lax, other browsers do not all follow, and SameSite=None is only honoured when Secure is also set. These are not advanced hardening steps. They are the baseline for modern cookie hygiene.
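    The header gaps and the cookie flags above are the same kind of check, so one audit routine covers both. The code below is an added example for this article, not VibeLeak's scanner logic; it audits a constructed response (the header values and Set-Cookie lines are made up for the demo) and returns a finding per gap. It departs from the raw counts in one place: a missing X-Frame-Options is not flagged when the CSP already carries frame-ancestors, which is the modern replacement. The suggested header values are this example's own starting points.

```python
import re

ONE_YEAR = 31_536_000  # seconds; also the minimum max-age hstspreload.org accepts

# The five headers from the scan, each with a reasonable starting value.
# The values are this example's suggestions, not the scanner's output.
BASELINE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}

# Constructed response to audit: HSTS rolled out with a trial max-age, CSP
# present, Referrer-Policy missing, and three cookies with mixed hygiene.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; SameSite=Lax",
    "tracking=xyz; Path=/; SameSite=None",
]


def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, {attribute_lowercased: value})."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_headers(headers):
    """Findings are (severity, subject, issue, advice) tuples."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    for name, suggested in BASELINE_HEADERS.items():
        if name in h:
            continue
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors is the modern replacement for XFO
        findings.append(("medium", name, "missing", f"add '{name}: {suggested}'"))
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        if age < ONE_YEAR:
            findings.append(("low", "strict-transport-security", "short-max-age",
                             f"max-age={age}; raise to {ONE_YEAR} once the HTTPS rollout is stable"))
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(("medium", "x-content-type-options", "wrong-value",
                         "the only meaningful value is nosniff"))
    return findings


def audit_cookies(set_cookie_values, served_over_https=True):
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        subject = f"cookie:{name}"
        secure = "secure" in attrs
        if served_over_https and not secure:
            findings.append(("high", subject, "no-secure", "add Secure; the cookie is also sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append(("medium", subject, "no-httponly", "add HttpOnly unless page script must read it"))
        samesite = attrs.get("samesite", "").lower()
        if not samesite:
            findings.append(("medium", subject, "no-samesite", "add SameSite=Lax (Strict for pure session cookies)"))
        elif samesite == "none" and not secure:
            findings.append(("high", subject, "samesite-none-without-secure", "browsers reject SameSite=None without Secure"))
        if name.startswith("__Host-") and (not secure or attrs.get("path") != "/" or "domain" in attrs):
            findings.append(("high", subject, "bad-host-prefix", "__Host- needs Secure, Path=/ and no Domain"))
    return findings


def audit_response(headers, set_cookie_values, served_over_https=True):
    return audit_headers(headers) + audit_cookies(set_cookie_values, served_over_https)


if __name__ == "__main__":
    for severity, subject, issue, advice in audit_response(SAMPLE_HEADERS, SAMPLE_SET_COOKIES):
        print(f"[{severity:6}] {subject:18} {issue:30} {advice}")
```

Run against the constructed sample, it reports the missing Referrer-Policy, the trial HSTS max-age, the session cookie with neither Secure nor SameSite, the theme cookie readable by script, and the tracking cookie whose SameSite=None will be dropped by browsers because Secure is absent. Point the same functions at a real response captured with curl -i and the output is the fix list.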

    CloudLeak

    Cloud Exposure: When Public Buckets Leak

    VibeLeak's CloudLeak module found 8 sites with Google Cloud Storage bucket URLs exposed in browser-visible HTML or JavaScript.

    Two of those buckets appeared to be publicly listable, including one on a Google support subdomain where unauthenticated probes returned object listings. A bucket URL in page source is not itself a problem; serving static assets from a bucket is normal. A bucket that lets anyone enumerate its contents is, because the listing exposes every object name, not only the ones the page links to. Eight out of 428 sounds small until you consider what a publicly listable bucket can contain: user uploads, database exports, backup files, internal assets. One exposed bucket can undo every other security control on the site.
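    The check itself has two halves: find the bucket references in shipped HTML and JavaScript, then ask the storage API whether the bucket lists. The code below is an added example for this article, not VibeLeak's CloudLeak module. The page source, bucket names and API response bodies are constructed for the demo (the listing body follows the shape of the GCS XML API, which uses the S3-compatible ListBucketResult namespace), and the HTTP fetch is injected so the whole thing runs offline; against a real site the fetch is a single unauthenticated GET.

```python
import re
import xml.etree.ElementTree as ET

# The three spellings of a GCS bucket reference that show up in shipped
# HTML and JavaScript. Bucket names are lowercase letters, digits, '-', '_', '.'.
_NAME = r"([a-z0-9][a-z0-9._-]{1,221}[a-z0-9])"
BUCKET_PATTERNS = (
    re.compile(r"https?://storage\.googleapis\.com/" + _NAME + r"(?![A-Za-z0-9._-])"),
    re.compile(r"https?://" + _NAME + r"\.storage\.googleapis\.com"),
    re.compile(r"gs://" + _NAME + r"(?![A-Za-z0-9._-])"),
)

# Constructed page source: an asset bucket, an upload bucket referenced from
# JS, and a leftover comment pointing at a backup bucket.
SAMPLE_HTML = """\
<link rel="stylesheet" href="https://storage.googleapis.com/acme-prod-assets/css/app.3f2a.css">
<script>
  var UPLOAD_BASE = "https://acme-uploads.storage.googleapis.com/";
  // TODO remove before launch: gs://legacy-backups/db-export-2026-04.sql.gz
</script>
"""


def extract_buckets(source):
    """Return the sorted set of bucket names referenced in HTML/JS text."""
    found = set()
    for pattern in BUCKET_PATTERNS:
        found.update(match.group(1) for match in pattern.finditer(source))
    return sorted(found)


def listing_url(bucket):
    # Unauthenticated GET against the XML API; a 200 with a ListBucketResult
    # body means anyone on the internet can enumerate the bucket.
    return f"https://storage.googleapis.com/{bucket}/"


def classify_listing(status, body):
    """Interpret one listing response as (verdict, object keys)."""
    if status == 200 and "ListBucketResult" in body:
        root = ET.fromstring(body)
        keys = [el.text for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Key"]
        return "public-listable", keys
    if status == 403:
        return "listing-denied", []
    if status == 404:
        return "no-such-bucket", []
    return "unknown", []


def probe_bucket(bucket, fetch):
    """fetch(url) -> (status, body); injected so the probe can run offline."""
    return classify_listing(*fetch(listing_url(bucket)))


# Constructed response bodies shaped like the GCS XML API.
PUBLIC_LISTING = (200, """<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
<Name>legacy-backups</Name><IsTruncated>false</IsTruncated>
<Contents><Key>db-export-2026-04.sql.gz</Key><Size>734003200</Size></Contents>
<Contents><Key>uploads/avatar-1.png</Key><Size>18231</Size></Contents>
</ListBucketResult>""")
DENIED = (403, "<Error><Code>AccessDenied</Code><Message>Access denied.</Message></Error>")


def fake_fetch(url):
    """Stand-in for a real HTTP GET, keyed on the constructed buckets above."""
    return {listing_url("legacy-backups"): PUBLIC_LISTING}.get(url, DENIED)


if __name__ == "__main__":
    for bucket in extract_buckets(SAMPLE_HTML):
        verdict, keys = probe_bucket(bucket, fake_fetch)
        print(f"{bucket:20} {verdict:16} {keys[:3]}")
```

In the constructed run, the two buckets the page legitimately serves from come back listing-denied while the one mentioned in a stray comment enumerates a database export. That is the realistic shape of the finding: the dangerous reference is rarely the one in the stylesheet link.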

    Protocol

    The security.txt Desert

    341 sites — 79.7% of the scanned corpus — do not publish a /.well-known/security.txt file with a contact address.

    Low effort, high signal

    Per RFC 9116, security.txt gives researchers a standardized way to report vulnerabilities. Only two fields are required, Contact and Expires, and the file is served over HTTPS at /.well-known/security.txt. Without it, security teams are harder to reach, responsible disclosure takes longer, and vulnerabilities stay open. This is the lowest-effort, highest-signal fix on the entire list. It takes five minutes to publish a text file.
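    Publishing the file is five minutes; publishing one that is still valid a year later is the part teams forget, because Expires is mandatory and a stale file is worse than none. The code below is an added example for this article, not VibeLeak's check: a constructed security.txt for a placeholder example.com, and a validator for the RFC 9116 rules that matter in practice (both required fields present, Contact values are mailto:, https:// or tel: URIs, Expires is an ISO 8601 date-time that is in the future and ideally under a year out, and single-occurrence fields appear once). The fixed SCAN_DATE exists only to make the demo deterministic.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what https://example.com/.well-known/security.txt
# could contain; the addresses and URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Security contact for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

# Fixed "now" for the demo: the article's scan date.
SCAN_DATE = datetime(2026, 5, 5, tzinfo=timezone.utc)

REQUIRED_FIELDS = ("contact", "expires")
RFC9116_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                  "expires", "hiring", "policy", "preferred-languages"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return [(field_name_lowercased, value), ...]; comments and blank lines dropped."""
    fields = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Check a security.txt body against the RFC 9116 rules that matter most.
    Returns a list of (level, field, message); an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [("error", "syntax", str(exc))]
    problems = []
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)
        if name not in RFC9116_FIELDS:
            problems.append(("warn", name, "not an RFC 9116 field; check for a typo"))
    for field in REQUIRED_FIELDS:
        if field not in by_name:
            problems.append(("error", field, "required field missing"))
    for value in by_name.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(("error", "contact", f"{value!r} must be a mailto:, https:// or tel: URI"))
    expires = by_name.get("expires", [])
    if len(expires) > 1:
        problems.append(("error", "expires", "must appear exactly once"))
    for value in expires[:1]:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(("error", "expires", f"{value!r} is not an ISO 8601 date-time"))
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(("error", "expires", "file has expired; researchers will treat it as stale"))
        elif when - now > timedelta(days=365):
            problems.append(("warn", "expires", "more than a year out; RFC 9116 recommends less"))
    if len(by_name.get("preferred-languages", [])) > 1:
        problems.append(("error", "preferred-languages", "must not appear more than once"))
    return problems


if __name__ == "__main__":
    print(validate_security_txt(SAMPLE_SECURITY_TXT, now=SCAN_DATE) or "security.txt OK")
```

Wire the validator into CI next to the file and the Expires warning fires well before the file goes stale. Signing the file with a PGP cleartext signature, as the RFC recommends, is a separate step this example does not cover.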

    Spotlight

    Notable Examples: The Good, the Bad, and the Surprising

    • Wikipedia-style reference sites can still carry fixable header gaps such as CSP, X-Frame-Options, and Referrer-Policy.
    • Large search and platform properties frequently showed redirect, cookie, or header findings that would cap them below the top bands today.
    • Amazon regional properties were inconsistent across the historical scan set, which is a useful reminder that security posture is domain-specific.
    • The current model reserves 100/100 for zero findings; any site with findings should be described by those findings and its latest rescan result, not by a stale launch-era grade.

    Analysis

    What This Means for Everyone Else

    If the top 500 most popular websites — with their security budgets, dedicated teams, and compliance programs — are averaging 5.4 findings per site, what does that say about the long tail?

    It says the basics are still not basic enough. Most breaches do not start with a zero-day exploit. They start with a mundane gap that turns a small bug into a big one: a cookie without HttpOnly that lets an XSS steal the session, a redirect nobody validated that makes a phishing link look trusted, a missing header that removes a browser-side safety net. The Moz 500 scan shows that even sites with deep resources still ship these gaps. For smaller teams, the risk is higher because detection takes longer.

    The bottom line

    This is why VibeLeak exists. Not to replace penetration testing, but to make the first pass so cheap and fast that teams run it before every launch. A thirty-second scan that catches an open redirect or a missing CSP is worth more than a quarterly audit that happens after the damage.

    VibeSignal

    A Note on AI Visibility

    VibeLeak also measures AI Signal Score — how discoverable and legible a site is to automated agents, crawlers, and answer engines.

    Across the Moz 500, the top sites generally scored well on AI signals, which makes sense: companies at this scale are already indexed, cited, and routed by AI systems. AI visibility is most valuable for smaller companies and new products trying to get their foot in the door. When you are not already in every training corpus, structured metadata, clean robots policy, and protocol-level breadcrumbs are how agents find you. The Moz 500 scan confirms that discoverability is not the problem for the giants. Security hygiene is.

    Next step

    The Call to Action

    You do not need to be in the Moz Top 500 to be scanned. You just need a public URL.

    Run a VibeLeak scan on your site right now. It takes thirty seconds. You will get a grade, a percentile rank against the live corpus, and a prioritized list of findings with copy-paste remediation steps.

    • If Google and Amazon properties are still missing basic headers like Referrer-Policy, there is a good chance your site is too.
    • The difference is that they have teams to catch incidents after they happen. Most teams do not.
    • Scan first. Fix what moves the grade. Recheck to prove it worked.

    Methodology: VibeLeak scanned 428 reachable domains from the Moz Top 500 list using its full public trust surface modules: TrustScan (headers, transport), ShieldCheck (cookies, TLS), ThreatSurface (redirects, auth, rate limiting), CloudLeak (exposed storage), TechScan (version disclosure), DeployCheck (deployment artifacts), and DataLeak (sensitive file exposure). Scans were run on 2026-05-05. This article is a historical corpus snapshot; live grades now use the canonical S 98-100, A 90-97, B 75-89, C 55-74, D 35-54, F 0-34 model, with 100/100 reserved for zero findings.

    Next action

    Run the scanner against your own site

    The article lands hardest when it turns into a fix list. Scan, close the gaps, and recheck.
