How secure are Zimbabwe's biggest websites?
We ran a passive, external security check on 17 prominent organisations across 6 sectors — and graded each one A–F. The results are sobering.
Last scanned 2026-06-30
7/17 scored an F
D national average (53/100)
13/17 don't force HTTPS (no HSTS)
5/17 can be email-spoofed (no DMARC)
The grade spread
A: 3 sites · B: 2 sites · C: 4 sites · D: 1 site · F: 7 sites
Only 3 of 17 organisations reached an A. The rest leave visitors — and their own brand — exposed to entirely preventable attacks.
By sector
Banking: 5 sites · avg 78/100
Telecom: 3 sites · avg 54/100
Government: 2 sites · avg 53/100
Media: 3 sites · avg 48/100
Retail: 2 sites · avg 30/100
Insurance: 2 sites · avg 23/100
The full leaderboard
Anonymised to sector level. Each organisation can claim its named, detailed breakdown — free.
| # | Organisation | Grade | Score | HTTPS | HSTS | CSP | XFO | XCTO | Ref | SPF | DMARC |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Bank A | A | 100 | ||||||||
| 2 | Bank B | A | 94 | ||||||||
| 3 | Government A | A | 90 | ||||||||
| 4 | Bank C | B | 84 | ||||||||
| 5 | Bank D | B | 84 | ||||||||
| 6 | Telecom A | C | 73 | ||||||||
| 7 | Telecom B | C | 60 | ||||||||
| 8 | Media A | C | 60 | ||||||||
| 9 | Retailer A | C | 60 | ||||||||
| 10 | Media B | D | 54 | ||||||||
| 11 | Bank E | F | 30 | ||||||||
| 12 | Telecom C | F | 30 | ||||||||
| 13 | Insurer A | F | 30 | ||||||||
| 14 | Media C | F | 30 | ||||||||
| 15 | Government B | F | 15 | ||||||||
| 16 | Insurer B | F | 15 | ||||||||
| 17 | Retailer B | F | 0 | ||||||||
Is your organisation on this list?
We'll send you the named, full breakdown of where you sit — every check, every gap, and exactly how to fix it. No cost, no obligation.
How we scored — and what we didn't do
Every grade comes from a passive, external check of public signals only: whether the site serves a working HTTPS response, which security headers it sends (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), and whether the domain publishes SPF and DMARC records to stop email spoofing. We did not log in, probe aggressively, scan for vulnerabilities, or touch anything private. It is the same read-only methodology any visitor's browser already performs.
Scores are out of 100, weighted toward the highest-impact protections (working HTTPS and email anti-spoofing carry the most weight). Grades: A 90+, B 75–89, C 60–74, D 40–59, F below 40.
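The following Python is an added example, not the index's own tooling: it evaluates the eight public signals described above from an already captured response and set of TXT records, then applies the grade bands stated on this page. The weights, function names and sample capture are assumptions for illustration (the page does not publish its weights), and the header checks go slightly beyond presence by also validating values.

```python
# Added example, not the index's own tooling. WEIGHTS are assumed values
# (the page only says HTTPS and email anti-spoofing weigh most).
WEIGHTS = {"https": 30, "hsts": 10, "csp": 10, "xfo": 5, "xcto": 5,
           "referrer": 5, "spf": 15, "dmarc": 20}

def has_txt(records, tag):
    """True if any TXT record starts with the version tag (e.g. v=spf1)."""
    return any(r.strip().lower().startswith(tag) for r in records)

def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; 0 if absent."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().strip('"').isdigit():
            return int(num.strip().strip('"'))
    return 0

def evaluate(https_ok, headers, apex_txt, dmarc_txt):
    """Map captured public signals to the eight pass/fail checks."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return {
        "https": bool(https_ok),
        # Browsers ignore HSTS over plain HTTP, and max-age=0 clears it.
        "hsts": bool(https_ok) and hsts_max_age(h.get("strict-transport-security", "")) > 0,
        # A Report-Only policy is not enforced, so only the enforcing header counts.
        "csp": bool(h.get("content-security-policy")),
        "xfo": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "xcto": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer": bool(h.get("referrer-policy")),
        "spf": has_txt(apex_txt, "v=spf1"),       # TXT at the domain itself
        "dmarc": has_txt(dmarc_txt, "v=dmarc1"),  # TXT at _dmarc.<domain>
    }

def score(checks):
    return sum(w for name, w in WEIGHTS.items() if checks[name])

def grade(points):
    """Bands as stated on the page: A 90+, B 75-89, C 60-74, D 40-59, F below 40."""
    for floor, letter in ((90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if points >= floor:
            return letter
    return "F"

# Constructed sample capture for a hypothetical domain, not real scan data.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=0",
                  "Content-Security-Policy-Report-Only": "default-src 'self'",
                  "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
SAMPLE = evaluate(True, SAMPLE_HEADERS, ["v=spf1 include:_spf.example.net ~all"], [])
```

The constructed sample shows two ways a header can be present yet give no protection: an HSTS `max-age` of zero and a CSP sent only in report-only mode.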
Results reflect what was observable on 2026-06-30. A site that did not return a response within the scan window is recorded as unreachable over HTTPS at that moment, which affects its score. Organisations are anonymised to sector level by design — this index is about the national picture, not singling anyone out. Any organisation can claim its entry to receive the named detail and have it re-checked.
Methodology and tooling are the same passive checks available free in our security tools.