From 569ddd969979e1e877e3a75082b5b50a8b095fa9 Mon Sep 17 00:00:00 2001
From: Lord Rupert Everton <83113194+lord-r3@users.noreply.github.com>
Date: Fri, 8 Nov 2024 09:29:37 +0100
Subject: [PATCH] Update security.md

Comments and text fixes for the security chapter
---
 src/content/en/2024/security.md | 209 +++++++++++++++++---------------
 1 file changed, 114 insertions(+), 95 deletions(-)

diff --git a/src/content/en/2024/security.md b/src/content/en/2024/security.md
index ac9f9277d55..7e14c6ae052 100644
--- a/src/content/en/2024/security.md
+++ b/src/content/en/2024/security.md
@@ -21,15 +21,17 @@ featured_stat_label_3: TODO
 
 ## Introduction
 
-With how much of our lives happen online these days - whether it's staying in touch, following the news, buying, or even selling products online - web security has never been more important. Unfortunately, the more we rely on these online services, the more appealing they become to malicious actors. As we've seen time and time again, even a single weak spot in the systems we depend on can lead to disrupted services, stolen personal data, or worse. The past two years have been no exception, with a rise in <a hreflang="en" href="https://blog.cloudflare.com/ddos-threat-report-for-2024-q2/">Denial-of-Service (DoS) attacks</a>, <a hreflang="en" href="https://www.imperva.com/resources/resource-library/reports/2024-bad-bot-report/">bad bots</a>, and <a hreflang="en" href="https://www.darkreading.com/vulnerabilities-threats/rising-tide-of-software-supply-chain-attacks">supply-chain attacks targeting the Web</a> like never before.
+With how much of our lives happen online these days - whether it's staying in touch, following the news, buying, or even selling products online - web security has never been more important. Unfortunately, the more we rely on these online services, the more appealing they become to malicious actors. As we've seen repeatedly, even a single weak spot in systems we depend on can lead to disrupted services, stolen personal data, or worse. The past two years have been no exception, with a rise in <a hreflang="en" href="https://blog.cloudflare.com/ddos-threat-report-for-2024-q2/">Denial-of-Service (DoS) attacks</a>, <a hreflang="en" href="https://www.imperva.com/resources/resource-library/reports/2024-bad-bot-report/">bad bots</a>, and <a hreflang="en" href="https://www.darkreading.com/vulnerabilities-threats/rising-tide-of-software-supply-chain-attacks">supply-chain attacks targeting the Web</a> like never before.
 
-In this chapter, we take a closer look at the current state of web security by analyzing the protections and security practices used by websites today. We explore key areas like Transport Layer Security (TLS), cookie protection mechanisms, and safeguards against third-party content inclusion. We'll discuss how these security measures help prevent attacks, as well as highlight common misconfigurations that can undermine them. Additionally, we examine some of the harmful practices still present on the web, such as the widespread use of cryptominers.
+Comment: Maybe explain what bad bots are. DoS and SUS-Attacks are well-known terms I would argue, however, "bad bots" is something I read for the first time.
 
-We also investigate the factors driving security practices, analyzing whether elements like country, website category, or technology stack influence the security measures in place. By comparing this year's findings with those from the [2022 Web Almanac](../2022/security), we highlight key changes and assess long-term trends. This allows us to provide a broader perspective on the evolution of web security practices and the progress made over the years.
+In this chapter, we take a closer look at the current state of web security by analyzing the protections and security practices used by websites today. We explore key areas like Transport Layer Security (TLS), cookie protection mechanisms, and safeguards against third-party content inclusion. We'll discuss how these security measures help prevent attacks and highlight common misconfigurations that can undermine them. Additionally, we examine some harmful practices on the web, such as the widespread use of cryptominers.
 
-## Transport security
+We also investigate the factors driving security practices, analyzing whether elements like country, website category, or technology stack influence the security measures. We highlight key changes and assess long-term trends by comparing this year's findings with those from the [2022 Web Almanac](../2022/security). This allows us to provide a broader perspective on the evolution of web security practices and the progress made over the years.
 
-[HTTPS](https://developer.mozilla.org/docs/Glossary/https) uses Transport Layer Security (<a hreflang="en" href="https://www.cloudflare.com/en-gb/learning/ssl/transport-layer-security-tls/">TLS</a>) to secure the connection between client and server. Over the past years, the number of sites using TLS has increased tremendously. As in previous years, adoption of TLS continued to increase, but that increase is slowing down as it closes in to 100%.
+## Transport Layer Security
+
+[HTTPS](https://developer.mozilla.org/docs/Glossary/https) uses Transport Layer Security (<a hreflang="en" href="https://www.cloudflare.com/en-gb/learning/ssl/transport-layer-security-tls/">TLS</a>) to secure the connection between client and server. Over the past years, the number of sites using TLS has increased tremendously. As in previous years, the adoption of TLS continued to increase, but that increase is slowing down as it closes in on 100%.
 
 {{ figure_markup(
   content="98%",
@@ -51,11 +53,11 @@ The number of requests served using TLS climbed another 4% to 98.12% on mobile s
   )
 }}
 
-The number of homepages served over HTTPS on mobile increased from 89% to 95.6%. This percentage is lower than the number of requests served over HTTPS due to the high number of third-party resources websites load, which are more likely to be served over HTTPS.
+The number of homepages served over HTTPS on mobile increased from 89% to 95.6%. This percentage is lower than the number of requests served over HTTPS due to the high number of third-party resource websites load, which are more likely to be served over HTTPS.
 
 ### Protocol versions
 
-Over the years, multiple new versions of TLS have been created. In order to remain secure, it is important to use an up to date version of TLS. The latest version is <a hreflang="en" href="https://www.cloudflare.com/en-in/learning/ssl/why-use-tls-1.3/">TLS1.3</a>, which has been the preferred version for a while. Compared to TLS1.2, version 1.3 deprecates some cryptographic protocols still included in 1.2 that were found to have certain flaws and it enforces perfect forward secrecy. Support for older versions of TLS have long been removed by major browser vendors. QUIC (Quick UDP Internet Connections), the protocol underlying HTTP/3 also uses TLS, providing similar security guarantees as TLS1.3.
+Over the years, multiple new versions of TLS have been created. To remain secure, it is important to use an up-to-date version of TLS. The latest version is <a hreflang="en" href="https://www.cloudflare.com/en-in/learning/ssl/why-use-tls-1.3/">TLS1.3</a>, which is the preferred option from a security point of view. Compared to TLS1.2, version 1.3 deprecates some cryptographic protocols still included in 1.2, like AES-CBC, that were found to have flaws under certain conditions. TLS1.3 also enforces perfect forward secrecy. Major browser vendors have long removed support for older versions of TLS. QUIC (Quick UDP Internet Connections), the protocol underlying HTTP/3 also uses TLS, providing similar security guarantees as TLS1.3.
 
 {{ figure_markup(
   image="tls-versions.png",
@@ -67,13 +69,15 @@ Over the years, multiple new versions of TLS have been created. In order to rema
   )
 }}
 
-We find that TLS1.3 is supported and used by 73.03% of web pages. The use of TLS1.3 overall has grown, even though QUIC has gained significant use compared to 2022, moving from 0% to almost 10% of mobile pages. The use of TLS1.2 continues to decrease as expected. Compared to the last Almanac it decreased by more than 12% for mobile pages, while TLS1.3 has increased by a bit over 2%. It is expected that the adoption of QUIC will continue to rise, as the use of TLS1.2 will continue to decrease.
+We find that TLS1.3 is supported and used by 73.03% of web pages. The use of TLS1.3 overall has grown, even though QUIC has gained significant use compared to 2022, moving from 0% to almost 10% of mobile pages. The use of TLS1.2 continues to decrease as expected. Compared to the last Almanac, it declined by more than 12% for mobile pages, while TLS1.3 has increased by over 2%. It is expected that the adoption of QUIC will continue to rise, as the use of TLS1.2 continues to decrease.
+
+We assume most websites don't move from TLS1.2 directly to QUIC, but rather that most sites using QUIC migrated from TLS1.3, and others moved from TLS1.2 to TLS1.3, thereby giving the appearance of limited growth of TLS1.3.
 
-We assume most websites don't move from TLS1.2 directly to QUIC, but rather that most sites using QUIC migrated from TLS1.3 and others moved from TLS1.2 to TLS1.3, thereby giving the appearance of limited growth of TLS1.3.
+Comment: Do we have data that supports this claim?
 
 ### Cipher suites
 
-Before client and server can communicate, they have to agree upon the cryptographic algorithms, known as <a hreflang="en" href="https://learn.microsoft.com/en-au/windows/win32/secauthn/cipher-suites-in-schannel">cipher suites</a>, to use. Like last time, over 98% of requests are served using a Galois/Counter Mode (<a hreflang="en" href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">GCM</a>) cipher, which is considered the most secure option, due to them not being vulnerable to <a hreflang="en" href="https://blog.qualys.com/product-tech/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities">padding attacks</a>. Also unchanged is the almost 79% of requests using a 128-bit key, which is still considered a secure key-length for AES in GCM mode. There are only a handful of suites used on the visited pages. TLS1.3 <a hreflang="en" href="https://datatracker.ietf.org/doc/html/rfc8446#page-133">only supports GCM and other modern block cipher modes</a>, which also simplifies its <a hreflang="en" href="https://go.dev/blog/tls-cipher-suites">cipher suite ordering</a>.
+Before client and server can communicate, they have to agree upon the cryptographic algorithms, known as <a hreflang="en" href="https://learn.microsoft.com/en-au/windows/win32/secauthn/cipher-suites-in-schannel">cipher suites</a>, to use. Like in the last version of the Almanac, over 98% of requests are served using a Galois/Counter Mode (<a hreflang="en" href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">GCM</a>) cipher, which is considered the most secure option, due to this mode not being vulnerable to <a hreflang="en" href="https://blog.qualys.com/product-tech/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities">padding attacks</a>. Also unchanged is the fact that almost 79% of requests using a 128-bit key, which is still considered a secure key length for AES in GCM mode. There are only a handful of suites used on the visited pages. TLS1.3 <a hreflang="en" href="https://datatracker.ietf.org/doc/html/rfc8446#page-133">only supports GCM and other modern block cipher modes</a>, which also simplifies its <a hreflang="en" href="https://go.dev/blog/tls-cipher-suites">cipher suite ordering</a>.
 
 {{ figure_markup(
   image="cipher-suites.png",
@@ -85,7 +89,9 @@ Before client and server can communicate, they have to agree upon the cryptograp
   )
 }}
 
-TLS1.3 makes <a hreflang="en" href="https://en.wikipedia.org/wiki/Forward_secrecy">forward secrecy</a> required, which means it is highly supported on the web. Forward Secrecy is a feature that assures that in case a key in use is leaked, it cannot be used to decrypt future or past messages sent over a connection. This is important to ensure that adversaries storing long-term traffic cannot decrypt the entire conversation as soon as they are able to leak a key. Interestingly, the use of forward secrecy dropped by almost 2% this year, to 95.38%.
+TLS1.3 makes <a hreflang="en" href="https://en.wikipedia.org/wiki/Forward_secrecy">forward secrecy</a> required, which means it is highly supported on the web. Forward Secrecy is a feature that assures that if a key in use is leaked, it cannot be used to decrypt future or past messages sent over a connection. This is important to ensure that adversaries storing long-term traffic cannot decrypt the entire conversation as soon as they can leak a key. Interestingly, the use of forward secrecy dropped by almost 2% this year, to 95.38%.
+
+Comment: Before we say that TLS enforces perfect forward secrecy here we only describe forward secrecy. Maybe clarify this?
 
 {{ figure_markup(
   image="forward-secrecy.png",
@@ -99,7 +105,7 @@ TLS1.3 makes <a hreflang="en" href="https://en.wikipedia.org/wiki/Forward_secrec
 
 ### Certificate Authorities
 
-In order to use TLS, servers must first get a certificate they can host, which is created by a <a hreflang="en" href="https://www.ssl.com/faqs/what-is-a-certificate-authority/">Certificate Authority</a> (CA). By retrieving a certificate from one of the trusted CAs, the certificate will be recognized by the browser, thus allowing the user to use the certificate and therefore TLS for their secure communication.
+To use TLS, servers must first get a certificate they can host, which is created by a <a hreflang="en" href="https://www.ssl.com/faqs/what-is-a-certificate-authority/">Certificate Authority</a> (CA). By retrieving a certificate from one of the trusted CAs, the certificate will be recognized by the browser, thus allowing the user to use the certificate and, therefore, TLS for their secure communication.
 
 <figure>
   <table>
@@ -166,11 +172,11 @@ In order to use TLS, servers must first get a certificate they can host, which i
   <figcaption>{{ figure_link(caption="The percentage of sites using a certificate issued by a specific issuer", sheets_gid="1458082974", sql_file="tls_ca_issuers_pages.sql") }}</figcaption>
 </figure>
 
-R3 (an intermediate certificate from <a hreflang="en" href="https://letsencrypt.org/">Let's Encrypt</a>) still leads the charts, although usage dropped compared to last year. Also from Let's Encrypt are the E1, R10 and R11 intermediary certificates that are rising in percentage of websites using them.
+R3 (an intermediate certificate from <a hreflang="en" href="https://letsencrypt.org/">Let's Encrypt</a>) still leads the charts, although usage dropped compared to last year. Also from Let's Encrypt are the E1, R10, and R11 intermediary certificates that are rising in the percentage of websites using them.
 
-<a hreflang="en" href="https://letsencrypt.org/2024/03/19/new-intermediate-certificates.html">R3 and E1 were issued in 2020 and are only valid for 5 years</a>, which means it will <a hreflang="en" href="https://crt.sh/?id=3334561879">expire in September 2025</a>. Around a year before the expiry of intermediate certificates, Let's Encrypt issues new intermediates that will gradually take over from the older ones. <a hreflang="en" href="https://letsencrypt.org/2024/03/19/new-intermediate-certificates.html">This March, Let's Encrypt issued their new intermediates</a>, which include R10 and R11 that are only valid for 3 years. These latter two certificates will take over from R3 directly, which should be reflected in next year's Almanac.
-
-Along with the rise in the number of Let's Encrypt issued certificates, other current top 10 providers have seen a decrease in their share of certificates issued, except for GTS CA 1P5 that rose from close to 0% to over 6.5% on mobile. Of course it is possible that at the time of our analysis a CA was in the process of switching intermediate certificates, which could mean they serve a larger percentage of sites than reflected.
+<a hreflang="en" href="https://letsencrypt.org/2024/03/19/new-intermediate-certificates.html">R3 and E1 were issued in 2020 and are only valid for 5 years</a>, which means it will <a hreflang="en" href="https://crt.sh/?id=3334561879">expire in September 2025</a>. Around a year before the expiry of intermediate certificates, Let's Encrypt issues new intermediates that will gradually take over from the older ones. <a hreflang="en" href="https://letsencrypt.org/2024/03/19/new-intermediate-certificates.html">This March, Let's Encrypt issued their new intermediates</a>, which include R10 and R11 that are only valid for 3 years. These two certificates will take over from R3 directly, which should be reflected in next year's Almanac.
+ 
+Along with the rise in the number of Let's Encrypt-issued certificates, other current top 10 providers have seen a decrease in their share of certificates issued, except for GTS CA 1P5, which rose from close to 0% to over 6.5% on mobile. Of course, it is possible that at the time of our analysis, a CA was in the process of switching intermediate certificates, which could mean they serve a larger percentage of sites than reflected.
 
 {{ figure_markup(
   content="56%",
@@ -180,7 +186,7 @@ Along with the rise in the number of Let's Encrypt issued certificates, other cu
   sql_file="TODO.sql",
 ) }}
 
-When we sum together the use of all certificates of Let's Encrypt, we find that they issue over 56% of the certificates currently in use.
+When we sum up the use of all Let's Encrypt certificates, we find that they issue over 56% of the certificates currently in use.
 
 ### HTTP Strict Transport Security
 
@@ -194,7 +200,7 @@ When we sum together the use of all certificates of Let's Encrypt, we find that
   sql_file="TODO.sql",
 ) }}
 
-Currently, 30% of responses on mobile have a HSTS header, which is a 5% increase compared to 2022. Users of the header can communicate directives to the browser by adding them to the header value. The `max-age` directive is obligated. It indicates to the browser the time it should continue to only visit the page over HTTPS in seconds.
+Currently, 30% of mobile responses have an HSTS header, a 5% increase compared to 2022. Users of the header can communicate directives to the browser by adding them to the header value. The `max-age` directive is obligated. It indicates to the browser the time it should continue to visit the page only over HTTPS in seconds.
 
 {{ figure_markup(
   image="hsts-directives.png",
@@ -206,7 +212,7 @@ Currently, 30% of responses on mobile have a HSTS header, which is a 5% increase
   )
 }}
 
-The share of requests with a valid `max-age` has remained unchanged at 95%. The other , optional, directives (`includeSubdomains` and `preload`) both see a slight increase of 1% compared to 2022 to 35% and 18% on mobile respectively. The `preload` directive, which [is not part of the HSTS specification](https://developer.mozilla.org/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security), requires the `includeSubdomains` to be set and also requires a `max-age` larger than 1 year (or 31,536,000 seconds).
+The share of requests with a valid `max-age` has remained unchanged at 95%. The other optional directives (`includeSubdomains` and `preload`) both see a slight increase of 1% compared to 2022 to 35% and 18% on mobile, respectively. The `preload` directive, which [is not part of the HSTS specification](https://developer.mozilla.org/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security), requires the `includeSubdomains` to be set and also requires a `max-age` larger than 1 year (or 31,536,000 seconds).
 
 {{ figure_markup(
   image="hsts-max-age.png",
@@ -218,13 +224,13 @@ The share of requests with a valid `max-age` has remained unchanged at 95%. The
   )
 }}
 
-The distribution of valid `max-age` values has remained almost the same as in 2022, with the exception that the 10th percentile on mobile has decreased from 72 to 30 days. The median value of `max-age` remains at 1 year.
+The distribution of valid `max-age` values has remained almost the same as in 2022, except that the 10th percentile on mobile has decreased from 72 to 30 days. The median value of `max-age` remains at 1 year.
 
 ## Cookies
 
-Websites can store small pieces of data in a user's browser by setting an HTTP cookie. Depending on the cookie's attributes, it will be sent with every subsequent request to that website. As such, cookies can be used for purposes of implicit authentication, tracking or storing user preferences.
+Websites can store small amounts of data in a user's browser by setting an HTTP cookie. Depending on the cookie's attributes, it will be sent with every subsequent request to that website. Cookies can be used for implicit authentication, tracking the user, or storing user preferences.
 
-When cookies are used for authenticating users, it is paramount to protect them from abuse. For instance, if an adversary gets ahold of a user's session cookie, they could potentially log into the victim's account.
+When cookies are used to authenticate users, it is paramount to protect these cookies from abuse. For instance, if an adversary gets ahold of a user's session cookie, they could log into the victim's account.
 
 To protect their user's from attacks like <a hreflang="en" href="https://owasp.org/www-community/attacks/csrf">Cross-Site Request Forgery (CSRF)</a>,<a hreflang="en" href="https://owasp.org/www-community/attacks/Session_hijacking_attack"> session hi-jacking</a>, <a hreflang="en" href="https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/13-Testing_for_Cross_Site_Script_Inclusion">Cross-Site Script Inclusion (XSSI)</a> and <a hreflang="en" href="https://xsleaks.dev/">Cross-Site Leaks</a>, websites are expected to securely configure authentication cookies.
 
@@ -244,19 +250,19 @@ The three cookie attributes outlined below enhance the security of authenticatio
 
 #### `HttpOnly`
 
-By setting this attribute, the cookie is not allowed to be accessed or manipulated through the JavaScript `document.cookie` API. This prevents a <a hreflang="en" href="https://owasp.org/www-community/attacks/xss/">Cross-Site Scripting (XSS)</a> attack from gaining access to cookies containing secret session tokens.
+The cookie cannot be accessed or manipulated by setting this attribute through the JavaScript `document.cookie` API. This prevents a <a hreflang="en" href="https://owasp.org/www-community/attacks/xss/">Cross-Site Scripting (XSS)</a> attack from gaining access to cookies containing secret session tokens.
 
-With 42% of cookies having the `HttpOnly` attribute in a first-party context on desktop, the usage has risen by 6% compared to 2022. As for third-party requests, the usage has decreased by 1%.
+42% of cookies on a desktop have the `HttpOnly` attribute in a first-party context, which has risen by 6% compared to 2022. As for third-party requests, the usage has decreased by 1%.
 
 #### `Secure`
 
 Browsers only transmit cookies with the `Secure` attribute over secure, encrypted channels, such as HTTPS, and not over HTTP. This ensures that man-in-the-middle attackers cannot intercept and read sensitive values stored in cookies.
 
-The use of the `Secure` attribute has been steadily increasing over the years. Since 2022, an additional 7% of cookies in first-party contexts and 6% in third-party contexts have been configured with this attribute. As discussed in previous editions of the Security chapter, the significant difference in adoption between the two contexts is largely due to the requirement that third-party cookies with `SameSite=None` must also be marked as `Secure`. This highlights that additional security prerequisites for enabling desired non-default functionality are an effective driver for the adoption of security features.
+The use of the `Secure` attribute has steadily increased over the years. Since 2022, an additional 7% of cookies in first-party contexts and 6% in third-party contexts have been configured with this attribute. As discussed in previous editions of the Security chapter, the significant difference in adoption between the two contexts is primarily due to the requirement that third-party cookies with `SameSite=None` must also be marked as `Secure`. This highlights that additional security prerequisites for enabling desired non-default functionality are an effective driver for adopting security features.
 
 #### `SameSite`
 
-The most recently introduced cookie attribute, `SameSite`, allows developers to control whether a cookie is allowed to be included in third-party requests. It is intended as an additional layer of defense against attacks like CSRF.
+The most recently introduced cookie attribute, `SameSite`, allows developers to control whether a cookie can be included in third-party requests. It is intended as an additional layer of defense against attacks like CSRF.
 
 The attribute can be set to one of three values: `Strict`, `Lax`, or `None`. Cookies with the `Strict` value are completely excluded from cross-site requests. When set to `Lax`, cookies are only included in third-party requests under specific conditions, such as navigational GET requests, but not POST requests. By setting `SameSite=none`, the cookie bypasses the same-site policy and is included in all requests, making it accessible in cross-site contexts.
 
@@ -270,9 +276,9 @@ The attribute can be set to one of three values: `Strict`, `Lax`, or `None`. Coo
   )
 }}
 
-While the relative number of cookies with a `SameSite` attribute has increased compared to 2022, this rise is largely attributable to cookies being explicitly excluded from the same-site policy by setting `SameSite=None`.
+While the relative number of cookies with a `SameSite` attribute has increased compared to 2022, this rise is mainly attributable to cookies being explicitly excluded from the same-site policy by setting `SameSite=None`.
 
-It's important to note that all cookies without a `SameSite` attribute are treated as `SameSite=Lax` by default. Consequently, a total of 75% of cookies set in a first-party context are effectively treated as if they were set to `Lax`.
+It's important to note that all cookies without a `SameSite` attribute are treated as `SameSite=Lax` by default. Consequently, 75% of cookies set in a first-party context are effectively treated as if they were set to `Lax`.
 
 ### Prefixes
 
@@ -303,7 +309,7 @@ It's important to note that all cookies without a `SameSite` attribute are treat
   <figcaption>{{ figure_link(caption="`__Secure-` and `__Host-` prefixes (desktop)", sheets_gid="1849762871", sql_file="cookie_attributes.sql") }}</figcaption>
 </figure>
 
-The adoption of cookie prefixes remains low, with less than 1% of cookies using these prefixes on both desktop and mobile platforms. This is particularly surprising given the high adoption rate of cookies with the `Secure` attribute, the only prerequisite for cookies prefixed with `__Secure-`. However, changing a cookie's name can require significant refactoring, which is presumably a reason why developers tend to avoid this.
+The adoption of cookie prefixes remains low, with less than 1% of cookies using these prefixes on desktop and mobile platforms. This is particularly surprising given the high adoption rate of cookies with the `Secure` attribute, the only prerequisite for cookies prefixed with `__Secure-`. However, changing a cookie's name can require significant refactoring, presumably a reason developers tend to avoid this.
 
 ### Cookie age
 
@@ -319,7 +325,7 @@ Websites can control how long browsers store a cookie by setting its lifespan. B
   )
 }}
 
-The distribution of cookie ages has remained largely unchanged compared to [lat year](../2022/security#cookie-age). However, since then, the <a hreflang="en" href="https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-cookie-lifetime-limits">cookie standard working draft</a> has been updated, capping the maximum cookie age to 400 days. This change has already been implemented in  <a hreflang="en" href="https://developer.chrome.com/blog/cookie-max-age-expires">Chrome</a> and Safari. Based on the percentiles shown above, in these browsers, more than 10% of all observed cookies have their age capped to this 400-day limit.
+The distribution of cookie ages has mainly remained unchanged compared to [last year](../2022/security#cookie-age). However, since then, the <a hreflang="en" href="https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-cookie-lifetime-limits">cookie standard working draft</a> has been updated, capping the maximum cookie age to 400 days. This change has already been implemented in  <a hreflang="en" href="https://developer.chrome.com/blog/cookie-max-age-expires">Chrome</a> and Safari. Based on the percentiles shown above, more than 10% of all observed cookies have their age capped to this 400-day limit in these browsers.
 
 ## Content inclusion
 
@@ -329,7 +335,7 @@ Content inclusion is a foundational aspect of the Web, allowing resources like C
 
 Websites can exert greater control over their embedded content by deploying a [Content Security Policy (CSP)](https://developer.mozilla.org/docs/Web/HTTP/CSP) through either the `Content-Security-Policy` response header or by defining the policy in a `<meta>` html tag. The wide range of directives available in CSP allows websites to specify, in a fine-grained manner, which resources can be fetched and from which origins.
 
-In addition to vetting included content, CSP can serve other purposes as well, such as enforcing the use of encrypted channels with the `upgrade-insecure-requests` directive and controlling where the site can be embedded to protect against clickjacking attacks using the `frame-ancestors` directive.
+In addition to vetting included content, CSP can serve other purposes, such as enforcing the use of encrypted channels with the `upgrade-insecure-requests` directive and controlling where the site can be embedded to protect against clickjacking attacks using the `frame-ancestors` directive.
 
 {{ figure_markup(
   content="+27%",
@@ -339,9 +345,9 @@ In addition to vetting included content, CSP can serve other purposes as well, s
   sql_file="security_headers_prevalence.sql",
 ) }}
 
-The adoption rate of CSP headers increased from 15% of all hosts in 2022 to 19% this year. This amounts to a relative increase of 27%.  Over these two years, the relative increase was 12% between 2022 and 2023, and 14% between 2023 and 2024.
+The adoption rate of CSP headers increased from 15% of all hosts in 2022 to 19% this year, a relative increase of 27%. Over these two years, the relative increase was 12% between 2022 and 2023 and 14% between 2023 and 2024.
 
-Looking back, overall CSP adoption was only at 12% of hosts in 2021, so it's encouraging to see that growth has remained steady. If this trend continues, projections suggest that CSP adoption will surpass the 20% mark in next year's Web Almanac.
+Looking back, CSP adoption was only at 12% of hosts in 2021, so it's encouraging to see that growth has remained steady. If this trend continues, projections suggest that CSP adoption will surpass 20% in next year's Web Almanac.
 
 #### Directives
 
@@ -357,7 +363,7 @@ Most websites utilize CSP for purposes beyond controlling embedded resources, wi
   )
 }}
 
-The `block-all-mixed-content` directive, which has been deprecated in favor of `upgrade-insecure-requests`, is the third most used directive. Although we observed a relative decrease of 12.5% and 13.8% in its usage between 2020 and 2021, the decline has since slowed to an average yearly decrease of 4.4% for desktop and 6.4% for mobile since 2022.
+The `block-all-mixed-content` directive, which has been deprecated in favor of `upgrade-insecure-requests`, is the third most used directive. Although we observed a relative decrease of 12.5% and 13.8% in usage between 2020 and 2021, the decline has slowed to an average yearly decrease of 4.4% for desktop and 6.4% for mobile since 2022.
 
 <figure>
   <table>
@@ -389,7 +395,7 @@ The `block-all-mixed-content` directive, which has been deprecated in favor of `
   <figcaption>{{ figure_link(caption="Most prevalent CSP headers", sheets_gid="176994530", sql_file="csp_most_common_header.sql") }}</figcaption>
 </figure>
 
-The top three directives also make up the building blocks of the most prevalent CSP definitions. The second most commonly used CSP definition includes both `block-all-mixed-content` and `upgrade-insecure-requests`. This suggests that many websites use `block-all-mixed-content` for backward compatibility, as newer browsers will ignore this directive if `upgrade-insecure-requests` is present.
+The top three directives also comprise the building blocks of the most prevalent CSP definitions. The second most commonly used CSP definition includes `block-all-mixed-content` and `upgrade-insecure-requests`. This suggests that many websites use `block-all-mixed-content` for backward compatibility, as newer browsers will ignore this directive if `upgrade-insecure-requests` is present.
 
 <figure>
   <table>
@@ -463,11 +469,11 @@ The top three directives also make up the building blocks of the most prevalent
 
 All other directives shown in the graph above are used for content inclusion control. Overall, usage has remained relatively stable. However, a notable change is the increased use of the `object-src` directive, which has surpassed `connect-src` and `frame-src`. Since 2022, the usage of `object-src` has risen by 15.9% for desktop and 16.8% for mobile.
 
-Among the most notable decreases in usage is `default-src`, the catch-all directive. This decline could be explained by the increasing use of CSP for purposes beyond content inclusion, such as enforcing HTTP upgrades to HTTPS or controlling the embedding of the current page – situations where `default-src` is not applicable, as these directives don't fallback to it. This change in CSP purpose is confirmed by the most prevalent CSP headers listed in Table [TODO 1], which all have seen an increase in usage since 2022. However, directives like `upgrade-insecure-requests` and `block-all-mixed-content`, while part of these most common CSP headers, are being used less overall, as seen in Table [TODO 2].
+Among the most notable decreases in usage is `default-src`, the catch-all directive. This decline could be explained by the increasing use of CSP for purposes beyond content inclusion, such as enforcing HTTP upgrades to HTTPS or controlling the embedding of the current page – situations where `default-src` is not applicable, as these directives don't fallback to it. This change in CSP purpose is confirmed by the most prevalent CSP headers listed in Table [TODO 1], which all have increased usage since 2022. However, directives like `upgrade-insecure-requests` and `block-all-mixed-content`, while part of these most common CSP headers, are used less overall, as seen in Table [TODO 2].
 
 #### Keywords for `script-src`
 
-One of the most important directives of CSP is `script-src`, as curbing the scripts that can be embedded in the website hinders potential adversaries greatly. This directive can be used with several attribute keywords.
+One of the most important directives of CSP is `script-src`, as curbing the scripts that can be embedded in the website greatly hinders potential adversaries. This directive can be used with several attribute keywords.
 
 {{ figure_markup(
   image="csp-script-src-keywords.png",
@@ -479,7 +485,7 @@ One of the most important directives of CSP is `script-src`, as curbing the scri
   )
 }}
 
-The `unsafe-inline` and `unsafe-eval` directives can significantly reduce the security benefits provided by CSP. The `unsafe-inline` directive permits the execution of inline scripts, while `unsafe-eval` allows the use of the eval JavaScript function. Unfortunately, the use of these insecure practices remains widespread, demonstrating the challenges of avoiding use of inline scripts and use of the `eval` function.
+The `unsafe-inline` and `unsafe-eval` directives can significantly reduce the security benefits CSP provides. The `unsafe-inline` directive permits the execution of inline scripts, while `unsafe-eval` allows using the eval JavaScript function. Unfortunately, the use of these insecure practices remains widespread, demonstrating the challenges of avoiding use of inline scripts and use of the `eval` function.
 
 <figure>
   <table>
@@ -516,11 +522,11 @@ The `unsafe-inline` and `unsafe-eval` directives can significantly reduce the se
   <figcaption>{{ figure_link(caption="Relative usage change of CSP `script-src` keywords", sheets_gid="2075772620", sql_file="csp_script_source_list_keywords.sql") }}</figcaption>
 </figure>
 
-However, the increasing adoption of the `nonce-` and `strict-dynamic` keywords is a positive development. By using the `nonce-` keyword, a secret nonce can be defined, allowing only inline scripts with the correct nonce to execute. This approach is a secure alternative to the unsafe-inline directive for permitting inline scripts. When used in combination with the `strict-dynamic` keyword, nonced scripts are permitted to import additional scripts from any origin. This approach simplifies secure script loading for developers, as it allows them to trust a single nonced script, which can then securely load other necessary resources.
+However, the increasing adoption of the `nonce-` and `strict-dynamic` keywords is a positive development. Using the `nonce-` keyword can define a secret nonce, allowing only inline scripts with the correct nonce to execute. This approach is a secure alternative to the unsafe-inline directive for permitting inline scripts. Nonced scripts can import additional scripts from any origin when combined with the `strict-dynamic` keyword. This approach simplifies secure script loading for developers, allowing them to trust a single nonced script, which can then securely load other necessary resources.
 
 #### Allowed hosts
 
-CSP is often regarded as one of the more complex security policies, partly due to the detailed policy language, providing fine-grained control over resource inclusion.
+CSP is often regarded as one of the more complex security policies, partly because its detailed policy language provides fine-grained control over resource inclusion.
 
 {{ figure_markup(
   image="csp-header-length.png",
@@ -532,17 +538,17 @@ CSP is often regarded as one of the more complex security policies, partly due t
   )
 }}
 
-Reviewing the observed CSP header lengths, we find that 75% of all headers are 75 bytes or shorter. For context, the longest policy among the [Most Prevalent CSP Definitions] Table is also 75 bytes. At the 90th percentile, desktop policies reach 504 bytes and mobile policies 368 bytes, indicating that many websites find it necessary to implement relatively lengthy Content Security Policies. However, when analyzing the distribution of unique allowed hosts across all policies, the 90th percentile shows just 2 unique hosts.
+Reviewing the observed CSP header lengths, we find that 75% of all headers are 75 bytes or shorter. For context, the longest policy among the [Most Prevalent CSP Definitions] Table is also 75 bytes. At the 90th percentile, desktop policies reach 504 bytes and mobile policies 368 bytes, indicating that many websites must implement relatively lengthy Content Security Policies. However, when analyzing the distribution of unique allowed hosts across all policies, the 90th percentile shows just two unique hosts.
 
-The highest number of unique allowed hosts in a policy was 1,020, while the longest Content Security Policy header reached 65,535 bytes. However, this latter header is inflated by a large number of repeated `,` characters for unknown reasons. The second longest CSP header, which is valid, spans 33,123 bytes. This unusually large size is due to hundreds of occurrences of the `adservice.google` domain, each with variations in the top-level domain. Excerpt:
+The most unique allowed hosts in a policy was 1,020, while the longest Content Security Policy header reached 65,535 bytes. However, this latter header is inflated by many repeated `,` characters for unknown reasons. The second longest CSP header, which is valid, spans 33,123 bytes. This unusually large size is due to hundreds of occurrences of the `adservice.google` domain, each with variations in the top-level domain. Excerpt:
 
 ```
 adservice.google.com adservice.google.ad adservice.google.ae …
 ```
 
-This suggests that the long tail of excessively large CSP headers is likely caused by computer-generated exhaustive lists of origins. Although this may seem like a specific edge case, it highlights a limitation of CSP: the lack of regex functionality, which could otherwise provide a more efficient and elegant solution to handle such cases. However, depending on the websites implementation, this issue could also be solved by employing the `strict-dynamic`and `nonce-` keyword in the `script-src` directive, which enables the allowed script with nonce to load additional scripts.
+This suggests that the long tail of excessively large CSP headers is likely caused by computer-generated exhaustive lists of origins. Although this may seem like a specific edge case, it highlights a limitation of CSP: the lack of regex functionality, which could otherwise provide a more efficient and elegant solution to handle such cases. However, depending on the websites implementation, this issue could also be solved by employing the `strict-dynamic` and `nonce-` keyword in the `script-src` directive, which enables the allowed script with nonce to load additional scripts.
 
-The most common HTTPS origins included in CSP headers are used for loading fonts, ads and other media fetched from CDNs:
+The most common HTTPS origins included in CSP headers are used for loading fonts, ads, and other media fetched from CDNs:
 
 <figure>
   <table>
@@ -651,13 +657,13 @@ As for WSS origins, used for allowing WebSockets connections to certain origins,
   <figcaption>{{ figure_link(caption="Most frequently allowed WS(S) hosts in CSP policies", sheets_gid="1790517281", sql_file="csp_allowed_host_frequency_wss.sql") }}</figcaption>
 </figure>
 
-Two of these origins are related to customer service and ticketing (`intercom.io`, `zopim.com`), one is used for website analytics (`hotjar.com`), and two are associated with social media (`www.livejournal.com`, `quora.com`). For four out of the five websites, we found specific instructions on how to add the origin to the website's content security policy. This is considered good practice, as it discourages website administrators from using wildcards to allow third-party resources, which would reduce security by allowing broader access than necessary.
+Two of these origins are related to customer service and ticketing (`intercom.io`, `zopim.com`), one is used for website analytics (`hotjar.com`), and two are associated with social media (`www.livejournal.com`, `quora.com`). For four of the five websites, we found specific instructions on how to add the origin to the website's content security policy. This is considered good practice, as it discourages website administrators from using wildcards to allow third-party resources, which would reduce security by allowing broader access than necessary.
 
 ### Subresource Integrity
 
 While CSP is a powerful tool for ensuring that resources are only loaded from trusted origins, there remains a risk that those resources could be tampered with. For instance, a script might be loaded from a trusted CDN, but if that CDN suffers a security breach and its scripts are compromised, any website using one of those scripts could become vulnerable as well.
 
-[Subresource Integrity (SRI)](https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity) provides a safeguard against this risk. By using the `integrity` attribute in `<script>` and `<link>` tags, a website can specify the expected hash of a resource. If the hash of the received resource does not match the expected hash, the browser will refuse to render the resource, thereby protecting the website from potentially compromised content.
+[Subresource Integrity (SRI)](https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity) provides a safeguard against this risk. Using the `integrity` attribute in `<script>` and `<link>` tags, a website can specify the expected hash of a resource. If the hash of the received resource does not match the expected hash, the browser will refuse to render the resource, thereby protecting the website from potentially compromised content.
 
 {{ figure_markup(
   content="23%",
@@ -679,7 +685,7 @@ SRI is used by 23.2% and 21.3% of all observed pages for desktop and mobile resp
   )
 }}
 
-The adoption of Subresource Integrity seems to be stagnating, with the median percentage of scripts checked against a hash remaining at 3.23% for both desktop and mobile. This figure has remained virtually unchanged since 2022.
+The adoption of Subresource Integrity seems to be stagnating. The median percentage of scripts checked against a hash remains at 3.23% for both desktop and mobile, and this figure has remained unchanged since 2022.
 
 <figure>
   <table>
@@ -736,11 +742,11 @@ The adoption of Subresource Integrity seems to be stagnating, with the median pe
   <figcaption>{{ figure_link(caption="Most common hosts from which SRI-protected scripts are included", sheets_gid="1612151810", sql_file="sri_popular_hosts.sql") }}</figcaption>
 </figure>
 
-Most of the hosts from which resources are fetched and protected by SRI are CDNs. A notable difference from 2022's data is the absence of `cdn.shopify.com` from the top hosts list (previously 22% on desktop and 23% on mobile). This is due to Shopify having dropped SRI in favor of similar functionality provided by the `integrity` attribute of `importmap`, which they explain in a <a hreflang="en" href="https://shopify.engineering/shipping-support-for-module-script-integrity-in-chrome-safari#">blogpost</a>.
+Most hosts from which resources are fetched and protected by SRI are CDNs. A notable difference from 2022's data is the absence of `cdn.shopify.com` from the top hosts list (previously 22% on desktop and 23% on mobile). This is due to Shopify having dropped SRI in favor of similar functionality provided by the `integrity` attribute of `importmap`, which they explain in a <a hreflang="en" href="https://shopify.engineering/shipping-support-for-module-script-integrity-in-chrome-safari#">blogpost</a>.
 
 ### Permissions Policy
 
-The [Permissions Policy](https://developer.mozilla.org/docs/Web/HTTP/Permissions_Policy) (formerly known as the Feature Policy) is a set of mechanisms that allow websites to control which browser features can be accessed on a webpage, such as geolocation, webcam, microphone, and more. By using the Permissions Policy, websites can restrict feature access for both the main site and any embedded content, enhancing security and protecting user privacy. This is configured through the `Permissions-Policy` response header for the main site and all its embedded `<iframe>` elements,. Additionally, web administrators can set individual policies for specific `<iframe>` elements using their `allow` attribute.
+The [Permissions Policy](https://developer.mozilla.org/docs/Web/HTTP/Permissions_Policy) (formerly known as the Feature Policy) is a set of mechanisms that allow websites to control which browser features can be accessed on a webpage, such as geolocation, webcam, microphone, and more. Using the Permissions Policy, websites can restrict feature access for the main site and any embedded content, enhancing security and protecting user privacy. This is configured through the `Permissions-Policy` response header for the main site and all its embedded `<iframe>` elements,. Additionally, web administrators can set individual policies for specific `<iframe>` elements using their `allow` attribute.
 
 {{ figure_markup(
   content="+1.3%",
@@ -750,7 +756,7 @@ The [Permissions Policy](https://developer.mozilla.org/docs/Web/HTTP/Permissions
   sql_file="security_headers_prevalence.sql",
 ) }}
 
-In 2022, the adoption of the `Permissions-Policy` header saw a significant relative increase of 85%. However, from 2022 to this year, the growth rate has drastically slowed to just 1.3%. This is expected, as the Feature Policy was renamed to Permissions Policy at the end of 2020, resulting in an initial peak. In the following years, growth has remained very low since the header is still supported exclusively by Chromium-based browsers.
+In 2022, adopting the `Permissions-Policy` header saw a significant relative increase of 85%. However, from 2022 to this year, the growth rate has drastically slowed to just 1.3%. This is expected, as the Feature Policy was renamed to the Permissions Policy at the end of 2020, resulting in an initial peak. In the following years, growth has remained very low since the header is still supported exclusively by Chromium-based browsers.
 
 <figure>
   <table>
@@ -804,7 +810,7 @@ In 2022, the adoption of the `Permissions-Policy` header saw a significant relat
 
 Only 2.8% of desktop hosts and 2.5% of mobile hosts set the policy using the `Permissions-Policy` response header. The policy is primarily used to exclusively opt out of Google’s Federated Learning of Cohorts (FLoC); 21.3% of hosts that implement the `Permissions-Policy` header set the policy as `interest-cohort=()`. This usage is partly due to the controversy that FLoC sparked during its trial period. Although FLoC was ultimately replaced by the Topics API,  the continued use of the `interest-cohort` directive highlights how specific concerns can shape the adoption of web policies.
 
-All other observed headers with at least 2% of hosts implementing them, are aimed at restricting the permission capabilities of the website itself and/or its embedded `<iframe>` elements. Similar to the Content Security Policy, the Permissions Policy is “open by default” instead of “secure by default”; absence of the policy entails absence of protection. This approach aims to avoid breaking website functionality when introducing new policies. Notably, 0.28% of sites explicitly use the `*` wildcard policy, allowing the website and all embedded `<iframe>` elements (where no more restrictive `allow` attribute is present) to request any permission - though this is the default behavior when the Permissions Policy is not set.
+All other observed headers, with at least 2% of hosts implementing them, are aimed at restricting the permission capabilities of the website itself and/or its embedded `<iframe>` elements. Similar to the Content Security Policy, the Permissions Policy is “open by default” instead of “secure by default”; absence of the policy entails absence of protection. This approach aims to avoid breaking website functionality when introducing new policies. Notably, 0.28% of sites explicitly use the `*` wildcard policy, allowing the website and all embedded `<iframe>` elements (where no more restrictive `allow` attribute is present) to request any permission - though this is the default behavior when the Permissions Policy is not set.
 
 The Permissions Policy can also be defined individually for each embedded `<iframe>` through its `allow` attribute. For example, an `<iframe>` can be permitted to use the geolocation and camera permissions by setting the attribute as follows:
 
@@ -812,7 +818,7 @@ The Permissions Policy can also be defined individually for each embedded `<ifra
 <iframe src="https://example.com" allow="geolocation 'self'; camera *;"></iframe>
 ```
 
-Out of the 21.4 million `<iframe>` elements observed in the crawl, half included the `allow` attribute. This marks a significant increase compared to **even just the previous month**, when only 21% of `<iframe>` elements had the `allow` attribute - indicating that its usage has more than doubled in just one month. A plausible explanation for this rapid change is that one or several widely-used third-party services have propagated this update across their `<iframe>` elements. Given the ad-specific directives we now observe (displayed in the table below, row 1 and 3) - none of which were present in 2022 - it is likely that an ad service is responsible for this shift.
+Half of the 21.4 million `<iframe>` elements observed in the crawl included the `allow` attribute. This marks a significant increase compared to **even just the previous month**, when only 21% of `<iframe>` elements had the `allow` attribute - indicating that its usage has more than doubled in just one month. A plausible explanation for this rapid change is that one or several widely-used third-party services have propagated this update across their `<iframe>` elements. Given the ad-specific directives we now observe (displayed in the table below, row 1 and 3) - none of which were present in 2022 - it is likely that an ad service is responsible for this shift.
 
 <figure>
   <table>
@@ -883,9 +889,9 @@ Compared to 2022, the top 10 most common directives are now led by three newly i
 
 ### Iframe sandbox
 
-Embedding third-party websites within `<iframe>` elements always carries risks, though it might be necessary to enrich a web application's functionality. Website administrators should be aware that a rogue `<iframe>` can exploit several mechanisms to harm users, such as launching pop-ups or redirecting the top-level page to a malicious domain.
+Embedding third-party websites within `<iframe>` elements always carries risks, though enriching a web application's functionality might be necessary. Website administrators should be aware that a rogue `<iframe>` can exploit several mechanisms to harm users, such as launching pop-ups or redirecting the top-level page to a malicious domain.
 
-These risks can be curbed by employing the `sandbox` attribute on `<iframe>` elements. Doing this, the content loaded within is restricted to rules defined by the attribute, and can be used to prevent the embedded content from abusing capabilities. When provided with an empty string as value, the policy is strictest. However, this policy can be relaxed by adding specific directives, of which each has their own specific relaxation rules. For example, the following `<iframe>` would allow the embedded webpage to run scripts:
+These risks can be curbed using the `sandbox` attribute on `<iframe>` elements. Doing this, the content loaded within is restricted to rules defined by the attribute, and can be used to prevent the embedded content from abusing capabilities. When provided with an empty string as value, the policy is strictest. However, this policy can be relaxed by adding specific directives, of which each has its own particular relaxation rules. For example, the following `<iframe>` would allow the embedded webpage to run scripts:
 
 ```html
 <iframe src="https://example.com" sandbox="allow-scripts"></iframe>
@@ -903,7 +909,7 @@ The `sandbox` attribute was observed in 28.4% and 27.5% of `<iframe>` elements f
   )
 }}
 
-More than 98% of pages that have the `sandbox` attribute set in an iframe, use it to allow scripts in the embedded webpage, using the `allow-scripts` directive.
+More than 98% of pages with the `sandbox` attribute set in an iframe, use it to allow scripts in the embedded webpage, using the `allow-scripts` directive.
 
 ## Attack preventions
 
@@ -931,9 +937,9 @@ The strongest absolute risers since 2022 are `Strict-Transport-Security` (+5.3%)
 
 ### Preventing clickjacking with CSP and `X-Frame-Options`
 
-As discussed in Section [TODO: ref], one of the primary uses of the Content Security Policy (CSP) is to prevent clickjacking attacks. This is achieved through the `frame-ancestors` directive, which allows websites to specify which origins are permitted to embed their pages within a frame. As shown in Table [TODO: ref], this directive is commonly used to either completely prohibit embedding or restrict it to the same origin.
+As discussed in Section [TODO: ref], one of the primary uses of the Content Security Policy (CSP) is to prevent clickjacking attacks. This is achieved through the `frame-ancestors` directive, which allows websites to specify which origins are permitted to embed their pages within a frame. As shown in Table [TODO: ref], this directive is commonly used to either prohibit entirely embedding or restrict it to the same origin.
 
-Another measure against clickjacking is the [`X-Frame-Options` (XFO](https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options)) header, though it provides less granular control compared to CSP. The XFO header can be set to `SAMEORIGIN`, allowing the page to be embedded only by other pages from the same origin, or `DENY`, which completely blocks any embedding of the page. As shown in the table below, most headers are configured to relax the policy by allowing same-origin websites to embed the page.
+Another measure against clickjacking is the [`X-Frame-Options` (XFO](https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options)) header, though it provides less granular control compared to CSP. The XFO header can be set to `SAMEORIGIN`, allowing the page to be embedded only by other pages from the same origin, or `DENY`, which completely blocks any embedding of the page. The table below shows that most headers are configured to relax the policy by allowing same-origin websites to embed the page.
 
 <figure>
   <table>
@@ -964,9 +970,9 @@ Although deprecated, 0.6% of observed `X-Frame-Options` headers on desktop and 0
 
 ### Preventing attacks using Cross-Origin policies
 
-One of the core principles of the Web is the reuse and embedding of cross-origin resources. However, our security perspective on this practice has significantly shifted with the emergence of micro-architectural attacks like Spectre and Meltdown, and Cross-Site Leaks (<a hreflang="en" href="https://xsleaks.dev/">XS-Leaks</a>) that leverage side-channels to uncover potentially sensitive user information. These threats have created a growing need for mechanisms to control whether and how resources can be rendered by other websites, whilst ensuring better protection against these new exploits.
+One of the core principles of the Web is the reuse and embedding of cross-origin resources. However, our security perspective on this practice has significantly shifted with the emergence of micro-architectural attacks like Spectre and Meltdown, and Cross-Site Leaks (<a hreflang="en" href="https://xsleaks.dev/">XS-Leaks</a>) that leverage side-channels to uncover potentially sensitive user information. These threats have created a growing need for mechanisms to control whether and how other websites can render resources while ensuring better protection against these new exploits.
 
-This demand led to the introduction of several new security headers collectively known as *Cross-Origin* policies: `Cross-Origin-Resource-Policy` (CORP), `Cross-Origin-Embedder-Policy` (COEP) and `Cross-Origin-Opener-Policy` (COOP). These headers provide robust countermeasures against side-channel attacks by controlling how resources are shared and embedded across origins. Adoption of these policies has been steadily increasing, with the use of Cross-Origin-Opener-Policy nearly doubling each year for the past two years.
+This demand led to the introduction of several new security headers collectively known as *Cross-Origin* policies: `Cross-Origin-Resource-Policy` (CORP), `Cross-Origin-Embedder-Policy` (COEP) and `Cross-Origin-Opener-Policy` (COOP). These headers provide robust countermeasures against side-channel attacks by controlling how resources are shared and embedded across origins. Adoption of these policies has been steadily increasing, with the use of Cross-Origin-Opener-Policy nearly doubling yearly for the past two years.
 
 {{ figure_markup(
   image="cross-origin-headers-trend.png",
@@ -1014,7 +1020,7 @@ The [Cross Origin Embedder Policy](https://developer.mozilla.org/docs/Web/HTTP/H
   <figcaption>{{ figure_link(caption="Prevalence of COEP header values", sheets_gid="906872096", sql_file="coep_header_prevalence.sql") }}</figcaption>
 </figure>
 
-The majority of websites that set the `Cross-Origin-Embedder-Policy` header indicate that they do not require access to the powerful features mentioned above (`unsafe-none`). This behavior is also the default if the COEP header is absent, meaning that websites will automatically operate under restricted access to cross-origin resources unless explicitly configured otherwise.
+Most websites that set the `Cross-Origin-Embedder-Policy` header indicate that they do not require access to the powerful features mentioned above (`unsafe-none`). This behavior is also the default if the COEP header is absent, meaning that websites will automatically operate under restricted access to cross-origin resources unless explicitly configured otherwise.
 
 #### Cross Origin Resource Policy
 
@@ -1050,11 +1056,11 @@ Conversely, websites that serve resources can use the [`Cross-Origin-Resource-Po
   <figcaption>{{ figure_link(caption="Prevalence of CORP header values", sheets_gid="1177421176", sql_file="corp_header_prevalence.sql") }}</figcaption>
 </figure>
 
-The CORP header is primarily used to allow access to the served resource from any origin, with the `cross-origin` value being the most commonly set. In fewer cases, the header restricts access: less than 5% of websites limit resources to the same origin, and less than 4% restrict them to the same site.
+The CORP header is primarily used to access the served resource from any origin, with the `cross-origin` value being the most commonly set. In fewer cases, the header restricts access: less than 5% of websites limit resources to the same origin, and less than 4% restrict them to the same site.
 
 #### Cross Origin Opener Policy
 
-[Cross Origin Opener Policy](https://developer.mozilla.org/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) (COOP) helps control how other web pages can open and reference the protected page. COOP protection can be explicitly disabled with `unsafe-none`, which is also the default behavior in absence of the header. The `same-origin` value allows references from pages with the same origin and `same-origin-allow-popups` additionally allows references with windows or tabs. Similar to the Cross Origin Embedder Policy, features like the `SharedArrayBuffer` and `Performance.now()` are restricted unless COOP is configured as `same-origin`.
+[Cross Origin Opener Policy](https://developer.mozilla.org/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) (COOP) helps control how other web pages can open and reference the protected page. COOP protection can be explicitly disabled with `unsafe-none`, which is also the default behavior without the header. The `same-origin` value allows references from pages with the same origin and `same-origin-allow-popups` additionally allows references with windows or tabs. Similar to the Cross Origin Embedder Policy, features like the `SharedArrayBuffer` and `Performance.now()` are restricted unless COOP is configured as `same-origin`.
 
 <figure>
   <table>
@@ -1092,7 +1098,7 @@ Nearly half of all observed COOP headers employ the strictest setting, `same-ori
 
 The [`Clear-Site-Data` header](https://developer.mozilla.org/docs/Web/HTTP/Headers/Clear-Site-Data) allows websites to easily clear browsing data associated with them, including cookies, storage, and cache. This is particularly useful as a security measure when a user logs out, ensuring that authentication tokens and other sensitive information are removed and cannot be abused. The header's value specifies what types of data the website requests the browser to clear.
 
-Adoption of the `Clear-Site-Data` header remains limited; our observations indicate that only 2,071 hosts (0.02% of all hosts) use this header. However, this functionality is primarily useful on logout pages, which the crawler does not capture. To investigate logout pages, the crawler would need to be extended to detect and interact with account registration, login, and logout functionality – an undertaking that would require quite some effort. Some progress has already been made in this area by security and privacy researchers, such as automating logins to web pages [ref to <a hreflang="en" href="https://www.ndss-symposium.org/wp-content/uploads/2020/02/23008-paper.pdf">Shepherd: a Generic Approach to Automating Website Login</a>], and automating registering [ref to <a hreflang="en" href="https://dl.acm.org/doi/pdf/10.1145/3589334.3645709">Automating Website Registration for Studying GDPR Compliance</a>].
+Adoption of the `Clear-Site-Data` header remains limited; our observations indicate that only 2,071 hosts (0.02% of all hosts) use this header. However, this functionality is primarily useful on logout pages, which the crawler does not capture. The crawler would need to be extended to investigate logout pages to detect and interact with account registration, login, and logout functionality – an undertaking that would require quite some effort. Some progress has already been made in this area by security and privacy researchers, such as automating logins to web pages [ref to <a hreflang="en" href="https://www.ndss-symposium.org/wp-content/uploads/2020/02/23008-paper.pdf">Shepherd: a Generic Approach to Automating Website Login</a>], and automating registering [ref to <a hreflang="en" href="https://dl.acm.org/doi/pdf/10.1145/3589334.3645709">Automating Website Registration for Studying GDPR Compliance</a>].
 
 <figure>
   <table>
@@ -1159,7 +1165,7 @@ Adoption of the `Clear-Site-Data` header remains limited; our observations indic
   <figcaption>{{ figure_link(caption="Prevalence of `Clear-Site-Data` headers", sheets_gid="910609664", sql_file="clear-site-data_value_prevalence.sql") }}</figcaption>
 </figure>
 
-Current usage data shows that the `Clear-Site-Data header` is predominantly used to clear cache. It's important to note that the values in this header must be enclosed in quotation marks; for instance, `cache` is incorrect and should be written as `"cache"`. Interestingly, there has been significant improvement in adherence to this syntax rule: in 2022, 65% of desktop and 63% of mobile websites were found using the incorrect `cache` value. However, these numbers have now dropped to 22% and 23% for desktop and mobile, respectively.
+Current usage data shows that the `Clear-Site-Data header` is predominantly used to clear cache. It's important to note that the values in this header must be enclosed in quotation marks; for instance, `cache` is incorrect and should be written as `"cache"`. Interestingly, there has been significant improvement in adherence to this syntax rule: in 2022, 65% of desktop and 63% of mobile websites used the incorrect `cache` value. However, these numbers have now dropped to 22% and 23% for desktop and mobile, respectively.
 
 ### Preventing attacks using `<meta>`
 
@@ -1195,11 +1201,11 @@ Some security mechanisms on the web can be configured through `meta` tags in the
   <figcaption>{{ figure_link(caption="The percentage of hosts enabling different policies using a meta tag", sheets_gid="1466205888", sql_file="TODO.sql") }}</figcaption>
 </figure>
 
-Developers sometimes also try to enable other security features by using the `meta` tag, which is not allowed and will thus be ignored. Using the same example as in 2022, `4976` pages try to set the `X-Frame-Options` using a `meta` tag, which will be ignored by the browser. This is an absolute increase compared to 2022, but only because there were more than twice as many pages included in the data set. Relatively, there is a slight decrease from 0.04% to 0.03% on  mobile pages and 0.05% to 0.03% on desktop pages.
+Developers sometimes try to enable other security features by using the `meta` tag, which is not allowed and will thus be ignored. Using the same example as in 2022, `4976` pages try to set the `X-Frame-Options` using a `meta` tag, which will be ignored by the browser. This is an absolute increase compared to 2022, but only because there were more than twice as many pages included in the data set. Relatively, there is a slight decrease from 0.04% to 0.03% on  mobile pages and 0.05% to 0.03% on desktop pages.
 
 ### Web Cryptography API
 
-<a hreflang="en" href="https://www.w3.org/TR/WebCryptoAPI/">Web Cryptography API</a> is a JavaScript API for performing basic cryptographic operations on a website such as random number generation, hashing, signature generation and verification, and encryption and decryption.
+<a hreflang="en" href="https://www.w3.org/TR/WebCryptoAPI/">Web Cryptography API</a> is a JavaScript API for performing basic cryptographic operations on a website such as random number generation, hashing, signature generation, and verification, and encryption and decryption.
 
 <figure>
   <table>
@@ -1266,11 +1272,15 @@ Developers sometimes also try to enable other security features by using the `me
   <figcaption>{{ figure_link(caption="The usages of features of the Web Cryptography API", sheets_gid="527224984", sql_file="web_cryptography_api.sql") }}</figcaption>
 </figure>
 
-In comparison to the last Almanac, the CryptoGetRandomValues continued to drop and it did so at a much higher rate in the past two years, dropping down to 53%. Despite that drop, it clearly continues to be the most adopted feature, far ahead of the other features. After CryptoGeRandomValues, the next five most used features have become more widely adopted, rising from under 0.7% to adoption rates between 1.3% and 2%.
+Compared to the last Almanac, the CryptoGetRandomValues continued to drop at a much higher rate in the past two years, dropping to 53%. Despite that drop, it continues to be the most adopted feature, far ahead of the other features. After CryptoGeRandomValues, the following five most used features have become more widely adopted, rising from under 0.7% to adoption rates between 1.3% and 2%.
+
+Comment: Maybe name the trailing 5 features here so it becomes clearer with their associate adoption rate?
 
 ### Bot protection services
 
-Because bad bots remain a significant issue on the modern web, we see that the adoption of protections against bots has continued to rise. We observe another jump in adoption from 29% of desktop sites and 26% of mobile sites in 2022 to 33% and 32% respectively now. It seems that developers have invested in protecting more mobile websites, bringing the number of protected desktop and mobile sites closer together.
+Because bad bots remain a significant issue on the modern web, we see that the adoption of protections against bots has continued to rise. We observe another jump in adoption from 29% of desktop sites and 26% of mobile sites in 2022 to 33% and 32%, respectively, now. Developers seem to have invested in protecting more mobile websites, bringing the number of protected desktop and mobile sites closer together.
+
+Comment: Are these the "bad bots" from the introduction? If so, use coherent naming
 
 {{ figure_markup(
   image="bot-protection.png",
@@ -1282,13 +1292,15 @@ Because bad bots remain a significant issue on the modern web, we see that the a
   )
 }}
 
-reCAPTCHA remains the largest protection mechanism in use, but has seen a reduction in its use. In comparison, Cloudflare Bot Management has seen an increase in adoption and remains the second largest protection in use.
+reCAPTCHA remains the largest protection mechanism in use but has seen a reduction in use. In comparison, Cloudflare Bot Management has seen an increase in adoption and remains the second largest protection mechanism in use.
 
 ### HTML sanitization
 
-A new addition to major browsers are the `setHTMLUnsafe` and `ParseHTMLUnsafe` APIs, that allow a developer to <a hreflang="en" href="https://developer.chrome.com/blog/new-in-chrome-124#dsd">use a declarative shadow DOM from JavaScript</a>. When a developer uses custom HTML components from JavaScript that include a definition for a declarative shadow DOM using `<template shadowrootmode="open">...</template>`, using `innerHTML` to place this component on the page will not work as expected. This can be prevented by using the alternative `setHTMLUnsafe` that makes sure the declarative shadow DOM is taken into account.
+A new addition to major browsers are the `setHTMLUnsafe` and `ParseHTMLUnsafe` APIs, which allow a developer to <a hreflang="en" href="https://developer.chrome.com/blog/new-in-chrome-124#dsd">use a declarative shadow DOM from JavaScript</a>. When a developer uses custom HTML components from JavaScript that includes a definition for a declarative shadow DOM using `<template shadowrootmode="open">...</template>`, using `innerHTML` to place this component on the page will not work as expected. This can be prevented by using the alternative `setHTMLUnsafe` that ensures the declarative shadow DOM is considered.
 
-When using these APIs, developers must be careful to only pass already safe values to these APIs because as the names imply they are unsafe, meaning they will not sanitize input given, which may lead to XSS attacks.
+When using these APIs, developers must be careful to only pass already safe values to them because, as the names imply, they are unsafe. This means they will not sanitize input given, which may lead to XSS attacks.
+
+Comment: Which name implies that they are unsafe? 
 
 <figure>
   <table>
@@ -1315,20 +1327,23 @@ When using these APIs, developers must be careful to only pass already safe valu
   <figcaption>{{ figure_link(caption="The number of pages using HTML sanitization APIs", sheets_gid="351726153", sql_file="html_sanitization_usage.sql") }}</figcaption>
 </figure>
 
-These APIs are new, so low adoption is to be expected. We found only 6 pages in total using `parseHTMLUnsafe` and 2 using `setHTMLUnsafe`, which is an extremely small number relative to the number of pages visited.
+These APIs are new, so low adoption is to be expected. We found only six pages in total using `parseHTMLUnsafe` and two using `setHTMLUnsafe`, which is a minimal number relative to the number of pages visited.
 
 ## Drivers of security mechanism adoption
 
 Web developers can have many reasons to adopt more security practices. The three primary ones are:
 
-- Societal: in certain countries there is more security-oriented education, or there may be local laws that take more punitive measures in case of a data breach or other cybersecurity-related incident
-- Technological: depending on the technology stack in use, it might be easier to adopt security features. Some features might not be supported and would require additional effort to implement. Adding to that, certain vendors of software might enable security features by default in their products or hosted solutions
+Comment: Maybe weaken this to "In our opinion (or according to this analysis) the three primary reasons are:"
+
+- Societal: in certain countries, there is more security-oriented education, or there may be local laws that take more punitive measures in case of a data breach or other cybersecurity-related incident
+- Technological: It might be easier to adopt security features depending on the technology stack in use. Some features might not be supported and would require additional effort to implement. Adding to that, certain vendors of software might enable security features by default in their products or hosted solutions
 - Popularity: widely popular websites may face more targeted attacks than a website that is less known, but may also attract more security researchers or white hat hackers to look at their products, helping the site implement more security features correctly
 
 ### Location of website
 
-The location where a website  is hosted or its developers are based can often have impacts on adoption of security features. The security awareness among developers will play a role, as they cannot implement features that they aren't aware of. Additionally, local laws can sometimes mandate the adoption of certain security practices.
+The location where a website  is hosted, or its developers are based can often impact the adoption of security features. Developers' security awareness will play a role, as they cannot implement features that they aren't aware of. Additionally, local laws can sometimes mandate the adoption of specific security practices.
 
+Comment: Maybe give an example from the report where adoption rate was low, but it would make sense to adopt it e.g., `___Secure-`prefixes from Session Fixiation
 {{ figure_markup(
   image="https-by-country.png",
   caption="The adoption of HTTPS per country; top and bottom 10 countries.",
@@ -1341,7 +1356,7 @@ The location where a website  is hosted or its developers are based can often ha
   )
 }}
 
-New Zealand continues to lead in the adoption of HTTPS websites, however, many countries are following the adoption extremely closely as the top 9 countries all reach adoption of over 99%! Also the trailing 10 countries have all seen a rise in HTTPS adoption by 9% to 10%, with all countries now reaching adoption above 90%! This shows that almost all countries continue their efforts in making HTTPS the default mode.
+New Zealand continues to lead in the adoption of HTTPS websites. However, many countries are following the adoption extremely closely, as the top 9 countries all reach adoption of over 99%! Also, the trailing 10 countries have all seen a rise in HTTPS adoption by 9% to 10%, with all countries now reaching adoption above 90%! This shows that almost all countries continue their efforts to make HTTPS the default mode.
 
 {{ figure_markup(
   image="csp-xfo-by-country.png",
@@ -1355,7 +1370,7 @@ New Zealand continues to lead in the adoption of HTTPS websites, however, many c
   )
 }}
 
-We see that the top 5 countries in terms of CSP adoption have CSP enabled on almost a quarter of their websites. The trailing countries have also seen an increase in the use of CSP, albeit a more moderate one. In general the adoption of both XFO and CSP remains very varied among countries, and the gap between CSP and XFO remains equally large if not larger compared to 2022, reaching up to 15%.
+The top 5 countries in terms of CSP adoption have CSP enabled on almost a quarter of their websites. The trailing countries have also seen an increase in the use of CSP, albeit a more moderate one. In general, the adoption of both XFO and CSP remains very varied among countries, and the gap between CSP and XFO remains equally large, if not larger, compared to 2022, reaching up to 15%.
 
 ### Technology stack
 
@@ -1411,13 +1426,13 @@ Many sites on the current web are made using large CMS systems. These may enable
   <figcaption>{{ figure_link(caption="Security features in use by selected CMS systems", sheets_gid="TODO", sql_file="TODO.sql") }}</figcaption>
 </figure>
 
-It's clear that many major CMS's that are hosted by the providing company and where only content is created by users, such as Wix, SquareSpace, Google Sites, Medium and Substack, roll out security protections widely, showing adoption of HSTS, X-Content-Type-Options or X-XSS-Protection in the upper 99% adoption rates. Google sites continues to be the CMS that has the highest number of security features in place.
+It's clear that many major CMS's that are hosted by the providing company and where only content is created by users, such as Wix, SquareSpace, Google Sites, Medium and Substack, roll out security protections widely, showing adoption of HSTS, X-Content-Type-Options or X-XSS-Protection in the upper 99% adoption rates. Google sites continues to be the CMS with the highest number of security features.
 
-For CMS's that can be easily self-hosted such as Plone or Wagtail, it is more difficult to control the rollout of features because the CMS creators have no way to influence the update behavior of users. Websites hosted using these CMS's could be online without change in security features for a long time.
+For CMSs that can be easily self-hosted, such as Plone or Wagtail, it is more difficult to control the rollout of features because the CMS creators have no way to influence users' update behavior. Websites hosted using these CMSs could be online for a long time without changes in security features.
 
 ### Website popularity
 
-Large websites often have a high number of visitors and registered users, of which they might store highly sensitive data. This means they likely attract more attackers and are thus more prone to targeted attacks. Additionally, when an attack succeeds, these websites could be fined or sued, costing them money and/or reputational damage. Therefore, it can be expected that popular websites invest more in their security to secure their users.
+Large websites often have many visitors and registered users, of which they might store highly sensitive data. This means they likely attract more attackers and are thus more prone to targeted attacks. Additionally, when an attack succeeds, these websites could be fined or sued, costing them money and reputational damage. Therefore, it can be expected that popular websites invest more in their security to secure users.
 
 {{ figure_markup(
   image="security-headeers-by-rank.png",
@@ -1431,11 +1446,11 @@ Large websites often have a high number of visitors and registered users, of whi
   )
 }}
 
-We find that most headers, including the most popular ones: `X-Frame-Options`, `Strict-Transport-Security`, `X-Content-Type-Options`, `X-XSS-Protection` and `Content-Security-Policy`, always have higher adoptions for more popular sites on mobile. 64.3% of the top 1000 sites on mobile have HSTS enabled. This means the top 1000 websites are more invested in only sending traffic over HTTPS. Less popular sites can still have HTTPS enabled, but don't add a <code>Strict-Transport-Security</code> header as often, which may lead users to repeatedly visit the site over plain HTTP.
+We find that most headers, including the most popular ones: `X-Frame-Options`, `Strict-Transport-Security`, `X-Content-Type-Options`, `X-XSS-Protection` and `Content-Security-Policy`, always have higher adoptions for more popular sites on mobile. 64.3% of the top 1000 sites on mobile have HSTS enabled. This means the top 1000 websites are more invested in only sending traffic over HTTPS. Less popular sites can still have HTTPS enabled, but don't add a <code>Strict-Transport-Security</code> header as often, which may lead users to visit the site over plain HTTP repeatedly.
 
 ### Website category
 
-In some industries, developers might keep more up to date with security features they may be able to use to better secure their sites.
+In some industries, developers might keep more up to date with security features they can use to better secure their sites.
 
 {{ figure_markup(
   image="avg-security-headers-per-site.png",
@@ -1449,11 +1464,12 @@ In some industries, developers might keep more up to date with security features
   )
 }}
 
-We find that there is a subtle difference in the average number of security headers used depending on the categorization of the website. This number does not directly show the overall security of these sites, but might give an insight into which categories of industry are inclined to implement more security features. We see that shopping and finance lead the list, both industries that deal with sensitive information and high amounts of monetary transactions, which may be reasons to invest in security. At the bottom of the list we see news and travel & transportation. Both are categories in which a lot of sites will host content relating to their respective topics, but may not handle much sensitive data compared to sites in the top categories on the list. In general, this trend seems to be weak.
+Depending on the website's categorization, there is a subtle difference in the average number of security headers used. This number does not directly show the overall security of these sites, but it might give insight into which industry categories are inclined to implement more security features. We see that shopping and finance lead the list, both industries that deal with sensitive information and high amounts of monetary transactions, which may be reasons to invest in security. At the bottom of the list we see news and travel & transportation. Both are categories in which many sites will host content relating to their respective topics but may only handle a little sensitive data compared to sites in the top categories on the list. In general, this trend is weak.
+
 
 ## Malpractices on the Web
 
-Although cryptocurrencies remain popular, the number of cryptominers on the web has continued to decrease over the past two years, with no notable spikes in usage anymore as was described in the 2022 edition of the Web Almanac.
+Although cryptocurrencies remain popular, the number of crypto miners on the web has continued to decrease over the past two years, with no notable spikes in usage, as described in the 2022 edition of the Web Almanac.
 
 {{ figure_markup(
   image="cryptominers-trend.png",
@@ -1523,17 +1539,17 @@ Due to their similar naming and purpose, the COEP, CORP and COOP are sometimes d
   <figcaption>{{ figure_link(caption="Prevalence of invalid COEP header values", sheets_gid="906872096", sql_file="coep_header_prevalence.sql") }}</figcaption>
 </figure>
 
-For instance, around 3% of observed COEP headers mistakenly use the unsupported value `same-origin`. When this occurs, browsers revert to the default behavior of allowing any cross-origin resource to be embedded, while restricting access to features like `SharedArrayBuffer` and unthrottled use of `Performance.now()`. This fallback does not inherently reduce security unless the site administrator intended to set `same-origin` for CORP or COOP, where it is a valid value.
+For instance, around 3% of observed COEP headers mistakenly use the unsupported value `same-origin`. When this occurs, browsers revert to the default behavior of allowing any cross-origin resource to be embedded while restricting access to features like `SharedArrayBuffer` and unthrottled use of `Performance.now()`. This fallback does not inherently reduce security unless the site administrator intended to set `same-origin` for CORP or COOP, which is a valid value.
 
-Additionally, only 0.26% of observed COOP headers were set to `cross-origin` and just 0.02% of CORP headers used the value `unsafe-none`. Even if these values were mistakenly applied to the wrong headers, they represent the most permissive policies available. Therefore, these misconfigurations are not considered to decrease security.
+Additionally, only 0.26% of observed COOP headers were set to `cross-origin` and just 0.02% of CORP headers used the value `unsafe-none`. Even if these values were mistakenly applied to the wrong headers, they represent the most permissive policies. Therefore, these misconfigurations are not considered to decrease security.
 
-In addition to cases where valid values intended for one header were mistakenly used for another, we identified several minor instances of syntactical errors across various headers. However, each of these errors accounted for less than 1% of the total observed headers, suggesting that while such mistakes exist, they are relatively infrequent.
+In addition to cases where valid values intended for one header were mistakenly used for another, we identified several minor syntactical errors across various headers. However, these errors accounted for less than 1% of the total observed headers, suggesting they could be more frequent when such mistakes exist.
 
 ### `Timing-Allow-Origin` wildcards
 
 Timing-Allow-Origin is a response header that allows a server to specify a list of origins that are allowed to see values of attributes obtained through features of the [Resource Timing API](https://developer.mozilla.org/docs/Web/API/Performance_API/Resource_timing). This means that an origin listed in this header can access detailed timestamps regarding the connection that is being made to the server, such as the time at the start of the TCP connection, start of the request and start of the response.
 
-When CORS is in effect, many of these timings (including the ones listed above) are returned as 0 to prevent cross-origin leaks. By listing an origin in the Timing-Allow-Origin header this restriction is lifted.
+When CORS is in effect, many of these timings (including those listed above) are returned as 0 to prevent cross-origin leaks. By listing an origin in the Timing-Allow-Origin header this restriction is lifted.
 
 Allowing different origins access to this information should be done with care, because using this information the site loading the resource can potentially execute timing attacks. In our analysis we find that out of all responses with a Timing-Allow-Origin header present, 82.5% percent of Timing-Allow-Origin headers contain the wildcard value, thereby allowing any origin to access the fine grained timing information.
 
@@ -1628,7 +1644,7 @@ The most commonly exposed header is the `Server` header, which reveals the softw
   <figcaption>{{ figure_link(caption="Most prevalent `X-Powered-By` header values with specific framework version", sheets_gid="895726728", sql_file="TODO.sql") }}</figcaption>
 </figure>
 
-Examining the most common values for the `Server` and `X-Powered-By` headers, we found that especially the `X-Powered-By` header specifies versions, with the top 10 values revealing specific PHP versions. For both desktop and mobile, at least 25% of `X-Powered-By` headers contain this information. This header is likely enabled by default on the observed web servers. While it can be useful for analytics, the header's benefits are limited, and thus it warrants to be disabled by default. However, disabling this header alone does not address the security risks of outdated servers; regularly updating the server remains crucial.
+Examining the most common values for the `Server` and `X-Powered-By` headers, we found that the `X-Powered-By` header specifies versions, with the top 10 values revealing specific PHP versions. At least 25% of `X-Powered-By` headers contain this information for both desktop and mobile. This header is likely enabled by default on the observed web servers. While it can be helpful for analytics, the header's benefits are limited, and thus it warrants to be disabled by default. However, disabling this header alone does not address the security risks of outdated servers; regularly updating the server remains crucial.
 
 ### Missing suppression of `Server-Timing` header
 
@@ -1652,7 +1668,8 @@ We find that server-timing is used by 6.4% of internet hosts. Over 60% of those
 
 ### `security.txt`
 
-<a hreflang="en" href="https://datatracker.ietf.org/doc/html/rfc9116"><code>security.txt</code></a> is a file format that can be used by websites to communicate information regarding vulnerability reporting in a standard way. Website developers can provide contact details, PGP key, policy, and other information in this file. White hat hackers and penetration testers can then use this information to report potential vulnerabilities they find during their security analyses. Our analysis shows that 1% of websites currently use a security.txt file, showing that they are actively working on improving their site's security.
+<a hreflang="en" href="https://datatracker.ietf.org/doc/html/rfc9116"><code>security.txt</code></a> is a file format that websites can use to communicate information regarding vulnerability disclosure in a standard way. Website developers can provide contact details, PGP key, policy, and other information in this file. White hat hackers and penetration testers can then use this information to report potential vulnerabilities they find during their security analyses. Our analysis shows that 1% of websites currently use a security.txt file, showing that they are actively working on improving their site's security.
+
 
 {{ figure_markup(
   image="security-text-usage.png",
@@ -1664,11 +1681,11 @@ We find that server-timing is used by 6.4% of internet hosts. Over 60% of those
   )
 }}
 
-Most of the security.txt files include contact information (88.8%) and a preferred language (56.0%). This year, 47.9% of security.txt files define an expiry, which is a giant jump compared to the 2022 2.3%. This can largely be explained by an update to the methodology, as the analysis only includes text files this year instead of simply all responses with code 200, thereby significantly lowering the false positive rate. It does mean that less than half of the sites that use security.txt are following the standard that (among other requirements) defines the expires property as required. Interestingly, only 39% of the security.txt files define a policy, which is the space developers can indicate what steps a white hat hacker that found a vulnerability should take to report the vulnerability.
+Most of the security.txt files include contact information (88.8%) and a preferred language (56.0%). This year, 47.9% of security.txt files define an expiry, a giant jump compared to the 2.3% measured in 2022. An update to the methodology can largely explain this, as the analysis only includes text files this year instead of simply all responses with code 200, thereby significantly lowering the false positive rate. It means that less than half of the sites that use security.txt follow the standard that (among other requirements) defines the "expires" property as required. Interestingly, only 39% of the security.txt files define a policy, which is the developers can indicate what steps a white hat hacker that found a vulnerability should take to report the vulnerability.
 
 ### `change-password`
 
-The <a hreflang="en" href="https://w3c.github.io/webappsec-change-password-url/"><code>change-password</code></a> well-known URI is a W3C specification in the editor's draft state, which is the same state it was in in 2022. This specific well-known URI was suggested as a way for users and softwares to easily identify the link to be used for changing passwords, which means external resources can easily link to that page.
+The <a hreflang="en" href="https://w3c.github.io/webappsec-change-password-url/"><code>change-password</code></a> well-known URI is a W3C specification in the editor's draft state, which is the same state it was in in 2022. This specific well-known URI was suggested as a way for users and software to quickly identify the link to be used for changing passwords, which means external resources can easily link to that page.
 
 {{ figure_markup(
   image="change-password-usage.png",
@@ -1734,8 +1751,10 @@ By refraining from listing indirect sellers, website owners help prevent unautho
 
 Overall, this year's analysis highlights promising trends in web security. HTTPS adoption is nearing 100%, with Let's Encrypt leading the charge by issuing over half of all certificates, making secure connections more accessible. Although the overall adoption of security policies remains limited, it's encouraging to see steady progress with key security headers. Secure-by-default measures, like the `SameSite=Lax` attribute for cookies, are driving website administrators to at least consider important security practices.
 
-However, attention must also be given to poor configurations or even misconfigurations that can weaken these protections. Issues like invalid directives or poorly defined policies can prevent browsers from enforcing security effectively. For instance, 82.5% of all `Timing-Allow-Origin` headers allow any origin to access detailed timing information, which could be abused in timing attacks. Similarly, only 1% of websites enable security issue reporting via `security.txt`, and many still expose their PHP version, an unnecessary risk that can reveal potential vulnerabilities. On the bright side, most of these issues represent low-hanging fruit—addressing them typically requires minimal changes to website implementations.
+However, attention must also be given to poor configurations or misconfigurations that can weaken these protections. Issues like invalid directives or poorly defined policies can prevent browsers from enforcing security effectively. For instance, 82.5% of all `Timing-Allow-Origin` headers allow any origin to access detailed timing information, which could be abused in timing attacks. Similarly, only 1% of websites enable security issue reporting via `security.txt`, and many still expose their PHP version, an unnecessary risk that can reveal potential vulnerabilities. On the bright side, most of these issues represent low-hanging fruit—addressing them typically requires minimal changes to website implementations.
+
+As the number of security policies grows, policymakers must focus on reducing complexity. Reducing implementation friction will make adoption easier and minimize common mistakes. For example, introducing cross-origin headers designed to prevent cross-site leaks and microarchitectural attacks has already confused, with directives from one policy mistakenly applied to another.
 
-As the number of security policies grows, it's essential for policymakers to focus on reducing complexity. Reducing implementation friction will make adoption easier and minimize common mistakes. For example, the introduction of cross-origin headers designed to prevent cross-site leaks and microarchitectural attacks has already caused confusion, with directives from one policy mistakenly applied to another.
+Although new attacks will undoubtedly emerge in the future, demanding new protections, the security community's openness plays a crucial role in developing sound solutions. As we've seen, the adoption of new measures may take time, but progress is being made. Each step  forward brings us closer to a more resilient and secure Web for everyone.
 
-Although new attacks will undoubtedly emerge in the future, demanding new protections, the openness of the security community plays a crucial role in developing sound solutions. As we've seen, the adoption of new measures may take time, but progress is being made. Each step  forward brings us closer to a more resilient and secure Web for everyone.
+Comment: Overall we emphasize "what developers/administrators do/don't do". We could add something about the tools developers use and that they should also make it easier for developers to make the right decision, especially in the complex and ever-changing landscape of the web and its security policies. Sometimes the more secure way is to deprecate insecure standards with the risk that certain applications do not work properly anymore (see TLS 1.1/1.0 deprecation). But maybe this point is too complex to address here.