The Alexa Top Websites list (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and to compare the popularity of different websites (Wikipedia).
Mapping information from the Alexa Top Sites is a useful way to gauge the security posture of the internet as a whole. AlexaCheck.py assists by building a PostgreSQL database that stores, for each website, the HTTP response headers, the first resolved IP address, the HTTP response code, and the MX records. The header information also includes the cookies set during the initial connection. The same approach was used to examine the security of the Alexa Top Websites in the research paper CookiExt: Patching the Browser Against Session Hijacking Attacks.
AlexaCheck.py can also take a list of other domains to check for forced TLS encryption and to inspect cookies and other header information.
Specific HTTP Security Risks
The AlexaCheck database allows a particular website to be analysed for security. For example, it shows whether a site enforces encryption for user connections: a 200 OK response to a plain-text request such as http://domain.com (rather than a redirect to https://domain.com) reveals that the site does not strictly force transport layer security (SSL/TLS). Traffic to such a site can be read and modified by anyone positioned between the user and the server, that is, by a MiTM (man in the middle) attacker. If the site offers user accounts and relies on a PHP session cookie (PHPSESSID) as its only means of tracking the user's logged-in state, and that cookie is set without the Secure attribute, the attacker can capture the cookie from the plain-text traffic and replay it, which is a session hijacking attack.
MiTM attacks of this kind are mitigated by redirecting every request for http:// (port 80) to https:// (port 443). Of course you must have a certificate for your domain issued by a certificate authority, but those are available for free from Let's Encrypt (https://letsencrypt.org/), a certificate authority run by the Internet Security Research Group (ISRG) with the Electronic Frontier Foundation (EFF) among its founding sponsors. Certificates can be installed easily using certbot, the EFF's client, and set to renew automatically with a cron job or systemd timer (the packaged versions of certbot install one for you). Running certbot with --redirect also configures the web server to redirect http:// traffic to https://. You will also want to redirect any requests that address the server by its IP address to the domain, since those arrive outside the virtual host certbot configured. Note that a redirect alone does not protect the very first plain-text request a user makes; sending the Strict-Transport-Security header on the https:// site tells the browser to use https:// for all later visits.
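The following Python script is an added example, not AlexaCheck.py itself, of the checks described in the two paragraphs above: whether a plain http:// request gets a 200 OK instead of a redirect to https://, whether the cookies set on that response (a PHPSESSID session cookie in particular) carry the Secure and HttpOnly attributes, and whether the https:// side of a fixed site sends Strict-Transport-Security. The responses in SAMPLES are constructed for the example, not captured from any real site; the .example host names and cookie values are made up, and probe() issues a live request only when you pass host names on the command line.

```python
"""Classify an http:// response the way the text describes: no redirect to
https:// means TLS is not forced, and a session cookie set on that response
without the Secure attribute can be sniffed and replayed.

Added example, not AlexaCheck.py. The sample responses below are constructed.
"""
import sys
import http.client
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Cookie names commonly used as the sole session identifier (assumed list).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirects_to_https(status, headers, host):
    """True when the plain-text response is a redirect whose Location is
    https:// on the same host (or its www. variant)."""
    if status not in REDIRECT_CODES:
        return False
    target = urlsplit(headers.get("location", ""))
    return (target.scheme == "https"
            and (target.hostname or "").lower() in {host, "www." + host})


def cookie_findings(set_cookie_values):
    """One finding per cookie missing Secure or HttpOnly. Session cookies
    are rated high because replaying them hands the attacker the session."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Morsel flags are True when present and "" when absent.
            missing = [attr for attr in ("secure", "httponly") if not morsel[attr]]
            if missing:
                findings.append({
                    "cookie": name,
                    "missing": missing,
                    "severity": "high" if name.lower() in SESSION_COOKIE_NAMES else "low",
                })
    return findings


def assess_http(host, status, headers, set_cookie_values):
    """Assess the response to GET http://host/ (header names in lower case)."""
    enforces_tls = redirects_to_https(status, headers, host)
    cookies = cookie_findings(set_cookie_values)
    # The hijack the text warns about: plain-text 200 OK plus a session cookie
    # that the browser will send over plain HTTP because it lacks Secure.
    hijackable = (status == 200 and not enforces_tls and any(
        f["severity"] == "high" and "secure" in f["missing"] for f in cookies))
    return {"host": host, "status": status, "enforces_tls": enforces_tls,
            "cookies": cookies, "session_hijackable": hijackable}


def hsts_max_age(headers):
    """Return the Strict-Transport-Security max-age in seconds, or 0 if absent.
    Check this on the https:// response, where browsers honour the header."""
    value = headers.get("strict-transport-security", "")
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def probe(host, timeout=10):
    """Live GET of http://host/ (needs network; not used by the samples)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "alexa-check-example"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    return assess_http(host, resp.status, headers, resp.headers.get_all("Set-Cookie") or [])


# Constructed sample responses (status, headers, Set-Cookie values); not real sites.
SAMPLES = {
    "insecure.example": (200, {"content-type": "text/html"},
                         ["PHPSESSID=0123456789abcdef; path=/"]),
    "redirecting.example": (301, {"location": "https://www.redirecting.example/"}, []),
    "flagged.example": (200, {"content-type": "text/html"},
                        ["PHPSESSID=fedcba9876543210; path=/; Secure; HttpOnly",
                         "lang=en; path=/"]),
}

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = ([probe(h) for h in targets] if targets else
               [assess_http(h, *r) for h, r in SAMPLES.items()])
    for r in results:
        print(f"{r['host']}: forces TLS={r['enforces_tls']} "
              f"session hijackable={r['session_hijackable']} cookies={r['cookies']}")
```

Run without arguments to see the three constructed cases: the site that returns 200 OK with an unflagged PHPSESSID is reported as hijackable, the redirecting site as forcing TLS, and the site that sets Secure and HttpOnly on its session cookie as still not forcing TLS (the page itself is readable to a MiTM attacker) but not exposing its session cookie in plain text.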
Create a TLS certificate for Linux Apache servers with Let's Encrypt certbot:
Other Security Headers
Example of an HTTP Header with Some Security Headers Set
 The HTTPS-Only Standard https://https.cio.gov/
 How widely used are security based HTTP response headers? https://scotthelme.co.uk/how-widely-used-are-security-based-http-response-headers/
 Hardening your HTTP response headers https://scotthelme.co.uk/hardening-your-http-response-headers/
 Want to Encrypt All The Things? Firefox has you covered with HTTPS-Only Mode! https://scotthelme.co.uk/tag/https-only-mode/
 Security Headers Updates https://scotthelme.co.uk/security-headers-updates/
 CookiExt: Patching the Browser Against Session Hijacking Attacks, Journal of Computer Security (2015)