What I Learned from Scanning Dozens of Small Government Websites (and Why the Same Bugs Keep Coming)

I built an open-source scanner and pointed it at small U.S. government websites. The same five security mistakes kept showing up: weak HTTPS, no CSP, leaky test files, insecure cookies and outdated JS – plus a simple baseline to fix them.