THE BENCHMARK — CANADIAN MUNICIPAL WEBSITES
See where your municipality ranks.
The Practice runs the same passive-reconnaissance routine against a set of Canadian municipal websites and publishes the result. No marketing claims, no vendor endorsements — just the public surface, graded.
FETCHED 2026-05-05 03:48:51 UTC · 31 / 36 scans complete
RANK · MUNICIPALITY · DOMAIN · SCORE · GRADE · FINDING
01 · Victoria · victoria.ca · 88/100 · B · robots.txt names 2 sensitive paths
02 · Brampton · brampton.ca · 82/100 · B · HSTS max-age is 0 days — short for a municipal site
03 · Surrey · surrey.ca · 82/100 · B · HSTS max-age is 0 days — short for a municipal site
04 · Burlington · burlington.ca · 80/100 · B · No Content-Security-Policy
05 · London · london.ca · 80/100 · B · No published privacy policy on standard paths
06 · Calgary · calgary.ca · 78/100 · C · No published accessibility statement on standard paths
07 · Stratford · stratford.ca · 74/100 · C · No Content-Security-Policy
08 · Edmonton · edmonton.ca · 72/100 · C · SPF policy is permissive (~all)
09 · Saint John · saintjohn.ca · 64/100 · D · No Content-Security-Policy
10 · Ottawa · ottawa.ca · 63/100 · D · No HSTS — HTTPS is not enforced for returning visitors
11 · Hamilton · hamilton.ca · 62/100 · D · hamilton.ca registration expires in 26 days
12 · Richmond · richmond.ca · 58/100 · F · No HSTS — HTTPS is not enforced for returning visitors
13 · Vancouver · vancouver.ca · 58/100 · F · No HSTS — HTTPS is not enforced for returning visitors
14 · Winnipeg · winnipeg.ca · 58/100 · F · No Content-Security-Policy
15 · Mississauga · mississauga.ca · 58/100 · F · No HSTS — HTTPS is not enforced for returning visitors
16 · Kingston · cityofkingston.ca · 55/100 · F · No Content-Security-Policy
17 · Kitchener · kitchener.ca · 54/100 · F · Session-replay scripts on a municipal site (Microsoft Clarity)
18 · Burnaby · burnaby.ca · 52/100 · F · No Content-Security-Policy
19 · Fredericton · fredericton.ca · 52/100 · F · No Content-Security-Policy
20 · Halifax · halifax.ca · 52/100 · F · No HSTS — HTTPS is not enforced for returning visitors
21 · Montréal · montreal.ca · 52/100 · F · No Content-Security-Policy
22 · Yellowknife · yellowknife.ca · 52/100 · F · No Content-Security-Policy
23 · Charlottetown · charlottetown.ca · 50/100 · F · No Content-Security-Policy
24 · Oakville · oakville.ca · 49/100 · F · DMARC published with p=none — monitoring only
25 · Saskatoon · saskatoon.ca · 49/100 · F · Session-replay scripts on a municipal site (Microsoft Clarity)
26 · Vaughan · vaughan.ca · 49/100 · F · No Content-Security-Policy
27 · St. John's · stjohns.ca · 48/100 · F · stjohns.ca registration expires in 8 days
28 · Gatineau · gatineau.ca · 45/100 · F · gatineau.ca registration expires in 47 days
29 · Regina · regina.ca · 43/100 · F · No Content-Security-Policy
30 · Whitehorse · whitehorse.ca · 33/100 · F · No HSTS — HTTPS is not enforced for returning visitors
31 · Wolfville · wolfville.ca · 23/100 · F · No DMARC policy on wolfville.ca
32 · Kelowna · kelowna.ca · — · — · Scan failed: This operation was aborted
33 · Laval · laval.ca · — · — · Scan failed: This operation was aborted
34 · Markham · markham.ca · — · — · Scan failed: This operation was aborted
35 · Toronto · toronto.ca · — · — · Scan failed: This operation was aborted
36 · Truro · truro.ca · — · — · Scan failed: This operation was aborted
Each municipality is scanned by the public passive-reconnaissance routine at /recon. The routine fetches one homepage, audits response headers, checks well-known WordPress files, queries DNS, RDAP, and the Internet Archive, and probes the standard open-data subdomains. Nothing about the scan is intrusive; the same routine is freely available for every reader to run on their own municipality.
The scoring is uniform: 100 minus penalties for each finding (critical 25, high 15, medium 8, low 3, info 0). The grade follows: A 90–100, B 80–89, C 70–79, D 60–69, F below 60. The dataset is regenerated periodically; each row carries the timestamp of its scan.
Inclusion is editorial. The benchmark seeds the 30 most-populous Canadian municipalities plus six smaller anchors that appear in the procurement-bylaw sample on /thresholds. New jurisdictions can be added by request; corrections to specific findings should reach the principal directly.
Dataset generated 2026-05-05 03:48:51 UTC. 31 of 36 scans completed cleanly; the remainder timed out or returned non-2xx — those rows render as "scan failed" rather than being silently dropped.
NEXT STEP
Yours grades poorly? Mine doesn’t have to.
A custom municipal website rebuilt as static infrastructure, sized below your jurisdiction’s direct-award ceiling. The principal answers the phone.