TL;DR
While 100% of analyzed PEG stations have HTTPS enabled, deeper security layers are universally absent. Zero stations implement HSTS, CSP, or X-Frame-Options headers. One in four (25.4%) serve mixed HTTP/HTTPS content. And 8.8% display browser security warnings due to invalid SSL certificates. This isn’t about checking compliance boxes. When residents visit your site for emergency information and see “Connection Not Secure,” you’ve failed a civic trust test. This brief outlines the security gaps affecting community broadcasters and the path to technical sovereignty.
100% of PEG stations have HTTPS, but 0% implement security headers. The security paradox leaves civic infrastructure exposed.
A Public, Educational, and Governmental (PEG) station is an official voice of a municipality. When a resident visits your site to watch a city council vote or check emergency alerts, they’re extending trust to a public institution. That trust is fragile. A single browser warning can shatter it.
Blue Astral’s 2025 PEG Digital Readiness Study, analyzing 410 community broadcasters, reveals that while basic encryption is universal, the security infrastructure that protects against modern threats is almost entirely missing.
The Security Paradox: HTTPS Everywhere, Protection Nowhere
The good news: every analyzed station (100%) has HTTPS enabled. The sector has achieved the baseline.
The problem: that’s where security ends.
Our audit found that zero stations, not one of the 410 analyzed, implement the three critical security headers that protect against common web attacks:
| Security Header | Implementation Rate | What It Protects Against |
|---|---|---|
| HSTS (HTTP Strict Transport Security) | 0% | Downgrade attacks, SSL stripping |
| CSP (Content Security Policy) | 0% | Cross-site scripting (XSS) |
| X-Frame-Options | 0% | Clickjacking via iframe embeds |
This is a sector-wide vulnerability. Not a gap. Not a weakness. A complete absence of protection.
The Seven Trust Gaps
Blue Astral’s audit identified seven critical security and platform vulnerabilities affecting PEG stations:
1. The SSL Certificate Crisis (8.8%)
Thirty-six stations (8.8%) have invalid SSL certificates. When residents visit these sites, they see browser warnings: “Your connection is not private” or “This site is not secure.”
For a municipal information source, this is catastrophic. Citizens who distrust your connection will distrust your content.
2. The Mixed Content Problem (25.4%)
Over one hundred stations (25.4%, or 104 of 410) serve mixed HTTP/HTTPS content. This means that while the page loads securely, some images, scripts, or embedded content load over unencrypted connections.
Modern browsers flag this with warning icons. More critically, mixed content can be intercepted and modified by attackers, potentially injecting malicious code into an otherwise secure page.
3. The Security Header Void (0%)
As noted above, zero stations implement HSTS, CSP, or X-Frame-Options. Without these headers:
- No HSTS: Attackers can force browsers to connect over HTTP instead of HTTPS, intercepting traffic
- No CSP: Your site is vulnerable to XSS attacks where malicious scripts execute in your visitors’ browsers
- No X-Frame-Options: Your content can be embedded in malicious sites via iframes, enabling clickjacking attacks
These headers are configuration changes, not infrastructure overhauls. They can be implemented in an afternoon. Yet across 410 stations, none have done so.
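A checker for the three headers listed above, as an added example (not code from Blue Astral or the study). The function name, finding labels and both sample responses are constructed for illustration, and the check goes slightly beyond the text by accepting CSP `frame-ancestors` as framing protection alongside X-Frame-Options.

```python
import re

def audit_security_headers(headers):
    """Grade HSTS, CSP and framing protection in a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}

    # HSTS only takes effect with a max-age greater than zero.
    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    if hsts is None:
        findings["HSTS"] = "missing"
    elif age is None or int(age.group(1)) == 0:
        findings["HSTS"] = "ineffective (max-age absent or 0)"
    else:
        findings["HSTS"] = "ok"

    # Split the CSP into directives; the first occurrence of a directive wins.
    csp = h.get("content-security-policy")
    directives = {}
    for part in (csp or "").split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if csp is None:
        findings["CSP"] = "missing"
    elif not directives.keys() & {"default-src", "script-src"}:
        findings["CSP"] = "weak (scripts unrestricted)"
    else:
        findings["CSP"] = "ok"

    # Framing is controlled by X-Frame-Options or by CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in directives:
        findings["framing"] = "ok"
    elif xfo:
        findings["framing"] = "invalid value"
    else:
        findings["framing"] = "missing"
    return findings

# Constructed sample responses (not data from the study).
BARE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, sample in (("bare", BARE), ("hardened", HARDENED)):
        print(name, audit_security_headers(sample))
```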
4. The Legacy Platform Risk (27.3%)
Over one-quarter of stations (27.3%, or 112 of 410) run on platforms our automated tools could not identify. This typically indicates:
- Custom-built or proprietary systems from a decade ago
- Heavily modified legacy platforms without vendor support
- Outdated technology stacks no longer receiving security patches
These 112 stations face elevated risk for security vulnerabilities, vendor lock-in, and costly migrations. When your CMS hasn’t received a security update in three years, every day online is borrowed time.
5. The Analytics Blindspot (53.4%)
Over half of stations (53.4%) lack analytics tools entirely. Without analytics, you cannot detect unusual traffic patterns that might indicate a security incident. You have no visibility into:
- Sudden traffic spikes from suspicious sources
- Pages being accessed in unusual patterns
- Bot activity probing for vulnerabilities
Security monitoring starts with knowing what normal traffic looks like.
6. The Compression and Caching Void (0%)
Zero stations have server compression or cache control headers configured. While this is primarily a performance issue, it also has security implications:
- Without proper caching headers, browsers may cache sensitive content inappropriately
- Missing compression often indicates minimal server configuration attention overall
If basic performance optimization hasn’t been addressed, security hardening almost certainly hasn’t either.
7. The Cookie Configuration Gap
The audit found no cookie security issues in the analyzed stations, but this may reflect minimal use of cookies rather than proper configuration. Stations implementing user accounts, newsletter signups, or member areas must ensure:
- Secure flag on all cookies (HTTPS only)
- HttpOnly flag to prevent JavaScript access
- SameSite attributes to prevent CSRF attacks
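The three cookie attributes above can be checked directly on `Set-Cookie` response headers. This is an added example, not part of the audit tooling; the function names and the sample cookies are constructed, and it adds one case the list implies but does not state: `SameSite=None` is only honored together with `Secure`.

```python
def audit_set_cookie(header_value):
    """Return (cookie name, list of problems) for one Set-Cookie header value."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name = first.split("=", 1)[0]
    # Attribute names are case-insensitive; flag attributes carry no value.
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()

    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite not in ("strict", "lax", "none"):
        problems.append("missing or invalid SameSite")
    elif samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure")
    return name, problems

def audit_cookies(set_cookie_values):
    """Map each cookie name to its problems, keeping only cookies that have any."""
    report = {}
    for value in set_cookie_values:
        name, problems = audit_set_cookie(value)
        if problems:
            report[name] = problems
    return report

# Constructed Set-Cookie values (hypothetical member-area and newsletter cookies).
SAMPLE = [
    "member_session=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "newsletter_id=42; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "embed_pref=dark; Secure; SameSite=None",
]

if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE).items():
        print(cookie, problems)
```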
The Real-World Stakes
This isn’t abstract security theater. Community broadcasters face concrete threats:
Ransomware: Municipal targets are increasingly attractive to attackers. A ransomed video archive of decades of city council meetings is leverage that works. CISA’s Stop Ransomware initiative highlights the persistent threats facing state and local government entities.
Reputational Damage: A single “Hacked by…” defacement of your homepage during an election or emergency erodes years of institutional trust. Your site is an official municipal voice; its compromise is a government failure.
Legal Exposure: ADA compliance failures already create litigation risk. Security failures that expose citizen data (newsletter signups, email lists, event registrations) compound that exposure.
Service Disruption: When your site goes down during a local emergency, flood, or wildfire, residents lose a critical information source. The 27.3% on unknown platforms are most vulnerable to unexpected downtime.
The Path to Technical Sovereignty
The encouraging reality: most security gaps are configuration issues, not infrastructure crises.
Quick Wins (Days, Not Months)
Fix Invalid SSL Certificates: The 8.8% with certificate errors can resolve them immediately. Modern hosting providers offer free certificates via Let’s Encrypt. This should be job one.
Add Security Headers: HSTS, CSP, and X-Frame-Options can be added via server configuration or plugins. WordPress security plugins can implement these in minutes. For the 40.7% on WordPress, this is low-hanging fruit.
Resolve Mixed Content: Audit your pages for HTTP resources loading on HTTPS pages. Update image URLs, script sources, and embedded content to HTTPS.
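For the mixed content problem described in gap 2 and the audit step above, this added example (not from the study's tooling) scans a page's HTML for subresources fetched over `http://`. The tag table, function name and sample page are constructed for illustration. It separates active content such as scripts, frames and stylesheets from passive content such as images and media, and ignores plain links, which are not mixed content.

```python
from html.parser import HTMLParser

# Tag -> (URL attribute, class). Active content can rewrite the page; passive cannot.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        a = {k: (v or "") for k, v in attrs}
        attr, kind = SUBRESOURCES[tag]
        # Only stylesheet links are treated as fetches; rel=canonical is a reference.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return
        url = a.get(attr, "").strip()
        if url.lower().startswith("http://"):
            line, _ = self.getpos()
            self.hits.append((line, tag, kind, url))

def find_mixed_content(html):
    """Return (line, tag, class, url) for each insecure subresource in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page, assumed to be served over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://station.example/meetings">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="https://cdn.example/player.js"></script>
</head><body>
<a href="http://city.example/agenda">Agenda</a>
<img src="http://station.example/logo.png">
<iframe src="//video.example/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_mixed_content(SAMPLE_PAGE):
        print(hit)
```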
Strategic Investments (Months)
Platform Migration for Legacy Systems: The 27.3% on unknown platforms face a harder path. But continuing on unsupported systems is not a viable long-term strategy. Modern platforms (WordPress, Squarespace, Drupal) offer security updates, community support, and plugin ecosystems. Legacy platforms also hurt search visibility; see The Invisible Town Square for how platform limitations affect discoverability.
Implement Analytics: The 53.4% without analytics should deploy Google Analytics or privacy-focused alternatives. Beyond security monitoring, analytics demonstrate community engagement to funders. See our Budget Defense Playbook for how analytics data supports funding justification.
The Security Audit Framework
Blue Astral recommends a quarterly security review covering:
- SSL Certificate Validity: Check expiration dates, ensure auto-renewal is configured
- Security Header Scan: Use securityheaders.com to grade your implementation
- Mixed Content Check: Browser developer tools flag mixed content on page load
- Platform Updates: Ensure CMS, plugins, and themes are current
- Backup Verification: Confirm backups exist, are recent, and can be restored
The Trust Equation
A PEG station’s technical infrastructure is civic infrastructure. Your security posture is as much a part of your mission as your programming schedule.
When residents see “Not Secure” warnings, they don’t think “IT problem.” They think “I can’t trust this.” And they leave.
The data is clear: while HTTPS adoption is universal, the security layers that protect against modern threats are universally absent. This is a solvable problem. The fixes are known. The tools exist. What’s needed is prioritization.
Is Your Station Secure?
Blue Astral offers a complimentary Security & Compliance Audit for PEG stations. We’ll analyze your SSL status, security headers, platform vulnerabilities, and compliance posture, giving you a prioritized roadmap for hardening your station.
Sources
Primary Research: Blue Astral 2025 PEG Digital Readiness Study, a technical audit of 410 community broadcasters.
Security Statistics from Blue Astral Audit:
- HTTPS enabled: 100% (410/410 stations)
- Valid SSL certificates: 91.2% (374 stations)
- Invalid SSL certificates: 8.8% (36 stations)
- HSTS implementation: 0%
- CSP implementation: 0%
- X-Frame-Options implementation: 0%
- Mixed content issues: 25.4% (104 stations)
- Legacy/Unknown platforms: 27.3% (112 stations)
- Analytics tools installed: 46.6% (191 stations), meaning 53.4% lack analytics