Canva (canva.com) security grade: F
Design platform
2/7 public security signals pass. Measured 2026-06-20. HTTP headers, DMARC, DNSSEC only.
Need your own domain's full 66-check report?
This page shows 7 public signals for canva.com. The €39 audit pack runs 66 checks and produces the PDF your auditor or enterprise buyer accepts. One-time, no account.
| Check | NIS2 control | Result |
|---|---|---|
| HSTS (Strict-Transport-Security) | NIS2 Art. 21(2)(h) | FAIL |
| X-Content-Type-Options | NIS2 Art. 21(2)(h) | FAIL |
| X-Frame-Options | NIS2 Art. 21(2)(h) | FAIL |
| Content-Security-Policy | NIS2 Art. 21(2)(h) | FAIL |
| Referrer-Policy | NIS2 Art. 21(2)(h) | FAIL |
| DMARC policy (reject) | NIS2 Art. 21(2)(b) | PASS |
| DNSSEC | NIS2 Art. 21(2)(h) | PASS |
About this snapshot
This page shows 7 publicly-observable external signals for canva.com: HTTP security headers returned on a public GET request, DMARC DNS TXT policy, and DNSSEC DS record. It is a thin public snapshot, not a penetration test or a full NIS2 compliance assessment. Run the full 60-check SaaSFort scan on your own domain to get the complete picture.
Get the full 66-check report for your domain
66 checks across NIS2 Article 21, ISO 27001 Annex A and BSI controls. A-F grade. Dated PDF your auditor accepts. €39 one-time, no subscription, no account.
Embed the security grade badge
Show canva.com's public grade on your own site. The badge image updates automatically when the grade changes. No account, no JavaScript.
Live preview. Served from /api/badge/canva.com
```html
<a href="https://saasfort.com/grade/canva.com" rel="noopener">
  <img src="https://saasfort.com/api/badge/canva.com"
       alt="canva.com security grade"
       width="120" height="36">
</a>
```
Frequently asked questions
- What is canva.com's NIS2 security grade?
  - Based on 7 publicly-observable checks (HTTP security headers, DMARC, DNSSEC), canva.com scores 2/7, grade F on SaaSFort's public signal scale. This is a snapshot of public signals measured on 2026-06-20, not a full pentest.
- Does canva.com pass NIS2 Article 21 external security checks?
  - canva.com passes 2 of 7 checked public security signals. 5 checks fail: HSTS (Strict-Transport-Security), X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Referrer-Policy. NIS2 Article 21 requires essential and important entities to implement appropriate technical and organisational measures including these controls.
- How can I check my own domain against the same criteria?
  - Run the free SaaSFort scan at saasfort.com/scan. It runs 60 checks (not just 7) against your domain in under 60 seconds and maps each finding to the NIS2 Article 21 control and ISO 27001 Annex A control it corresponds to. No account needed.
See all public grade snapshots in the public grade index, or explore security scan use cases for your own domain.