The Experiment
We wanted to answer a simple question: how secure are typical small business websites?
Not Fortune 500 companies with dedicated security teams. Not tech startups with DevSecOps pipelines. Regular businesses — law firms, accounting practices, healthcare clinics, manufacturing companies, restaurants, and local service providers.
We ran our automated security scanner against 50 small business websites across a range of industries. The scanner checks three categories: SSL/TLS certificate health, HTTP security headers, and DNS email authentication (SPF, DMARC, DKIM).
These aren't exotic attack vectors. They're the fundamentals — the equivalent of checking whether the front door is locked, the alarm is set, and the security cameras are recording.
Here's what we found.
The Headlines
- 78% were missing at least one critical security header
- 62% had no Content-Security-Policy — leaving the browser with no policy to block injected scripts in a cross-site scripting attack
- 54% were missing HSTS — allowing potential downgrade attacks from HTTPS to HTTP
- 44% had no DMARC record — meaning anyone could send email impersonating their domain
- 36% had no SPF record or used a permissive soft-fail policy
- 28% exposed server version information through response headers
- 8% had SSL certificates expiring within 30 days with no apparent renewal automation
The average site was missing 4 out of 7 recommended security headers.
What These Findings Mean
Let's translate these from technical jargon to business risk:
Missing Content-Security-Policy (62% of sites)
CSP tells the browser which scripts are allowed to execute on your page. Without it, an attacker who finds any injection point — a vulnerable plugin, an outdated form handler, a compromised third-party script — can execute arbitrary JavaScript in your visitors' browsers.
That JavaScript can steal session cookies, redirect users to phishing pages, inject cryptocurrency miners, or capture form inputs including passwords and credit card numbers.
Risk level: Medium to High, depending on what your website does. If you have login forms, payment processing, or collect any user data, this is a real exposure.
Fix time: 30-60 minutes to implement a basic policy. Start with Content-Security-Policy: default-src 'self'; script-src 'self' and expand as needed.
Missing Strict-Transport-Security (54% of sites)
HSTS tells browsers to always use HTTPS when connecting to your site. Without it, an attacker on the same network (coffee shop WiFi, hotel network, compromised router) can intercept the initial HTTP request before the redirect to HTTPS and perform a man-in-the-middle attack.
Risk level: Medium. Particularly concerning for sites with login pages or sites accessed from public networks.
Fix time: 5 minutes. Add Strict-Transport-Security: max-age=31536000; includeSubDomains to your server configuration.
Missing DMARC (44% of sites)
Without DMARC, there's no policy telling email servers what to do when someone sends email pretending to be your domain. An attacker can send emails that appear to come from billing@yourcompany.com or ceo@yourcompany.com — and there's nothing in the email infrastructure to stop it.
This is how business email compromise works. An attacker sends an invoice from what looks like your company's email address. Your client pays it. The money goes to the attacker.
Risk level: High. Business email compromise is a multi-billion dollar problem annually, and missing DMARC is the open door.
Fix time: 15 minutes to add a basic DMARC record. Start with v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com to monitor, then move to p=reject once you've confirmed legitimate email sources are covered.
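To make the distinctions above concrete (no record, monitoring-only, partial enforcement, full enforcement, and SPF's soft-fail versus hard-fail), here is an added example that classifies SPF and DMARC TXT records the way a receiving mail server's first look at them would. It is not the scanner described in this post; it takes the record text as a string (as a DNS TXT lookup would return it), and every record and domain in it is constructed.

```python
"""Classify SPF and DMARC TXT records by how much they actually restrict spoofing.

Added example, not the post's scanner. Records are passed in as strings (as they
come back from a DNS TXT lookup); the sample records below are constructed and
use the reserved example.com domain.
"""
from typing import Optional, Tuple

# Constructed sample records (not real DNS data)
SAMPLE_SPF_SOFT = "v=spf1 include:_spf.example.com ~all"
SAMPLE_SPF_HARD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com -all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def assess_spf(record: Optional[str]) -> Tuple[str, str]:
    """Return (status, explanation) for an SPF record, judged by its 'all' qualifier."""
    if record is None:
        return ("missing", "no SPF record: receivers cannot tell which servers may send for this domain")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("invalid", "record does not start with v=spf1")
    # The 'all' mechanism decides the result for any sender not matched earlier.
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ("no-all", "no 'all' mechanism: unlisted senders receive a neutral result")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "-": ("hard-fail", "-all: unlisted senders fail SPF"),
        "~": ("soft-fail", "~all: unlisted senders only soft-fail; most receivers still deliver"),
        "?": ("neutral", "?all: record asserts nothing about unlisted senders"),
        "+": ("pass-all", "+all: every sender passes, so the record restricts nothing"),
    }[qualifier]


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip():
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[str, str]:
    """Return (status, explanation) for a DMARC record based on p= and pct=."""
    if record is None:
        return ("missing", "no DMARC record: receivers have no policy for mail that fails alignment")
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("invalid", "record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        note = "p=none: receivers deliver failing mail and only report it"
        if "rua" not in tags:
            note += "; no rua= address, so even the reports go nowhere"
        return ("monitor-only", note)
    if policy not in ("quarantine", "reject"):
        return ("invalid", f"unknown or missing p= value {policy!r}")
    if pct < 100:
        return ("partial", f"p={policy} applied to only {pct}% of failing mail")
    action = "rejected" if policy == "reject" else "quarantined"
    return ("enforcing", f"p={policy}: failing mail is {action}")


if __name__ == "__main__":
    for rec in (SAMPLE_SPF_SOFT, SAMPLE_SPF_HARD, None):
        print("SPF  ", rec, "->", assess_spf(rec))
    for rec in (SAMPLE_DMARC_MONITOR, SAMPLE_DMARC_ENFORCE, None):
        print("DMARC", rec, "->", assess_dmarc(rec))
```

The soft-fail classification is why the post counts `~all` alongside a missing record: receivers treat a soft-fail as a hint rather than a verdict, so on its own it does little to stop impersonation. The `monitor-only` status is the intended first step the post describes; the record is worth publishing at that stage only if `rua=` points somewhere that is actually read.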
Server Information Disclosure (28% of sites)
Headers like Server: Apache/2.4.41 or X-Powered-By: PHP/7.4 tell attackers exactly what software you're running. Combined with public vulnerability databases, this makes targeted attacks trivial.
Risk level: Low individually, but it reduces the effort required for a targeted attack.
Fix time: 5 minutes. ServerTokens Prod in Apache, server_tokens off in Nginx, or app.disable('x-powered-by') in Express.
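The three header findings above (Content-Security-Policy, Strict-Transport-Security, and server version disclosure), together with the remaining recommended headers named later in this post, reduce to a handful of checks on one response's headers. What follows is an added example that applies those checks to a captured header set; it is not the scanner this post describes. The two sample responses are constructed, and the header names are the ones this post mentions (the post counts seven recommended headers but names six, so the count below covers those six).

```python
"""Audit one HTTP response's headers for the gaps this post reports.

Added example, not the post's scanner. Takes headers as a plain dict (for
instance requests.Response.headers); the two sample header sets are constructed.
"""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds: the HSTS max-age the post recommends
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version such as 2.4.41 or 7.4

# Recommended headers named in this post, beyond CSP and HSTS
OTHER_RECOMMENDED = ("X-Content-Type-Options", "X-Frame-Options",
                     "Referrer-Policy", "Permissions-Policy")

# Constructed sample: a self-hosted site with the typical gaps
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=3600",
}

# Constructed sample: the same site after the fixes in this post
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache",  # ServerTokens Prod leaves the product name only
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def parse_directives(value: str) -> Dict[str, str]:
    """Split a ';'-separated name=value header (HSTS) into lower-cased name -> value."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip():
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # 1. Content-Security-Policy: without it, injected scripts run unrestricted.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # CSP directives are 'name value...' separated by ';'
        names = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
        if not names & {"default-src", "script-src"}:
            findings.append("Content-Security-Policy restricts neither default-src nor script-src")

    # 2. HSTS: present, at least a year long, and covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # 3. Remaining recommended headers: presence check only.
    for name in OTHER_RECOMMENDED:
        if name.lower() not in h:
            findings.append(f"missing {name}")

    # 4. Version disclosure: a Server header carrying a version, or any X-Powered-By.
    server = h.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses version: {server}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By header present: {h['x-powered-by']}")

    return findings


def missing_recommended(headers: Dict[str, str]) -> int:
    """Count how many of the six recommended headers named in this post are absent."""
    present = {k.lower() for k in headers}
    names = ("Content-Security-Policy", "Strict-Transport-Security") + OTHER_RECOMMENDED
    return sum(1 for n in names if n.lower() not in present)


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {missing_recommended(sample)} recommended headers missing")
        for finding in audit_headers(sample):
            print("  -", finding)
```

Two details matter in practice. Header names are case-insensitive, so the audit lower-cases them before comparing; a check that looks for the exact string `Strict-Transport-Security` will miss a server that emits `strict-transport-security`. And presence alone is not enough for HSTS: a short `max-age` (the weak sample uses one hour) protects returning visitors for only that long, which is why the check reads the directive rather than just confirming the header exists.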
The Bright Spots
It wasn't all bad. Some encouraging findings:
- 92% had valid SSL certificates — the push toward universal HTTPS has worked
- 88% successfully redirected HTTP to HTTPS — though without HSTS, this redirect can be intercepted
- Most sites using modern hosting platforms (Squarespace, Wix, Shopify) had better security headers than self-hosted sites — platform defaults matter
The takeaway: if you're on a managed platform, you're probably in better shape than you think. If you're self-hosting or using a traditional web host, you almost certainly have gaps.
Industry Breakdown
Some industries consistently performed better than others:
Best performers: Tech companies and SaaS businesses (unsurprisingly), followed by financial services. These industries tend to have technical leadership that prioritizes security.
Worst performers: Legal firms, healthcare practices, and local service businesses. Not because they don't care — but because security configuration isn't something their web developer or marketing agency typically handles.
This is the gap. The businesses with the most sensitive client data often have the weakest web security posture.
Why This Matters for Your Business
These findings aren't theoretical vulnerabilities. They're practical exposures that affect real business outcomes:
- Cyber insurance applications now ask about security headers and email authentication. Missing them can increase premiums or result in denied coverage.
- Enterprise clients run vendor security assessments. Missing basic security controls can disqualify you from B2B relationships.
- Browser warnings for sites with certificate issues drive away customers. Chrome doesn't give second chances.
- Email deliverability suffers without SPF and DMARC. Your marketing emails may be landing in spam folders without you knowing.
What To Do
The good news is that every finding in this study can be fixed in less than a day. Most take less than an hour. Here's the priority order:
- Add DMARC and SPF records — protect your domain from email impersonation
- Add HSTS — ensure every connection uses HTTPS
- Add Content-Security-Policy — prevent script injection attacks
- Remove server version headers — stop advertising your software stack
- Add remaining security headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
Scan Your Own Site
Want to know how your website measures up? We run the same checks as part of our security assessments. Schedule a free consultation and we'll walk you through your results — no obligation, no sales pitch. Just a clear picture of where you stand.