PACAVITA
Local Business Tips · 12 April 2026 · 7 min

Your Small Business Website Is Probably Leaking Data

Run your business website through securityheaders.com. Most score an F. That means your site is missing the HTTP headers that tell browsers to activate their built-in defences.

Pacavita · Saltaire, West Yorkshire

Run your business website through securityheaders.com right now. It takes three seconds. Most small business sites in Saltaire, Shipley and Bradford score an F.

That F means your site is missing the HTTP security headers that tell browsers to activate their built-in defences. No Content Security Policy. No HSTS. No X-Frame-Options. The browser has tools to block clickjacking, cross-site scripting and data leaking — but they only work if the server tells them to. If your web designer didn't set the headers, those tools are turned off.

43% of cyber attacks target small businesses, and the average cost of a data breach for a UK small business is £8,170 according to the DCMS Cyber Security Breaches Survey 2024. For a café turning over £150,000, that is two months of net profit wiped out by something a five-line config file would have prevented.

What “leaking data” actually means

When we say your website is leaking data, we don't mean someone has broken in and stolen a database. We mean the site is passively giving away information it shouldn't be:

  • Referrer headers: When a visitor clicks a link on your site to go somewhere else, the browser sends the destination a Referer header saying which page they came from. Without Referrer-Policy set, that can include the full URL: query strings, internal page paths, and any session tokens carried in the URL.
  • Third-party tracking scripts: Google Analytics, Facebook Pixel, HotJar, Intercom, live chat widgets. Every one of these loads JavaScript from someone else's server onto your page, with full access to what your customers type and click. Most small business owners don't know these scripts are there.
  • Unencrypted form data: If your contact form doesn't use HTTPS properly — or worse, sends data via email in plain text — anyone on the same Wi-Fi network can read it.
  • Browser permissions left open: Without a Permissions-Policy header, the browser assumes your site might want access to the camera, microphone and geolocation. That is attack surface you don't need.

The WordPress problem

This is not a WordPress-bashing exercise. WordPress powers 40% of the internet and it does that job well for many use cases. But for a small local business, the risk-reward calculation is lopsided.

The average WordPress site has 20 to 30 plugins installed. Each plugin is maintained by a different developer, updated on a different schedule, and has its own set of vulnerabilities. When a plugin stops getting updates — and most do within two years — the vulnerability stays open. A brute-force script hits /wp-admin on every WordPress site on the internet, automatically, every single day. It costs the attacker nothing to try.

A salon in Saltaire does not need a content management system that powers enterprise news sites. It needs four pages, a gallery, a contact form and a booking link. A static site with no login page, no database, and no plugins has an attack surface close to zero.

What security headers should your site have?

Six headers, all free, all set once in a server config and never touched again:

  1. Strict-Transport-Security (HSTS): Forces HTTPS. Tells the browser to never load the site over plain HTTP, even if someone types http:// manually. Prevents downgrade attacks.
  2. Content-Security-Policy (CSP): Controls which scripts, styles and resources the browser is allowed to load. Blocks injected malicious scripts from running on your page.
  3. X-Frame-Options: Prevents your site from being embedded in an iframe on someone else's site. Blocks clickjacking attacks where a fake page sits on top of your real page.
  4. X-Content-Type-Options: Stops the browser from guessing file types. Prevents an attacker from disguising a malicious script as an image.
  5. Referrer-Policy: Controls how much information your site sends to other sites when a visitor clicks an outbound link. Set to strict-origin-when-cross-origin at minimum.
  6. Permissions-Policy: Disables browser features your site doesn't use — camera, microphone, geolocation. Reduces the attack surface to only what you need.

How to check your own site in 30 seconds

  1. Go to securityheaders.com.
  2. Type in your website address.
  3. Press scan.
  4. You will get a grade from A+ to F.
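To make concrete what a scanner like securityheaders.com is looking for, here is an added example (not Pacavita's code and not the scanner's own algorithm) that applies the six-header list above to a constructed set of response headers, offline. The one-year HSTS max-age floor and the letter-grade scale are assumptions; the Referrer-Policy minimum is the article's.

```python
# Added example, not Pacavita's code: checks the six headers the article lists over constructed
# responses. The Referrer-Policy minimum is the article's; the one-year HSTS max-age floor and
# the letter grades are assumptions, simpler than what securityheaders.com actually does.
REQUIRED = ["strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy"]
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # assumed HSTS max-age floor, in seconds

def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent."""
    for directive in value.split(";"):
        name, _, num = directive.strip().lower().partition("=")
        if name == "max-age" and num.isdigit():
            return int(num)
    return 0

def csp_script_src_is_loose(value):
    """True if script-src (or its default-src fallback) allows inline, eval or any host."""
    directives = {}
    for d in value.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return any(s in ("'unsafe-inline'", "'unsafe-eval'", "*") for s in sources)

# Present but too permissive to count; Permissions-Policy is credited just for being set
WEAK_IF = {
    "strict-transport-security": lambda v: hsts_max_age(v) < ONE_YEAR,
    "content-security-policy": csp_script_src_is_loose,
    "x-frame-options": lambda v: v.upper() not in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() != "nosniff",
    "referrer-policy": lambda v: v.lower() not in STRICT_REFERRER,  # article's minimum
}
def check_headers(headers):
    """Return (missing, weak) header-name lists for a response's headers (case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [n for n in REQUIRED if n not in h]
    weak = [n for n, too_loose in WEAK_IF.items() if n in h and too_loose(h[n])]
    return missing, weak
def grade(headers):
    """Simplified letter grade: one letter dropped per missing or weak header, F at five or more."""
    return "ABCDEF"[min(sum(len(x) for x in check_headers(headers)), 5)]

# Constructed sample responses: a typical untouched site and one with all six headers set
DEFAULT_SITE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED_SITE = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                 "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
                 "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
                 "Referrer-Policy": "strict-origin-when-cross-origin",
                 "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
```

Run `grade(DEFAULT_SITE)` and `grade(HARDENED_SITE)` to see the F-versus-A gap the article describes; swap in your own site's headers (for example from `curl -sI`) to check it the same way.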

If you score anything below a B, your site is missing defences that should be standard. Every Pacavita site scores A or A+ on this test. Not because we paid for a premium feature — because we set six headers in the server config. It takes less time than making a coffee.

What about payments?

If your site takes money — deposits, gift vouchers, full checkout — the payment setup matters more than any other part of the security picture.

Every Pacavita site uses Stripe Elements with PCI SAQ-A scope. What that means in plain English: the customer types their card number into a Stripe-hosted input field embedded on your page. The card number goes directly from the customer's browser to Stripe. It never touches your server. It never touches our server. There is no database storing card numbers. That is the smallest possible scope for PCI DSS compliance.

If your web designer set up payments by giving you a PayPal button or a bare Stripe link, the security is probably fine — but check how the card data flows. If it passes through your server at any point, you have a PCI compliance problem that could cost you your ability to process payments.

What to do right now

  1. Scan your site at securityheaders.com. If you score below B, you have work to do.
  2. Ask your web designer: “What security headers are set on my site?” If they don't know what that means, that tells you everything.
  3. Check how many WordPress plugins are installed. If it's above 10, ask which ones are still being maintained.
  4. Check when your last backup was tested — not when it was taken, when someone verified it actually restores.
  5. If your site takes payments, ask: “Where does the card number go?” If the answer isn't “directly to Stripe or the payment processor, never to our server”, you have a problem.

If any of this concerns you, we can run a free quick check on your existing site and tell you exactly what's wrong. No pitch, no obligation. WhatsApp or email and we'll scan it while you wait. See our full security approach or get in touch.

