Key Findings
- HTTPS is universal (100%), but security headers are not. The average law firm website implements fewer than 3 of the 7 recommended security headers.
- 43.9% of sites score just 1 out of 7 -- meaning they have HTTPS and essentially nothing else protecting visitors from client-side attacks.
- Only 5 sites (1.7%) achieve a perfect 7/7. The vast majority of law firms leave basic browser-level protections unconfigured.
- The distribution is bimodal: 43.9% cluster at score 1 while 20.5% cluster at score 6. Firms either invest in security headers or they ignore them entirely.
- Content-Security-Policy (20.5%) and Permissions-Policy (20.1%) are the least adopted headers, despite being two of the most impactful for preventing cross-site scripting and tracking abuse.
About This Research
HTTPS has become the baseline of web security. Browsers flag non-HTTPS sites as "Not Secure," SSL certificates are free through Let's Encrypt, and most hosting platforms enable HTTPS by default. The industry has, rightly, moved past this debate.
But HTTPS only encrypts data in transit. It does nothing to prevent cross-site scripting, clickjacking, MIME-type confusion, or unauthorized iframe embedding -- all attacks that happen after the page loads in the browser. Security headers are the second layer of defense. They are server-side instructions that tell browsers how to handle the site's content, and they cost nothing to implement.
For law firms, this matters more than it does for most businesses. Law firm websites collect sensitive client information through contact forms, intake questionnaires, and consultation booking tools. A site without proper security headers is leaving its visitors exposed to attacks that a few lines of server configuration could prevent. Beyond the technical risk, security posture signals competence. Clients evaluating a firm expect the same attention to detail online that they expect in the courtroom.
We wanted to measure the gap between HTTPS adoption (which we expected to be universal) and security header adoption (which we expected to be poor). The data confirmed both hypotheses -- and the gap is wider than we anticipated.
Methodology
We collected HTTP response headers from 303 law firm websites across multiple practice areas and geographic markets in the United States. For each site, we sent an HTTP GET request and recorded the full set of response headers returned by the server.
We scored each site on 7 security headers recommended by OWASP and major browser vendors:
- HTTPS -- Is the site served over a secure TLS connection?
- Strict-Transport-Security (HSTS) -- Does the server force all future connections to use HTTPS?
- Content-Security-Policy (CSP) -- Does the server restrict which scripts, styles, and resources the browser can load?
- X-Frame-Options -- Does the server prevent the site from being embedded in iframes on other domains?
- X-Content-Type-Options -- Does the server prevent MIME-type sniffing attacks?
- Permissions-Policy -- Does the server restrict access to browser features like camera, microphone, and geolocation?
- Referrer-Policy -- Does the server control what information is sent in the Referer header when visitors click links?
Each header present earned 1 point, yielding a score from 0 to 7. We also recorded the legacy X-XSS-Protection header separately (deprecated by modern browsers but still sent by some servers). All data was collected on March 2, 2026.
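An added example, not code from the study: the scoring described above implemented in Python, with the HSTS, X-Frame-Options and CSP value checks that later sections and the Limitations discuss layered on top of the binary score. The sample headers are constructed and the helper names are my own.

```python
# Header names are case-insensitive (RFC 9110), so everything is compared in lower case.
SCORED_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options",
                  "x-content-type-options", "permissions-policy", "referrer-policy")
PRELOAD_MIN_AGE = 31_536_000  # one year: the max-age the study cites as the preload minimum

def hsts_details(value: str) -> dict:
    """Split an HSTS value into directives and pull out max-age and includeSubDomains."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            digits = d.split("=", 1)[1].strip('"')
            max_age = int(digits) if digits.isdigit() else 0  # malformed value = no protection
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "preload_eligible_age": max_age >= PRELOAD_MIN_AGE}

def csp_is_wildcard(value: str) -> bool:
    """True when default-src is exactly '*', the permissive CSP the binary score cannot tell apart."""
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "default-src":
            return parts[1:] == ["*"]
    return False

def score_site(headers: dict, https: bool) -> dict:
    """Study scoring: 1 point for HTTPS plus 1 per scored header present, giving 0-7."""
    h = {k.lower(): v for k, v in headers.items()}
    present = [name for name in SCORED_HEADERS if name in h]
    result = {"score": int(https) + len(present), "present": present,
              "x_xss_protection_legacy": "x-xss-protection" in h}  # recorded, not scored
    if "strict-transport-security" in h:
        result["hsts"] = hsts_details(h["strict-transport-security"])
    if "x-frame-options" in h:
        result["x_frame_options"] = h["x-frame-options"].strip().upper()
    if "content-security-policy" in h:
        result["csp_wildcard"] = csp_is_wildcard(h["content-security-policy"])
    return result

# Constructed sample response headers (not data from the study): a score-6 site missing
# Permissions-Policy, whose CSP is the permissive kind the Limitations section describes.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src *", "X-XSS-Protection": "0",
}
```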
The Numbers at a Glance
HTTPS Adoption
All 303 sites in our sample serve their pages over HTTPS. This is the one area where the legal industry has reached full compliance. Browser warnings, free certificate authorities like Let's Encrypt, and managed hosting platforms that bundle SSL by default have collectively eliminated HTTP-only law firm websites from the top of search results.
This is genuinely good news. Five years ago, HTTPS adoption among small business websites hovered around 70%. The combination of browser enforcement and search engine ranking signals has driven adoption to 100% across our entire sample. The encryption problem is solved.
The security header problem, however, is not.
Security Header Adoption
Beyond HTTPS, adoption drops sharply. No individual security header reaches even 40% adoption across the 303 sites.
| Header | Sites | Adoption | What It Does |
|---|---|---|---|
| Strict-Transport-Security | 119 | 39.3% | Forces HTTPS on all future visits; prevents SSL stripping attacks |
| X-Content-Type-Options | 119 | 39.3% | Prevents browsers from guessing file types, blocking MIME confusion attacks |
| X-Frame-Options | 103 | 34.0% | Blocks other sites from embedding your pages in iframes (clickjacking defense) |
| Referrer-Policy | 90 | 29.7% | Controls what URL data is shared when visitors click outbound links |
| Content-Security-Policy | 62 | 20.5% | Restricts which scripts, styles, and resources the browser will load |
| Permissions-Policy | 61 | 20.1% | Limits access to device features like camera, microphone, and geolocation |
| X-XSS-Protection (legacy) | 36 | 11.9% | Deprecated browser XSS filter; replaced by CSP in modern browsers |
The two most impactful headers -- Content-Security-Policy and Permissions-Policy -- are also the least adopted. CSP is the single most effective defense against cross-site scripting (XSS), the most common web vulnerability. Yet only 1 in 5 law firm websites uses it.
HSTS and X-Content-Type-Options tie for the highest adoption at 39.3%, but even these are present on fewer than 2 in 5 sites. The simplest header to implement, X-Content-Type-Options (a single line: nosniff), is still missing from 60.7% of law firm websites.
Security Score Distribution
The score distribution reveals a stark pattern. Sites do not spread evenly across the 0-to-7 range. Instead, they cluster at the extremes.
| Score | Sites | Percentage |
|---|---|---|
| 0 | 0 | 0% |
| 1 | 133 | 43.9% |
| 2 | 41 | 13.5% |
| 3 | 32 | 10.6% |
| 4 | 11 | 3.6% |
| 5 | 19 | 6.3% |
| 6 | 62 | 20.5% |
| 7 | 5 | 1.7% |
Zero sites scored 0 (because every site has HTTPS). But 133 sites -- 43.9% of the sample -- scored exactly 1. These are sites where HTTPS is the only security measure in place. No HSTS, no CSP, no frame protection, no content-type enforcement. The browser gets a secure connection and then zero guidance on how to handle the content.
The Bimodal Pattern
The most striking finding in this data is not the average score. It is the shape of the distribution. Law firm websites do not gradually improve from 1 to 7. They split into two distinct groups.
Group 1: The HTTPS-only majority (43.9% at score 1). These sites have HTTPS because their hosting provider or CMS configured it automatically. No one has touched the server configuration beyond that. The firm likely does not know security headers exist.
Group 2: The security-conscious minority (20.5% at score 6). These sites have nearly every header in place. The jump from the 3.6% at score 4 to the 20.5% at score 6 is remarkable. It suggests that once a firm (or its developer) decides to implement security headers, they tend to implement most of them at once rather than adding them one at a time.
The middle of the distribution is thin. Only 3.6% of sites score exactly 4. This is not a gradual improvement curve. It is a binary: either security headers are part of the site's configuration or they are not.
This bimodal pattern has practical implications. If your firm scores 1, the path forward is not to add one header at a time. The right approach is to configure all six missing headers in a single deployment. Our data shows that the firms who invest in security headers tend to implement them comprehensively.
X-Frame-Options Configuration
Among the 103 sites that set X-Frame-Options, 102 use SAMEORIGIN (allowing the site to frame itself but no one else) and 1 uses DENY (blocking all framing). SAMEORIGIN is the correct choice for most law firms, since it allows internal embedding (like preview tools) while blocking external clickjacking attempts.
Referrer-Policy Values
Among the 90 sites with a Referrer-Policy header, the most common values are:
- same-origin (43 sites) -- Sends referrer data only to same-domain requests. The most privacy-protective common option.
- no-referrer-when-downgrade (36 sites) -- Sends full referrer data on HTTPS-to-HTTPS navigations but strips it on HTTPS-to-HTTP. This is the browser default behavior.
- strict-origin-when-cross-origin (9 sites) -- Sends only the origin (not the full path) to cross-origin requests. The best balance of privacy and analytics compatibility.
HSTS Configuration
Of the 119 sites with HSTS enabled, only 52 (17.2% of all sites) include the includeSubDomains directive. Without it, subdomains remain vulnerable to SSL stripping. The median max-age value is 31,536,000 seconds (one year), which is the recommended minimum for HSTS preload eligibility.
Limitations
- Response headers only: We measured server-sent HTTP headers. Some headers can also be set via HTML meta tags (notably CSP and Referrer-Policy), which our scan would not detect.
- Point-in-time snapshot: All data was collected on March 2, 2026. Server configurations change, and CDN or hosting platform updates could shift these numbers.
- Binary scoring: We scored headers as present or absent. We did not evaluate the quality or strictness of each header's value (e.g., a permissive CSP like `default-src *` scores the same as a strict one).
- CDN influence: Many law firm websites sit behind CDNs (Cloudflare, AWS CloudFront, Sucuri) that may add or strip headers. Our data reflects what the end user's browser actually receives, regardless of origin.
- Sample composition: Our 303 sites come from Google search results for law-firm-related queries. Firms visible in search may have different hosting practices than firms that rank poorly.