For law firms, this matters more than it does for most businesses. Law firm websites collect sensitive client information through contact forms, intake questionnaires, and consultation booking tools. A site without proper security headers leaves its visitors exposed to attacks that a few lines of server configuration would prevent. Beyond the technical risk, security posture signals competence. Clients evaluating a firm expect the same attention to detail online that they expect in the courtroom. The data confirmed both of our hypotheses, and the gap is wider than we anticipated.

Methodology

We collected HTTP response headers from 303 law firm websites across multiple practice areas and geographic markets in the United States. For each site we sent an HTTP GET request and recorded the full set of response headers returned by the server.

We scored each site on 7 security headers recommended by OWASP and major browser vendors.

  1. HTTPS is the site served over a secure TLS connection?
  2. Strict-Transport-Security (HSTS) does the server force all future connections to use HTTPS?
  3. Content-Security-Policy (CSP) does the server restrict which scripts, styles, and resources the browser can load?
  4. X-Frame-Options does the server prevent the site from being embedded in iframes on other domains?
  5. X-Content-Type-Options does the server prevent MIME-type sniffing attacks?
  6. Permissions-Policy does the server restrict access to browser features like camera, microphone, and geolocation?
  7. Referrer-Policy does the server control what information is sent in the Referer header when visitors click links?

Each header present earned 1 point, yielding a score from 0 to 7. We also recorded the legacy X-XSS-Protection header separately (deprecated by modern browsers but still sent by some servers). All data was collected in a single point-in-time crawl.

The numbers at a glance

Headline figures across 303 sites
MetricValue
HTTPS adoption100%
Average score (of 7)2.8
Perfect 7 of 7 score1.7%
Score just 1 of 743.9%

HTTPS adoption

All 303 sites in our sample serve their pages over HTTPS. This is the one area where the legal industry has reached full compliance. Browser warnings, free certificate authorities like Let's Encrypt, and managed hosting platforms that bundle SSL by default have collectively eliminated HTTP-only law firm websites from the top of search results.

This is genuinely good news. Five years ago, HTTPS adoption among small business websites hovered around 70 percent. The combination of browser enforcement and search ranking signals has driven adoption to 100 percent across our entire sample. The encryption problem is solved.

The security header problem, however, is not.

Security header adoption

Beyond HTTPS, adoption drops sharply. No individual security header reaches even 40 percent adoption across the 303 sites.

Security header adoption and what each does
HeaderSitesAdoptionWhat it does
Strict-Transport-Security11939.3%Forces HTTPS on all future visits; prevents SSL stripping attacks
X-Content-Type-Options11939.3%Prevents browsers from guessing file types, blocking MIME confusion attacks
X-Frame-Options10334.0%Blocks other sites from embedding your pages in iframes (clickjacking defense)
Referrer-Policy9029.7%Controls what URL data is shared when visitors click outbound links
Content-Security-Policy6220.5%Restricts which scripts, styles, and resources the browser will load
Permissions-Policy6120.1%Limits access to device features like camera, microphone, and geolocation
X-XSS-Protection (legacy)3611.9%Deprecated browser XSS filter; replaced by CSP in modern browsers

The two most impactful headers, Content-Security-Policy and Permissions-Policy, are also the least adopted. CSP is the single most effective defense against cross-site scripting (XSS), the most common web vulnerability, yet only 1 in 5 law firm websites uses it.

HSTS and X-Content-Type-Options tie for the highest adoption at 39.3 percent, but even these are present on fewer than 2 in 5 sites. The simplest header to implement, X-Content-Type-Options (a single line, nosniff), is still missing from 60.7 percent of law firm websites.

Security score distribution

The score distribution reveals a stark pattern. Sites do not spread evenly across the 0 to 7 range. Instead, they cluster at the extremes.

Sites by security header score
ScoreSitesPercentage
000%
113343.9%
24113.5%
33210.6%
4113.6%
5196.3%
66220.5%
751.7%

Zero sites scored 0, because every site has HTTPS. But 133 sites, 43.9 percent of the sample, scored exactly 1. These are sites where HTTPS is the only security measure in place. No HSTS, no CSP, no frame protection, no content-type enforcement. The browser gets a secure connection and then zero guidance on how to handle the content.

The bimodal pattern

The most striking finding in this data is not the average score. It is the shape of the distribution. Law firm websites do not gradually improve from 1 to 7. They split into two distinct groups.

Group 1: the HTTPS-only majority (43.9 percent at score 1). These sites have HTTPS because their hosting provider or CMS configured it automatically. No one has touched the server configuration beyond that. The firm likely does not know security headers exist.

Group 2: the security-conscious minority (20.5 percent at score 6). These sites have nearly every header in place. The jump from the 3.6 percent at score 4 to the 20.5 percent at score 6 is remarkable. It suggests that once a firm or its developer decides to implement security headers, they tend to implement most of them at once rather than adding them one at a time.

The middle of the distribution is thin. Only 3.6 percent of sites score exactly 4. This is not a gradual improvement curve. It is a binary: either security headers are part of the site's configuration or they are not.

This bimodal pattern has practical implications. If your firm scores 1, the path forward is not to add one header at a time. The right approach is to configure all six missing headers in a single deployment. Our data shows that the firms who invest in security headers tend to implement them comprehensively.

X-Frame-Options configuration

Among the 103 sites that set X-Frame-Options, 102 use SAMEORIGIN (allowing the site to frame itself but no one else) and 1 uses DENY (blocking all framing). SAMEORIGIN is the correct choice for most law firms, since it permits internal embedding (such as preview tools) while blocking external clickjacking attempts.

Referrer-Policy values

Among the 90 sites with a Referrer-Policy header, the most common values are:

  • same-origin (43 sites) sends referrer data only to same-domain requests. The most privacy-protective common option.
  • no-referrer-when-downgrade (36 sites) sends full referrer data on HTTPS-to-HTTPS navigations but strips it on HTTPS-to-HTTP. This is the browser default behavior.
  • strict-origin-when-cross-origin (9 sites) sends only the origin, not the full path, to cross-origin requests. The best balance of privacy and analytics compatibility.

HSTS configuration

Of the 119 sites with HSTS enabled, only 52 (17.2 percent of all sites) include the includeSubDomains directive. Without it, subdomains remain vulnerable to SSL stripping. The median max-age value is 31,536,000 seconds (one year), which is the recommended minimum for HSTS preload eligibility.

Limitations

  • Response headers only. We measured server-sent HTTP headers. Some headers can also be set via HTML meta tags (notably CSP and Referrer-Policy), which our scan would not detect.
  • Point-in-time snapshot. All data was collected in a single point-in-time crawl. Server configurations change, and CDN or hosting platform updates could shift these numbers.
  • Binary scoring. We scored headers as present or absent. We did not evaluate the quality or strictness of each header's value (a permissive CSP like default-src * scores the same as a strict one).
  • CDN influence. Many law firm websites sit behind CDNs (Cloudflare, AWS CloudFront, Sucuri) that may add or strip headers. Our data reflects what the end user's browser actually receives, regardless of origin.
  • Sample composition. Our 303 sites come from Google search results for law-firm-related queries. Firms visible in search may have different hosting practices than firms that rank poorly.

For our own clients, the architecture closes this gap by construction. A Nitrosite is a set of static files behind a managed edge, where the full set of recommended security headers ships by default rather than waiting on a server configuration no one remembers to touch. The data above is the reason; static-first, edge-deployed delivery is the response.