Your Website Is Talking to Attackers Behind Your Back

A deal was slipping away from a client of mine, and she could not understand why. A buyer had gone to her website to fill out the contact form, and the browser threw up a full-page warning: “Your connection is not private.” Red triangle, scary wording, a button you have to click to proceed anyway. The buyer did not proceed. He emailed her instead to ask if her company had been hacked. Nothing had been hacked. Her security certificate had simply expired the week before, and nobody noticed, because the people who run the business almost never look at their own site through a stranger’s eyes.

That is the thing I want to talk about. Your public website and your email domain are quietly broadcasting a surprising amount about how to attack you, and you cannot see it from the inside. An attacker can. So can a customer who gets spooked. The good news is that almost all of it is cheap to fix once you know it is there.

What anyone on the internet can already see

You do not need special access to learn a lot about a company’s web presence. Everything below is visible to any person, or any program, that simply visits your site or looks up your domain.

  • Your certificate, the thing that puts the padlock in the address bar and the “https” in front of your address. If it is missing, expired, or misconfigured, the browser warns every visitor in big letters that your site is not safe.
  • Your security headers, short instructions your site sends the browser about how to behave. Missing ones break nothing visibly, but they tell a knowledgeable attacker that nobody has been minding the store.
  • Anything you left exposed: an admin login sitting at a predictable address, a staging copy of the site you forgot to take down, a directory full of listed files.
  • Your DNS, the public phone book that maps your domain to servers. It can quietly reveal which services you use and where things live.
  • Version banners, where your web software announces its own name and exact version to anyone who asks. That is the same as taping a note to your front door listing the brand and model of your lock.

None of that is advanced. It is the digital equivalent of walking around a building and noting which windows are unlatched. People who do this for a living do not need to break in to start. You hand them the floor plan for free.

“We are too small for anyone to bother” is exactly backwards here

I hear this constantly, and the logic feels sound: you are a twelve-person company, so why would a hacker pick you? The answer is that no human is picking you. The scanning is automated and indiscriminate, programs crawling enormous ranges of the internet every hour, knocking on doors at random and recording which ones are unlatched. They are not looking for you. They are looking for any site with an expired certificate, a known-vulnerable version, or an admin page left open, then sorting the results by how easy the target is. Being small does not make you invisible. It usually just means fewer people are watching the doors, which moves you up the easy list, not down it. I wrote about that myth at length in We’re Too Small to Be a Target, and the web version is starker, because here a machine found you, ranked you, and queued you up while you slept.

Why a clean front door is a business decision, not a tech chore

It is tempting to file all of this under “ask the web guy,” but the consequences land squarely on the business. A “Not Secure” warning in a buyer’s browser kills trust at the exact moment you are trying to earn it, the way it did for my client. An expired certificate or a compromised site can take you offline during your busiest week. And a site that has clearly been left to drift is the same first impression as a storefront with a cracked window and last year’s flyer in the door. It tells a careful customer that you might run the rest of the operation the same way.

Flip it around and a clean public footprint becomes a quiet advantage. The padlock shows up, the forms work, the site loads fast, and you have made yourself a harder, less attractive target, so the automated scanners move along to someone slower. This is the same point I make in Compliance Is Not Security: the goal is not a checkbox, it is being genuinely harder to hit than the next option, and on the public web that bar is lower than you would hope.

What to actually do

  • Force HTTPS with a valid, auto-renewing certificate. Every visitor should land on the secure version of your site, and the certificate should renew itself automatically so it never quietly expires again. Most modern hosting offers this for free; the only real failure is forgetting to turn it on.
  • Add the basic security headers. Turn on HSTS, which tells browsers to only ever connect to you securely, and add a content security policy, which limits what is allowed to run on your pages and blocks a lot of common attacks. You do not have to hand-write these; a generator can build them for you in a few minutes.
  • Hide your version banners. Tell your web software to stop announcing its exact name and version. It is a small configuration change that removes a shopping list from the attacker’s view.
  • Lock down and rate-limit the admin login. Put your website’s admin page behind multi-factor authentication, limit how many login attempts are allowed before the door slams, and where you can, restrict it so it is not reachable from the open internet at all.
  • Tidy your DNS and take down the leftovers. Remove old records pointing at services you no longer use, delete that abandoned staging site, and make sure your domain is not advertising more than it needs to.
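The two lists above are mirror images: what a stranger can see (certificate, headers, version banners, whether plain HTTP is forced onto HTTPS) is exactly what the steps fix, and a short script can check most of it. What follows is an added example written for this post, not one of the free tools the author mentions; the names `Footprint`, `audit_footprint` and `collect_footprint` are my own, and the two sample responses at the bottom are constructed, not captured from a real site. It does not cover DNS leftovers or the admin-login lockdown, which need a look at your own records and hosting panel.

```python
"""Audit the public footprint a website exposes: certificate expiry, the
HTTP-to-HTTPS redirect, security headers and version banners.

Added example for this post, not a tool from the author's site. The names
Footprint, audit_footprint and collect_footprint are assumptions chosen here.
"""
from __future__ import annotations

import http.client
import re
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Footprint:
    """Everything the audit needs, gathered once so the checks stay offline."""
    headers: dict                      # response headers from the HTTPS site
    cert_not_after: Optional[datetime]  # None when the TLS handshake failed
    http_redirects_to_https: bool      # did plain HTTP send us to https://...?
    checked_at: datetime               # when the footprint was gathered


VERSION_RE = re.compile(r"\d+\.\d+")   # "nginx/1.18.0", "PHP/7.4.3", ...


def audit_footprint(fp: Footprint) -> list[str]:
    """Return plain-language findings; an empty list means the front door looks clean."""
    h = {k.lower(): v for k, v in fp.headers.items()}   # header names are case-insensitive
    findings = []
    # 1. Certificate: missing, expired, or close enough to expiry to check auto-renewal.
    if fp.cert_not_after is None:
        findings.append("TLS handshake failed: no valid certificate presented")
    else:
        days_left = (fp.cert_not_after - fp.checked_at).days
        if days_left < 0:
            findings.append(f"certificate expired {-days_left} days ago")
        elif days_left < 14:
            findings.append(f"certificate expires in {days_left} days; check auto-renewal")
    # 2. Force HTTPS: the plain-HTTP address should redirect, not serve content.
    if not fp.http_redirects_to_https:
        findings.append("plain HTTP does not redirect to HTTPS")
    # 3. The two headers the post recommends.
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (HSTS)")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    # 4. Version banners: a product name alone is fine, a version number is the shopping list.
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.search(h[name]):
            findings.append(f"{name} header announces a version: {h[name]!r}")
    return findings


def collect_footprint(host: str, timeout: float = 5.0) -> Footprint:
    """Gather the inputs live for a host you own (needs network access).
    Note: an expired or untrusted certificate fails verification here, so it
    is reported as a failed handshake rather than with its exact expiry date."""
    now = datetime.now(timezone.utc)
    cert_not_after = None
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                cert_not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    except OSError:          # ssl.SSLError is a subclass of OSError
        pass
    headers: dict = {}
    try:
        conn = http.client.HTTPSConnection(host, timeout=timeout)
        conn.request("GET", "/")
        headers = dict(conn.getresponse().getheaders())
        conn.close()
    except OSError:
        pass
    redirects = False
    try:
        conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location", "") or ""
        redirects = resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")
        conn.close()
    except OSError:
        pass
    return Footprint(headers, cert_not_after, redirects, now)


# Constructed sample footprints (not captured from any real site).
_WHEN = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_neglected() -> Footprint:
    """A site like the one in the opening story: expired cert, nothing else set up."""
    return Footprint(
        headers={"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                 "Content-Type": "text/html"},
        cert_not_after=_WHEN - timedelta(days=7),
        http_redirects_to_https=False,
        checked_at=_WHEN)


def sample_hardened() -> Footprint:
    """The same site after the steps in this post."""
    return Footprint(
        headers={"Server": "Apache",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "Content-Security-Policy": "default-src 'self'",
                 "Content-Type": "text/html"},
        cert_not_after=_WHEN + timedelta(days=60),
        http_redirects_to_https=True,
        checked_at=_WHEN)


if __name__ == "__main__":
    for label, fp in (("neglected", sample_neglected()), ("hardened", sample_hardened())):
        print(label, audit_footprint(fp) or ["no findings"])
```

Run it as-is to see the two constructed samples side by side; to look at your own site the way a stranger does, call `audit_footprint(collect_footprint("your-domain.example"))` from a machine with internet access. The live helper only reads what any visitor already receives: the handshake, the response headers, and the redirect.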

You can see what they see, for free, today

Here is the part that makes all of this manageable: the same scanning that attackers use is available to you, and you can point it at your own site before they do. You do not have to guess. You can pull up the exact report a stranger would see and fix the embarrassing parts on a quiet afternoon.

We built a set of free tools to do precisely this. Start with the web security scanner for a plain-language read on your site, check your certificate with the TLS checker, generate the headers I mentioned with the headers builder, and run the attack-surface scan to see what your business as a whole looks like from the outside. None of it requires installing anything, and none of it requires being technical. It just shows you your own front door from the sidewalk.

You do not need to become a web security expert to stop broadcasting an invitation. You need a valid padlock, a few sensible headers, a locked admin door, and the habit of glancing at your own site the way a stranger does. Most of it is an afternoon of work and zero dollars. Go look at your front door before someone else does.
