There is a comfortable assumption that small-business websites do not need serious security because nobody is targeting them. The assumption has it backwards. Most attacks on small sites are automated and indiscriminate: scanners sweep the whole internet probing for missing headers, open form endpoints, and soft APIs, and they do not check the victim's headcount first. Big companies have security teams watching. A small business has whatever its builder shipped.
So we ship contractor sites with the posture of an enterprise, because the marginal cost at build time is low and the cost of skipping it lands entirely on the client.
Headers with reasons attached
Every response from our builds carries a full security-header suite. On IMS, an industrial distributor site, that means a Content-Security-Policy written with a per-directive rationale in code comments, a two-year HSTS policy with preload, nosniff, X-Frame-Options set to DENY, a strict Referrer-Policy, a Permissions-Policy, and a Cross-Origin-Opener-Policy.
Each header closes a real class of attack. HSTS stops protocol-downgrade tricks by telling browsers to refuse plain HTTP for the next two years. Frame denial kills clickjacking overlays. Nosniff stops a browser from reinterpreting a file as executable script. The CSP is the big one: an explicit list of everything the page is allowed to load and run, so an injected script tag simply refuses to execute.
The comments matter as much as the directives. A CSP nobody understands gets loosened the first time it breaks something. A CSP where every directive explains itself gets maintained. The IMS policy even documents why its Permissions-Policy is shaped to avoid breaking the delegated permissions on embedded YouTube players.
Rollout is engineered too. On Creative Maintenance Solutions the CSP shipped in Report-Only mode first, with a documented promotion path to enforcing, so real traffic proved the policy before it was allowed to block anything. And the headers are applied statically, so the caching that makes these sites fast survives intact.
Small details get the same treatment. SVGs enter the image pipeline only inside a sandbox: served as attachments under an image-specific policy that forbids script execution, because an SVG is a document that can carry code, not just a picture.
APIs that assume hostility
On a static marketing site, the contact endpoint is the one true attack surface, so it gets the most armor. Across our builds the lead APIs share a standard kit:
- Per-IP rate limiting, typically 5 to 8 submissions per 10 minutes, with one site adding a global ceiling of 200 emails per hour as a flood backstop.
- Request body caps of 20 to 32 KB, enforced before JSON parsing so oversized payloads die cheap.
- Control-character stripping that kills CRLF header injection, plus HTML escaping of every field.
- Origin pinning, and generic error responses that never reveal which parts of the backend exist.
- Server-verified bot challenges where the traffic warrants them, and logs that never contain PII or secrets.
Then there is the honeypot, a favorite piece of quiet engineering. A hidden field that humans never see; bots fill it. When they do, the API accepts the submission and returns success while sending nothing. A bot that believes it succeeded moves on. A bot that gets an error keeps probing with variations. Faking success is the politest way to waste an attacker's time.
Failure is engineered to be safe as well. If the email key is missing or the mail service is down, the endpoint returns a friendly 503 and the form shows the phone number instead, so a misconfiguration can never silently swallow a lead. Fail closed, but never fail quiet. The lead pipeline is the revenue artery of a contractor's website, and the security around it has to stop attackers without ever costing the business a customer.
Posture you can show an auditor
On Creative Maintenance Solutions, security decisions carry SOC 2 control citations directly in the code comments: the body cap and input bounding cite CC6.1, the header suite cites CC6.6 and CC6.7, the logging discipline cites CC7.2. The repository ships a coordinated vulnerability-disclosure policy with a five-business-day acknowledgment commitment, and a change-management runbook that ties every deployment to a commit.
IMS went further: a security audit in which every finding was independently re-verified before it counted, 43 findings in total, zero critical and zero high, each mapped to a file and line with the fix visible in the code today. Alongside it sits a documentation pack most agencies never produce for anyone: security policy, incident response plan, risk register, operations runbook, and a vendor disclosure that doubles as the privacy sub-processor list.
Why bother, for a contractor?
Because the website is often the only piece of digital infrastructure a small business truly owns, and the business has no one on staff to notice when it goes wrong. A hijacked form endpoint relaying spam, a defaced page, a quietly poisoned search listing: each one costs a small company real money and real trust, and recovery is slow when there is no security team to call.
And because good defaults are nearly free once they exist. Every measure above was designed once, hardened across projects, and now ships as the studio standard on every build, from a 12-page contractor site to a 492-URL catalog. None of it is hypothetical: these header suites, rate limits, and honeypots are live today on sites for coatings applicators, distributors, general contractors, and a federal IT firm. Enterprise posture is not expensive. It is just unusual at this end of the market, and we think the businesses least equipped to survive an incident deserve it most.
