Here's an uncomfortable truth from doing this work in Harare every week: most local business websites we look at have at least three fixable vulnerabilities. Not exotic, nation-state stuff — boring, well-understood issues that a motivated attacker can find in minutes. The good news is they're cheap to fix once you know they're there.
1. Missing security headers
Security headers are simple instructions your server sends to every visitor's browser telling it how to behave safely. Get them wrong and your site becomes far easier to attack with clickjacking, content injection, or downgrade attacks.
- Content-Security-Policy — limits where scripts and content can load from.
- Strict-Transport-Security — forces HTTPS so logins can't be downgraded.
- X-Frame-Options — stops your site being framed for clickjacking.
The overwhelming majority of Zimbabwe business sites we scan are missing several of these. Adding them is usually a five-minute configuration change — but almost no one does it until someone points it out.
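To make the check concrete, here is a small Python script (an added example, not code from the original post) that looks at the headers a server sends back and reports which of the three protections above are missing or set too weakly. The one-year HSTS threshold, the `'unsafe-inline'` check and the function names are my assumptions from common hardening guidance, not thresholds the author states; the sample headers are constructed.

```python
"""Passive security-header audit: given the response headers a server sends,
report which protective headers are missing or weakly configured.

Added example, not from the original post. The thresholds and extra checks
below are assumptions based on common guidance.
"""
import urllib.request
from typing import Dict, List, Optional

# Commonly recommended minimum HSTS max-age: one year in seconds (assumption).
HSTS_MIN_MAX_AGE = 31536000


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _parse_max_age(hsts_value: str) -> Optional[int]:
    """Pull the integer max-age out of an HSTS header value, if there is one."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means all three headers
    discussed in the post are present and sensibly configured."""
    h = _lower_keys(headers)
    findings: List[str] = []

    # 1. Content-Security-Policy: must exist, and a policy that still allows
    #    'unsafe-inline' gives little protection against injected scripts.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    # 2. Strict-Transport-Security: present, with a long enough max-age so the
    #    browser keeps refusing plain HTTP between visits.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = _parse_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age too short ({max_age}s)")

    # 3. Framing protection: X-Frame-Options DENY/SAMEORIGIN, or the newer CSP
    #    frame-ancestors directive, which browsers honour over X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp_frames = csp is not None and "frame-ancestors" in csp
    if xfo not in ("DENY", "SAMEORIGIN") and not csp_frames:
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch response headers with a single HEAD request: no crawling and no
    form submission, which is all a passive check needs."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample of what a typical unhardened site might send.
    sample = {
        "Content-Type": "text/html; charset=UTF-8",
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=3600",
    }
    for line in audit_security_headers(sample):
        print("-", line)
```

Point `fetch_headers` at a site you own and pass the result to `audit_security_headers`; the constructed sample in the main block shows the three findings an unhardened site typically produces.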
2. Outdated software
WordPress, plugins, themes, and server software all ship security patches regularly. Every version you fall behind is a published, documented weakness that attackers actively scan the internet for. A site running a two-year-old plugin isn't "probably fine" — it's on a list somewhere.
If you can't remember the last time your site was updated, assume it's overdue. Automated bots don't care how small your business is; they care which version you're running.
3. Weak password reset flows
The "forgot password" feature is one of the most attacked parts of any site, and one of the most commonly broken. We regularly find reset links that don't expire, tokens that can be guessed, and flows that leak whether an email address has an account — handing attackers a free user list.
A secure reset flow uses long random tokens, expires them quickly, and gives the same response whether or not the email exists. Most off-the-shelf setups don't do all three out of the box.
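Here is what those three properties look like in code, as an added Python example (not from the original post or any particular CMS): tokens from the operating system's CSPRNG, stored only as hashes, expiring after a fixed window, single-use, and a request handler that returns the same message whether or not the address is registered. The in-memory stores, the 15-minute lifetime and the function names are illustrative assumptions.

```python
"""Password reset flow with the three properties the post calls for:
long random tokens, short expiry, and a response that does not reveal
whether an e-mail address has an account.

Added example, not from the original post. Stores are in-memory and the
15-minute lifetime is an assumption; a real app would use its database.
"""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: short enough to limit a leaked link's value

# Constructed user store: e-mail address -> user id.
USERS: Dict[str, int] = {"owner@example.com": 1}

# Constructed outbox standing in for the mailer: (recipient, token).
OUTBOX: List[Tuple[str, str]] = []

# Token store keyed by SHA-256 of the token, so a copied database table does
# not contain usable reset links. Value: [user_id, expires_at, used].
_RESET_TOKENS: Dict[str, list] = {}

# One message for both outcomes, so the form cannot be used to enumerate users.
GENERIC_RESPONSE = "If that address has an account, a reset link has been sent."


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> str:
    """Handle 'forgot password'. The caller gets the same text either way;
    only the genuine account owner receives anything in their inbox."""
    now = time.time() if now is None else now
    # 32 random bytes (256 bits) from the OS CSPRNG: not guessable or predictable.
    token = secrets.token_urlsafe(32)
    user_id = USERS.get(email.strip().lower())
    if user_id is not None:
        _RESET_TOKENS[_hash_token(token)] = [user_id, now + TOKEN_LIFETIME_SECONDS, False]
        OUTBOX.append((email.strip().lower(), token))
    return GENERIC_RESPONSE


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[int]:
    """Consume a reset token. Returns the user id whose password may now be
    changed, or None for an unknown, expired or already-used token. All three
    failures look identical to the caller."""
    now = time.time() if now is None else now
    record = _RESET_TOKENS.get(_hash_token(token))
    if record is None:
        return None
    user_id, expires_at, used = record
    if used or now > expires_at:
        return None
    record[2] = True  # single use: a link sitting in an old e-mail cannot be replayed
    return user_id


if __name__ == "__main__":
    print(request_reset("owner@example.com"))   # registered
    print(request_reset("nobody@example.com"))  # not registered: same message
    _, issued = OUTBOX[-1]
    print("redeem:", redeem_reset(issued))       # user id 1
    print("replay:", redeem_reset(issued))       # None
```

The `now` parameter exists only so expiry can be exercised deterministically; in production you would leave it at the default. Note that the same-message rule covers the response body but not timing, so the mail send should happen off the request path (a queue) if you want to close that gap too.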
4. No privacy policy
This one isn't just a security gap — it's a legal one. Under Zimbabwe's Data Protection Act, businesses that collect personal data are expected to tell people how that data is used. A surprising number of Harare sites with contact forms, booking systems, or newsletters have no privacy policy at all.
Beyond compliance, a missing or boilerplate privacy policy signals to customers — and to a regulator — that data handling was never thought through. It's one of the easiest things to fix and one of the most commonly skipped.
How to know where you stand
You don't need to guess. A passive assessment checks all of the above from the outside, without touching or disrupting your live site — and tells you exactly which of these issues you have. Most Harare businesses we test discover at least one thing they had no idea about.
Get a free passive assessment
We'll run a no-touch external scan of your website and send you a short, plain-English report of what we find — no obligation, no cost.
Request a free assessment, or message +263 77 690 2542 on WhatsApp.
Donovan Mudarikwa
CompTIA A+, Security+ & PenTest+ certified
CompTIA A+, Security+, and PenTest+ certified security professional and web developer. Based in Harare, working with businesses across Zimbabwe and beyond.