Selling Website Security to Clients Without Sounding Pushy

Learn how to talk to clients about website security as a freelancer — scripts, pricing, and real examples that turn audits into recurring revenue.

WebSentry Team · May 31, 2026 · 5 min read

Most freelancers lose security work not because clients don't care, but because the conversation gets framed wrong. You mention SSL, CSP, or HSTS and watch their eyes glaze over. Then a competitor swoops in with a $49/month "security plan" and wins the retainer.

Talking to clients about website security isn't a technical problem — it's a translation problem. Here's how to have that conversation in a way that actually closes work, without scare tactics or jargon.

Start With Business Risk, Not Technology

Clients don't buy Content-Security-Policy headers. They buy peace of mind, customer trust, and protection from financial loss. Before you ever open a terminal or run a scan, reframe what you're selling.

Instead of:

  • "Your site is missing HSTS and has a weak CSP."

Try:

  • "Right now, if someone hijacks your customer's Wi-Fi at a coffee shop, they could intercept their login. Here's what it would cost to fix that."

Same issue. One sounds like homework. The other sounds like a problem worth paying to solve.

The Three Questions Every Client Cares About

  1. Can I lose money because of this? (downtime, fraud, chargebacks)
  2. Can I lose customers because of this? (trust, reputation, browser warnings)
  3. Can I get in legal trouble because of this? (GDPR, PCI-DSS, data breach notifications)

Map every technical finding to one of those three buckets before you bring it up.

Lead With a Free Audit, Not a Sales Pitch

The single best conversation starter is a one-page report showing exactly what's wrong. Run the client's site through WebSentry, take the A–F grade, and use it as the anchor for your pitch.

A grade is something a non-technical client immediately understands. "Your site scored a D" lands harder than fifteen bullet points about missing headers. From there you can walk through the specifics in plain English.

A Script That Actually Works

Here's a cold email I've used to win retainers from existing clients:

Hi Sarah — quick heads up. I ran your site through a security scanner this morning and it came back with a C-. The main issues are around how the site handles secure connections and cookies, which can affect both customer trust and your Google rankings. I can put together a 15-minute call this week to walk you through what it means and what's worth fixing. No charge for the audit either way.

Notice what's missing: no acronyms, no fear-mongering, no "you're at risk of being hacked." Just a clear hook and a low-commitment ask.

Translate Findings Into Plain English

Once you're on the call, here's how I translate the most common WebSentry findings:

  • Missing HSTS → "Browsers can be tricked into loading an insecure version of your site."
  • Weak or missing CSP → "If a hacker injects a malicious script, there's nothing stopping it from running."
  • Cookies without Secure/HttpOnly → "Customer login sessions could be stolen on public Wi-Fi."
  • Permissive CORS → "Other websites can read data from your site that they shouldn't."
  • Missing DNS records (SPF, DMARC) → "Anyone can send phishing emails pretending to be you."
  • Expired or weak SSL config → "Visitors may get a warning that scares them away."

Notice every translation ends in a business consequence, not a technical state.
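The translations above can be produced mechanically from a site's response headers. The following is an added example (not WebSentry's scanner or its scoring) that runs the four header and cookie checks offline against a constructed response and pairs each finding with the plain-English consequence; the A–F scale is an illustrative assumption.

```python
import re

# Technical check -> business consequence (wording taken from the translations above)
CONSEQUENCE = {
    "hsts": "Browsers can be tricked into loading an insecure version of your site.",
    "csp": "If a hacker injects a malicious script, there's nothing stopping it from running.",
    "cookie": "Customer login sessions could be stolen on public Wi-Fi.",
    "cors": "Other websites can read data from your site that they shouldn't.",
}

def audit(headers, set_cookies):
    """headers: response header name -> value (case-insensitive);
    set_cookies: list of raw Set-Cookie values. Returns [(finding, consequence)]."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS: present with a max-age of at least one year (31536000 seconds)
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append(("Missing or short-lived HSTS", CONSEQUENCE["hsts"]))
    # CSP: present, and script sources neither inline nor wildcard
    csp = h.get("content-security-policy", "").lower()
    if not csp or "'unsafe-inline'" in csp or re.search(r"(script-src|default-src)[^;]*\*", csp):
        findings.append(("Weak or missing CSP", CONSEQUENCE["csp"]))
    # Cookies: every Set-Cookie must carry both Secure and HttpOnly
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {p.strip().split("=")[0].lower() for p in raw.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append((f"Cookie '{name}' without Secure/HttpOnly", CONSEQUENCE["cookie"]))
    # CORS: wildcard origin (heuristic; origin reflection needs a live request to detect)
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append(("Permissive CORS", CONSEQUENCE["cors"]))
    return findings

def grade(findings):
    """Illustrative scale (assumption, not WebSentry's): one letter per finding, F at four or more."""
    return "ABCDF"[min(len(findings), 4)]

SAMPLE_HEADERS = {  # constructed response, not captured from any real site
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",  # missing Secure
                  "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    found = audit(SAMPLE_HEADERS, SAMPLE_COOKIES)
    for finding, why in found:
        print(f"- {finding}: {why}")
    print("Grade:", grade(found))
```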

Price It So They Can Say Yes

Freelancers often kill security deals by quoting one big number. A client will balk at "$2,400 to fix everything" but happily approve smaller chunks. Break it into tiers:

The Three-Tier Offer

  • Quick Wins ($300–$600): Headers, cookie flags, SSL tightening. One afternoon of work. Moves the grade from D to B.
  • Hardening ($800–$1,500): Proper CSP, DNS records (SPF, DKIM, DMARC), CORS lockdown, dependency updates.
  • Ongoing Monitoring ($75–$150/month): Monthly scans, re-grading, and a short report. This is where the recurring revenue lives.

Most clients pick tier one immediately because the price is low and the result is visible. Once they see the grade jump from D to B, tier two and the retainer become easy conversations.

Handle the Common Objections

"We've never had a problem before."

"Most sites don't — until they do. The point isn't that something has happened, it's that the cost of preventing it is much lower than the cost of dealing with it. A breach notification alone can run $5,000+ in legal fees before you even touch the technical cleanup."

"Isn't this what my host handles?"

"Hosts handle the server. They don't configure your site's headers, cookies, or CSP — that's application-level, and it's where most modern attacks happen."

"Can you just send me a quote?"

Never send a quote without walking through the report first. Always offer a 15-minute call. Quotes sent cold convert at maybe 10%. Quotes sent after a walkthrough convert at 60%+.

Make Security a Recurring Conversation

One-off audits are fine, but the real money is in monthly retainers. Build security into your standard maintenance package:

  1. Run a WebSentry scan on the first of every month.
  2. Send the client a one-page PDF: current grade, what changed, what you fixed, what's coming next.
  3. Flag anything urgent immediately with a recommended action and price.

This does two things. It gives the client a tangible deliverable every month (which kills retainer churn), and it surfaces new paid work organically — "this month a dependency went out of date, here's what it'll cost to update."

Document Everything in Writing

When you recommend a fix and the client declines, send a follow-up email summarising what you flagged, what you recommended, and that they chose not to proceed. This isn't about being defensive — it's about protecting both of you if something goes wrong later. Clients also tend to approve work faster when they see it written down.

If you want a no-friction way to start any of these conversations, run a free scan at websentry.dev and use the grade as the opening line of your next client email. It's the fastest way to turn a vague concern into a specific, billable conversation.
