DEV Community

Cedric Brown

Originally published at scorifya.com

How a web agency keeps every client site secure

If you build and maintain sites for clients, you are on the hook for security on properties you may not log into for weeks. A header gets dropped in a redesign, a certificate lapses, a staging subdomain is left exposed. The client will not catch it. You are expected to.

Here is a simple, repeatable workflow that keeps that under control without it becoming a full-time job.

Step 1: baseline every client site

Scan each client domain once and record the score as the baseline. The same quick wins tend to show up across a portfolio: missing security headers, a weak or missing Content-Security-Policy, no HSTS, and SPF or DMARC records that were never published. Fixing those is fast and moves the score immediately.

A free scan at scorifya.com gives you a 0 to 100 hardening score plus the specific fix for each finding (TLS, headers, DNS and email, cookies, exposure), with no signup needed to run it.

Step 2: put them all on one watchlist

Add every client domain to a watchlist so the sites are re-checked on a schedule. When any of them regresses, a certificate nears expiry, or a new subdomain appears, you hear about it in Slack or by email instead of finding out from the client. This is the "set it and forget it" part that makes the whole thing scale past two or three sites.

Step 3: re-scan after every deploy

The fastest way to undo good security work is a deploy that quietly drops a header: a redesign that ships a new server config, a CDN or reverse proxy put in front of the site that does not pass headers through, a DNS move. After you ship a change, move DNS, or stand up a new app, re-scan and compare against the baseline so that anything that slipped shows up as a regression rather than as a lower number nobody notices.

Step 4: show the client the score

Security is invisible until you make it visible. Give each client a shareable scorecard and drop an embeddable badge on their site or your report, so the work you did shows up as a number they can watch go up. It turns an invisible task into a visible deliverable.

Make it a line item, not a favor

Put together, this is a recurring service: baseline, monitor, alert, re-scan, report. It is concrete, it is visible to the client, and it runs mostly on its own, which makes it a natural addition to a maintenance retainer rather than unpaid work you do out of guilt.

If you want to try the workflow, scan a client site free at scorifya.com. I build it; happy to answer questions in the comments.
