If you build and maintain sites for clients, you are on the hook for security on properties you may not log into for weeks. A header gets dropped in a redesign, a certificate lapses, a staging subdomain is left exposed. The client will not catch it. You are expected to.
Here is a simple, repeatable workflow that keeps that under control without it becoming a full-time job.
Step 1: baseline every client site
Scan each client domain once and note the score. You will usually find the same quick wins across a portfolio: missing security headers, a weak or missing Content-Security-Policy, no HSTS, and email records like DMARC and SPF that were never set. Knocking those out is fast and moves the score immediately.
A free scan at scorifya.com gives you a 0 to 100 hardening score plus the specific fix for each finding (TLS, headers, DNS and email, cookies, exposure), with no signup needed to run it.
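To make the baseline concrete, here is an added example (not from the original post, and not how scorifya.com computes its score) that audits captured response headers and DNS TXT answers for the quick wins listed in Step 1. The domains and sample data are constructed, and the baseline header set, the "weak CSP" test and the 180-day HSTS threshold are assumptions.

```python
import re

BASELINE_HEADERS = ("x-content-type-options", "x-frame-options", "referrer-policy")  # assumed set
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")  # assumed "weak" test
MIN_HSTS_MAX_AGE = 15552000  # 180 days, an assumed threshold

def audit_site(domain, headers, txt):
    """Findings for one site, from captured response headers and DNS TXT answers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in BASELINE_HEADERS if n not in h]
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing CSP")
    else:
        directives = {p.split()[0].lower(): p.split()[1:]
                      for p in reversed(csp.split(";")) if p.split()}  # first occurrence wins
        script = directives.get("script-src", directives.get("default-src"))
        weak = ["unrestricted"] if script is None else [s for s in WEAK_SCRIPT_SOURCES if s in script]
        if weak:
            findings.append("weak CSP script sources: " + " ".join(weak))
    hsts = h.get("strict-transport-security")
    age = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None or age is None or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("no HSTS" if hsts is None else "HSTS max-age below 180 days")
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # more than one SPF record is a permanent error for receivers
        findings.append("multiple SPF records" if spf else "no SPF record")
    if not any(r.startswith("v=DMARC1") for r in txt.get("_dmarc." + domain, [])):
        findings.append("no DMARC record")
    return findings

# Constructed sample capture for two hypothetical client domains.
PORTFOLIO = {
    "client-a.example": (
        {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
         "Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff"},
        {"client-a.example": ["v=spf1 include:_spf.mail.example -all"]}),
    "client-b.example": (
        {"Content-Security-Policy": "default-src 'none'; script-src 'self'",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Content-Type-Options": "nosniff",
         "X-Frame-Options": "DENY", "Referrer-Policy": "strict-origin-when-cross-origin"},
        {"client-b.example": ["v=spf1 -all"], "_dmarc.client-b.example": ["v=DMARC1; p=reject"]}),
}

def baseline(portfolio):
    return {d: audit_site(d, hdrs, txt) for d, (hdrs, txt) in portfolio.items()}

if __name__ == "__main__":
    print("\n".join(f"{d}: {f or 'clean'}" for d, f in baseline(PORTFOLIO).items()))
```

Saving the returned dictionary per domain gives you a baseline to compare later scans against, so a header dropped in a redesign shows up as a new finding.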







