How a web agency keeps every client site secure with Scorifya
A simple, repeatable workflow for agencies and freelancers: baseline every client site, monitor them for drift, get alerted in Slack or email, and show clients their score with a shareable scorecard.
The job: keep sites you do not touch every day from quietly regressing
If you build and maintain sites for clients, you are responsible for security on properties you may not log into for weeks. A header gets dropped in a redesign, a certificate lapses, a staging subdomain is left exposed. The client will not catch it. You are expected to.
Here is a workflow that keeps that under control without it becoming a full-time job.
Step 1: baseline every client site
Scan each client domain once from the Scorifya scanner and note the score. You will usually find the same quick wins across a portfolio: missing security headers, a weak or missing Content Security Policy, no HSTS, and email records like DMARC and SPF that were never set. Knocking those out is fast and moves the score immediately.
Step 2: put them all on one watchlist
Add every client domain to your watchlist so Scorifya re-checks them on a schedule, and turn on alerts. When any site regresses, a certificate nears expiry, or a new subdomain appears, you hear about it in Slack or by email. The full breakdown is in Security alerts in Slack and email, and the two-minute Slack setup is here.
Step 3: re-scan after every deploy
The fastest way to undo good security work is a deploy that quietly drops a header. After you ship a change, move DNS, or stand up a new app, re-scan to confirm nothing slipped. We wrote about exactly when another scan is worth running.
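Steps 1 and 3 come down to two operations: record a baseline of each site's findings, then diff a post-deploy re-scan against it so a dropped header shows up as a regression rather than being found weeks later. The script below is an added example, not Scorifya's scanner or its scoring model. It works on response headers and DNS TXT records you have already fetched (the header set, the 180-day HSTS floor and the 10-points-per-finding score are assumptions made for this example); the two client sites and their records are constructed inline so it runs offline.

```python
"""Baseline and drift checks for a portfolio of client sites.

Added example for Step 1 (baseline) and Step 3 (re-scan after deploy).
Not Scorifya's scanner or scoring. Input: response headers and DNS TXT
records per site; the sample data below is constructed so this runs offline.
"""
import re

# Minimal header set a defender expects on a production site (assumption,
# not Scorifya's header list). Map: header name -> finding when absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS",
    "content-security-policy": "missing Content Security Policy",
    "x-content-type-options": "missing X-Content-Type-Options",
    "referrer-policy": "missing Referrer-Policy",
}
MIN_HSTS_AGE = 15552000  # 180 days; assumed floor for this example


def check_headers(headers):
    """Findings for one site's response headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    csp = h.get("content-security-policy", "")
    # A CSP that allows inline script/eval or a wildcard default-src is a quick win to fix.
    if csp and re.search(r"'unsafe-(inline|eval)'|(^|;)\s*default-src[^;]*\*", csp):
        findings.append("weak CSP: unsafe-inline/unsafe-eval or wildcard default-src")
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not age or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append("HSTS max-age below 180 days")
    return sorted(findings)


def check_email_records(domain, txt):
    """Findings for SPF (TXT at the apex) and DMARC (TXT at _dmarc.<domain>)."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (only one is valid)")
    elif spf[0].split()[-1].lower() in ("+all", "all"):
        findings.append("SPF ends in +all, any host may send as this domain")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        policy = re.search(r"\bp=(\w+)", dmarc[0])
        if not policy or policy.group(1).lower() == "none":
            findings.append("DMARC policy is p=none (monitor only, nothing rejected)")
    return findings


def baseline(site):
    """Step 1: one record per site. The score is a toy (10 points per finding)."""
    findings = check_headers(site["headers"]) + check_email_records(site["domain"], site["txt"])
    return {"domain": site["domain"], "findings": findings, "score": max(0, 100 - 10 * len(findings))}


def drift(before, after):
    """Step 3: compare a post-deploy re-scan with the stored baseline."""
    old, new = set(before["findings"]), set(after["findings"])
    return {"domain": after["domain"], "regressions": sorted(new - old), "fixed": sorted(old - new)}


# Constructed sample data: a neglected site and a well-configured one.
CLIENT_SITES = [
    {
        "domain": "client-a.example",
        "headers": {"Content-Type": "text/html",
                    "Content-Security-Policy": "default-src * 'unsafe-inline'"},
        "txt": {"client-a.example": ["v=spf1 include:_spf.example.net +all"]},
    },
    {
        "domain": "client-b.example",
        "headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin",
        },
        "txt": {
            "client-b.example": ["v=spf1 include:_spf.example.net -all"],
            "_dmarc.client-b.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@client-b.example"],
        },
    },
]


def portfolio_report(sites=CLIENT_SITES):
    """Baseline every site in the portfolio, keyed by domain."""
    return {b["domain"]: b for b in map(baseline, sites)}


if __name__ == "__main__":
    report = portfolio_report()
    for domain, b in report.items():
        print(f"{domain}: {b['score']} {b['findings']}")
    # Simulate a redeploy that silently drops HSTS on client-b, then re-scan.
    redeployed = dict(CLIENT_SITES[1], headers={k: v for k, v in CLIENT_SITES[1]["headers"].items()
                                                if k != "Strict-Transport-Security"})
    print(drift(report["client-b.example"], baseline(redeployed)))
```

Store the `baseline()` output per client alongside the deploy record; running `drift()` in the deploy pipeline turns "re-scan after every deploy" into a check that fails loudly when a regression appears instead of relying on someone remembering to look.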
Step 4: show the client the score
Security is invisible until you make it visible. Give each client a shareable scorecard page and drop an embeddable badge on their site or your report, so the work you did shows up as a number they can watch go up. The details are in shareable scorecards and embeddable badges.
Make it a line item, not a favor
Put together, this is a recurring service: baseline, monitor, alert, re-scan, report. It is concrete, it is visible to the client, and it runs mostly on its own, which makes it a natural addition to a maintenance retainer rather than unpaid work you do out of guilt.
Get started
Scan your first client site free from the Scorifya scanner. Watchlists, scheduled re-checks, alerts, and badges are part of Pro. Follow the blog for new workflows and features as we ship them.
Try a scan on scorifya.com, read how we score, or see Pro for unlimited scans and exports.