Website Security Monitoring: A Practical Setup Guide

Why Monitoring Beats One-Time Scans

Running a security scan once is like getting a health checkup and then never visiting the doctor again. Your website's security posture changes constantly:

• SSL certificates expire — and if you miss the renewal, your site goes down (or worse, becomes insecure)
• New vulnerabilities are discovered — what was safe yesterday may not be safe today
• Configuration drift — a deployment, a plugin update, or a hosting change can silently remove security headers
• Content changes — new pages, forms, or third-party scripts introduce new attack surfaces

Continuous monitoring catches these changes before attackers exploit them. The difference between a one-time scan and continuous monitoring is the difference between a photograph and a security camera.

What to Monitor

An effective monitoring setup covers five areas:

1. SSL/TLS Certificate Health

Your SSL certificate is the foundation of your site's security. Monitor:

• Expiry date — certificates expire every 90 days (Let's Encrypt) or annually
• Certificate chain — intermediate certificates can expire independently
• Protocol version — ensure TLS 1.2+ is always active
• Certificate transparency — detect unauthorized certificates issued for your domain

2. HTTP Security Headers

Security headers can disappear after a deployment, CDN change, or server update. Monitor:

• Strict-Transport-Security (HSTS)
• Content-Security-Policy (CSP)
• X-Content-Type-Options
• X-Frame-Options
• Referrer-Policy
• Permissions-Policy

3. Uptime and Response

Downtime can indicate an attack in progress (DDoS) or a compromised server:

• HTTP status code — is your site returning 200?
• Response time — sudden slowdowns may indicate cryptomining or abuse
• Content verification — is the homepage still returning expected content (or has it been defaced)?

4. DNS Configuration

DNS changes can redirect your traffic to an attacker's server:

• A/AAAA records — are they pointing to the correct IP?
• MX records — email routing changes could indicate compromise
• SPF, DKIM, DMARC — email authentication records prevent domain spoofing
• Nameserver changes — unauthorized NS changes are a critical indicator of domain hijacking

5. Vulnerability Status

New vulnerabilities are disclosed daily. Monitor:

• Known CVEs in your software stack
• Plugin vulnerabilities (especially for CMS platforms)
• Dependency vulnerabilities in your codebase

Setting Up SSL Expiry Alerts

An expired SSL certificate is one of the most common and most preventable security issues. Here is how to set up monitoring:

Using cron and OpenSSL (free, self-hosted)

Create a script that checks your certificate and alerts you before expiry:

#!/bin/bash
# check-ssl.sh — Run daily via cron

DOMAIN="yoursite.com"
ALERT_DAYS=14
EMAIL="admin@yoursite.com"

EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)

EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))

if [ "$DAYS_LEFT" -lt "$ALERT_DAYS" ]; then
  echo "SSL certificate for $DOMAIN expires in $DAYS_LEFT days ($EXPIRY)" \
    | mail -s "SSL EXPIRY WARNING: $DOMAIN" "$EMAIL"
fi

Add to crontab:

# Run daily at 9 AM
0 9 * * * /path/to/check-ssl.sh

Using online services

If you prefer a managed solution:

• UptimeRobot (free tier) — monitors SSL expiry and sends email/Slack alerts
• Better Uptime — SSL monitoring with on-call escalation
• Certspotter — monitors Certificate Transparency logs for your domain

HTTP Header Drift Detection

Security headers disappearing after a deployment is surprisingly common. Here is how to detect it:

Automated header checking script

#!/bin/bash
# check-headers.sh

DOMAIN="https://yoursite.com"
EXPECTED_HEADERS=(
  "strict-transport-security"
  "content-security-policy"
  "x-content-type-options"
  "x-frame-options"
  "referrer-policy"
)

HEADERS=$(curl -sI "$DOMAIN")
MISSING=()

for header in "${EXPECTED_HEADERS[@]}"; do
  if ! echo "$HEADERS" | grep -qi "$header"; then
    MISSING+=("$header")
  fi
done

if [ ${#MISSING[@]} -gt 0 ]; then
  echo "MISSING HEADERS on $DOMAIN: ${MISSING[*]}" \
    | mail -s "Security Header Alert: $DOMAIN" admin@yoursite.com
fi

CI/CD integration

Add header checks to your deployment pipeline to catch issues before they reach production:

# .github/workflows/security-check.yml
name: Post-deploy Security Check
on:
  deployment_status:
    types: [completed]

jobs:
  check-headers:
    if: github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Check security headers
        run: |
          HEADERS=$(curl -sI https://yoursite.com)
          echo "$HEADERS" | grep -qi "strict-transport-security" || exit 1
          echo "$HEADERS" | grep -qi "x-content-type-options" || exit 1
          echo "$HEADERS" | grep -qi "content-security-policy" || exit 1
          echo "All critical security headers present"

Uptime & Response Monitoring

Free options

What to configure

1. 1Check interval — 5 minutes is standard; 1 minute for critical sites
2. 2Check locations — monitor from at least 2 geographic regions to avoid false positives
3. 3Alert channels — email + one instant channel (Slack, SMS, or push notification)
4. 4Status page — create a public status page for transparency with customers
5. 5Content validation — check for a specific keyword on the page to detect defacement

Vulnerability Scan Scheduling

One-time scans catch today's issues. Scheduled scans catch tomorrow's:

Weekly scan schedule

Set up a weekly automated scan to detect:

• Newly expired or misconfigured SSL certificates
• Security headers that were removed during a deployment
• New information disclosure (server version leaks, debug pages)
• Cookie security changes
• DNS record modifications

Monthly deep review

Once a month, review your scan results for trends:

• Is your score improving or declining?
• Are the same issues recurring?
• Have new issues appeared?
• Are there action items you have been postponing?

Free vs Paid Monitoring Tools

For a small business with 1-5 websites, a combination of free tools covers the basics well. As you grow, invest in paid tools for automation and deeper coverage.

ZeriFlow for Continuous Security Scanning

ZeriFlow combines multiple monitoring concerns into a single security scan:

• SSL/TLS verification — certificate validity, protocol versions, HSTS configuration
• Security headers — all six critical headers plus additional recommendations
• Cookie security — Secure, HttpOnly, and SameSite flags
• DNS and email security — SPF, DKIM, DMARC records
• Information disclosure — server versions, debug endpoints, exposed files
• Content security — mixed content, inline scripts, CSP validation

Each scan takes about 60 seconds and produces a score out of 100. Run it weekly as part of your monitoring routine to catch configuration drift and new issues.

Incident Response When You Get an Alert

When a monitoring alert fires, follow this process:

Severity assessment (first 5 minutes)

1. 1Is the site down? — Check from multiple devices and networks
2. 2Is it a false positive? — Verify the alert by manually checking
3. 3What changed? — Check recent deployments, plugin updates, or hosting changes

Immediate response

Post-incident

• Document what happened — even a brief note helps if it recurs
• Fix the root cause — not just the symptom
• Update monitoring — add checks for anything this incident revealed as a gap
• Review access — if the incident involved unauthorized changes, audit who has access to what

The goal of monitoring is not to prevent all incidents — it is to detect them fast enough that the impact is minimal. A security issue caught in 5 minutes is a minor inconvenience. The same issue caught after 3 months is a potential data breach.