Quick Answer
Website security is not a one-time task. Dependencies get new CVEs published daily. SSL certificates expire. New vulnerability patterns emerge as your codebase grows. This guide covers a practical security update cadence: what to check daily, weekly, monthly, and quarterly to keep your site secure after launch.
Why Security Updates Cannot Be a One-Time Task
A security audit at launch is a snapshot. The day after you ship, the threat landscape starts shifting. Your dependencies accumulate new CVEs. Your SSL certificate ticks closer to expiry. Code added in new features introduces patterns that were not there at launch. If you do not have a security update cadence, your app's security posture degrades with every passing week.
The numbers back this up. According to the National Vulnerability Database (NVD), over 28,000 CVEs were published in 2023 - roughly 80 per day. Most of these affect libraries used by typical web applications. A package that was clean at launch may have a critical vulnerability disclosed six weeks later.
For AI-generated apps, the update problem is compounded. AI tools install many more dependencies than a human developer would (DEP-001 fires on >60 packages), and they often do not pin versions tightly (DEP-008), meaning a routine npm install can silently pull in a newer, potentially vulnerable version.
The Security Update Cadence
| Frequency | What to check | Time required |
|---|---|---|
| Per push (automated) | Dependency CVEs, secret detection, code patterns, security headers | ~2 min (automated) |
| Weekly | Review Dependabot/npm audit alerts, update non-breaking patches | 30-60 min |
| Monthly | Full security scan, review SSL expiry, update minor versions, review logs for anomalies | 2-4 hours |
| Quarterly | Review auth flows, rotate long-lived secrets, review access controls, update major versions | 4-8 hours |
| On CVE disclosure | Patch critical/high CVEs in your dependencies within 24-72 hours | 1-4 hours |
Per-Push Security Updates (Automated)
The most efficient security update practice is continuous automated scanning triggered on every code push. This catches new issues the moment they are introduced, before they accumulate into technical debt.
Set up your CI/CD pipeline to run:
- npm audit or Trivy - catches new CVEs in dependencies introduced by
package.jsonchanges - Gitleaks - catches secrets accidentally committed (still the #1 preventable security incident)
- Static analysis - catches new instances of SQL injection patterns, missing validation, XSS vectors
# GitHub Actions: basic security scan on every push
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: npm ci
- name: Dependency audit
run: npm audit --audit-level=high
- name: Secret detection
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}A push scan that catches a committed API key saves potentially hours of incident response. A CVE check that catches a critical vulnerability in a transitive dependency saves a potential breach. Both run in under 2 minutes.
Weekly Security Updates
Review Dependency Alerts
Enable GitHub's Dependabot for automated pull requests when new CVEs are published for your dependencies. Configure it to open PRs automatically for patch updates and alert for minor and major updates.
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
labels:
- "security"
- "dependencies"Each week, review the open Dependabot PRs. Patch updates (1.2.3 to 1.2.4) are generally safe to merge immediately after confirming your tests pass. Minor and major updates need a quick review of the changelog for breaking changes.
npm audit Triage
Run npm audit and review the output. Focus on critical and high severity vulnerabilities in production dependencies. Low and moderate severity issues in dev dependencies are lower priority.
# Show only high+ severity vulnerabilities in production deps
npm audit --audit-level=high --omit=dev
# Show fix recommendations
npm audit fix --dry-runIf npm audit fix can resolve a critical without a breaking change, apply it. If the fix requires a major version bump, schedule it for the next sprint with a testing cycle.
Monthly Security Updates
Full Automated Security Scan
Once a month, run a comprehensive scan covering all security layers. If you are using VibeDoctor, this means running a full scan against your repository - it will check for new vulnerability patterns, updated dependency CVEs, and any configuration drift since your last scan.
Pay particular attention to findings that were not present in the previous scan. New findings indicate either new code introducing patterns, or the scanner's ruleset catching something it did not previously detect.
SSL Certificate Expiry Review
Check your SSL certificate expiry date monthly. Set up automated monitoring with alerts at 30 days and 7 days before expiry. Many security incidents involving SSL outages happen because a certificate renewal was missed.
# Check SSL expiry from command line
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
# Output example:
# notBefore=Jan 1 00:00:00 2026 GMT
# notAfter=Apr 1 00:00:00 2026 GMTFor production sites, use a monitoring service (Uptime Kuma, Checkly, or similar) with SSL expiry alerts. Do not rely on manual checks - certificate expirations cause unexpected outages that affect all users simultaneously.
Security Header Review
Load your production site through an HTTP inspector and verify all six critical security headers are present: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. New deployment configurations, CDN changes, or reverse proxy updates can silently strip headers.
# Check security headers via curl
curl -sI https://yourdomain.com | grep -i -E \
"strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy"Review Access and Auth Logs
Monthly, spend 30 minutes reviewing your authentication logs for anomalies: failed login spikes (potential brute force), unusual geographic patterns, or API keys being used from unexpected IPs. Most auth providers (Supabase, Clerk, Auth0) have dashboards for this.
Quarterly Security Updates
Rotate Long-Lived Secrets
Quarterly rotation of long-lived credentials reduces the window of exposure if a secret was compromised without your knowledge. Rotate:
- API keys for third-party services (Stripe, SendGrid, OpenAI, etc.)
- Database passwords if using connection string-based auth
- JWT signing secrets if using symmetric algorithms (HS256)
- Admin access tokens for any CI/CD integrations
Document the rotation date and the next planned rotation. Use a password manager or secrets management service (AWS Secrets Manager, HashiCorp Vault, or Doppler) to track this systematically.
Review Authentication and Authorization Design
Quarterly, manually walk through your authentication and authorization flows with fresh eyes:
- Are all admin routes verified to check admin role, not just authentication?
- Can a regular user access another user's data by changing an ID in a URL?
- Are there any new endpoints added in the past quarter that lack auth checks?
- Have any new roles or permission levels been added informally without a proper access control review?
Major Dependency Version Updates
Use quarterly reviews to tackle major version updates that were deferred. Major updates often include security improvements alongside breaking changes. Build a test cycle for major framework updates (Next.js, Express, etc.) and plan them with sufficient runway.
# Check what major updates are available
npx npm-check-updates
# Or check interactively
npx npm-check-updates --interactiveResponding to New CVE Disclosures
Some security updates cannot wait for the regular cadence. When a critical or high severity CVE is published for a package you use, treat it as an incident.
CVE Response Timeline
| Severity | Response time | Action |
|---|---|---|
| Critical (CVSS 9.0-10.0) | 24 hours | Emergency patch or temporary mitigation (WAF rule, feature flag off) |
| High (CVSS 7.0-8.9) | 72 hours | Patch in next release cycle, same-day if actively exploited |
| Medium (CVSS 4.0-6.9) | 2 weeks | Include in next scheduled dependency update batch |
| Low (CVSS <4.0) | Monthly review | Address in monthly dependency update round |
Where to Track CVE Disclosures
- GitHub Security Advisories - subscribes automatically when you enable Dependabot
- npm advisories -
npm auditchecks this database on every run - Snyk vulnerability database - snyk.io/vuln has a searchable feed
- CISA Known Exploited Vulnerabilities - cisa.gov/known-exploited-vulnerabilities - critical list of actively exploited CVEs
Automating Your Security Update Process
Manual security updates get skipped under pressure. The most effective security update practices are the ones that run automatically:
- Enable Dependabot for automatic dependency update PRs
- Add npm audit to CI/CD to block merges that introduce high CVEs
- Set SSL expiry alerts at 30 and 7 days in your monitoring tool
- Schedule a monthly security scan in your calendar (or via push-triggered scanning)
- Subscribe to GitHub Security Advisories for your key dependencies
VibeDoctor automates the scanning layer - dependency CVEs, security headers, secrets, and code vulnerability patterns run automatically on every scan. For push-triggered scanning, connect your GitHub repository and every code push triggers an incremental scan that alerts on new issues.
FAQ
How often should I update my website security?
Critical CVEs: within 24-72 hours. Dependency patches: weekly. Full security scans: monthly. Auth and access control review: quarterly. SSL monitoring: continuous with automated alerts at 30 and 7 days before expiry.
What is the most important website security update to do first?
If you have not run a security scan recently, start there. An automated scan will surface the most critical issues in priority order. The most common first-scan findings are missing security headers, unprotected API routes, and exposed secrets - all fixable in under a day.
How do I know when my website has a new security vulnerability?
Enable Dependabot for CVE alerts on your dependencies. Subscribe to GitHub Security Advisories for your key packages. Use automated scanning that runs on every push and alerts on new findings. CISA's Known Exploited Vulnerabilities catalog is the authoritative source for actively exploited CVEs to prioritize.
Do I need to update security headers regularly?
Security headers do not change frequently once set, but they can silently disappear after infrastructure changes - CDN provider switches, reverse proxy updates, or Docker configuration changes. Verify headers monthly as part of your security review, and add header checks to your monitoring setup.
What is the biggest security risk from not updating dependencies?
Known CVEs in production dependencies are the most common vector for automated attacks. Tools like automated scanners and exploit kits specifically target known CVEs in popular packages. If npm audit shows a critical vulnerability that has been public for 30+ days, attackers have had a month to build exploits for it.