17 October 2024

Why Every Relaunch Needs a Security Audit – Lessons from 50 Web Projects

Over 50 web projects – every post-launch audit found vulnerabilities. Open admin access, forgotten staging servers, default passwords. A relaunch without a security check is like playing Russian roulette.

TL;DR

  • 87 percent of relaunches go live without a security review
  • Top 3: staging access, default credentials, missing HTTPS redirects
  • Pre-launch check: 2-4 hours, a fraction of the time needed for remediation
  • Scanners find 60 percent – the critical 40 percent require manual inspection

The Relaunch Trap

Launch-day checklist: redirects, DNS, analytics. What’s missing: turn off staging, revoke developer access, disable debug mode, add security headers.

Most Common Vulnerabilities

Staging: staging.example.com remains online – weak passwords, no WAF.

Credentials: admin/admin, API keys in JS, DB passwords in config files.

Mixed Content: resources loaded over HTTP on an HTTPS page enable MITM attacks.
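As an added example (not code from the article), a small pre-launch checker that covers the launch-day items and the vulnerabilities listed above: HTTPS redirect, security headers, mixed content and a staging host that still answers. It works on captured responses represented as dicts; the header baseline and the sample captures are constructed assumptions, not real sites.

```python
import re

# Headers the launch checklist expects on every production HTTPS response (assumed baseline).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)
# Sub-resources pulled in over plain HTTP from an HTTPS page (mixed content).
MIXED_CONTENT = re.compile(r"<(?:script|link|img|iframe)\b[^>]*?(?:src|href)=[\"']http://", re.I)


def audit_relaunch(http_probe, https_probe, staging_probe):
    """Return the checklist failures found in three captured responses.

    Each probe is a dict {"status": int or None, "headers": {...}, "body": str};
    status None means the host did not answer at all (the desired state for staging).
    """
    findings = []
    # 1. Plain HTTP must redirect permanently to the HTTPS origin.
    loc = {k.lower(): v for k, v in http_probe["headers"].items()}.get("location", "")
    if http_probe["status"] not in (301, 308) or not loc.startswith("https://"):
        findings.append("no-https-redirect")
    # 2. Security headers present on the production HTTPS response.
    hdrs = {k.lower(): v for k, v in https_probe["headers"].items()}
    findings += [f"missing-header:{h}" for h in REQUIRED_HEADERS if h not in hdrs]
    # 3. No HTTP sub-resources embedded in the HTTPS page.
    if MIXED_CONTENT.search(https_probe["body"]):
        findings.append("mixed-content")
    # 4. The forgotten staging host must not answer any more.
    if staging_probe["status"] is not None:
        findings.append("staging-reachable")
    return findings


# Constructed sample captures modelling a typical unchecked relaunch versus a clean one.
BAD_HTTP = {"status": 200, "headers": {}, "body": "<html>ok</html>"}
BAD_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"},
             "body": '<html><script src="http://cdn.example.com/app.js"></script></html>'}
LIVE_STAGING = {"status": 200, "headers": {}, "body": "staging"}
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://www.example.com/"}, "body": ""}
GOOD_HTTPS = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"},
    "body": '<html><script src="https://cdn.example.com/app.js"></script></html>'}
DEAD_STAGING = {"status": None, "headers": {}, "body": ""}

if __name__ == "__main__":
    print(audit_relaunch(BAD_HTTP, BAD_HTTPS, LIVE_STAGING))   # seven findings
    print(audit_relaunch(GOOD_HTTP, GOOD_HTTPS, DEAD_STAGING))  # []
```

Feeding it real captures (for example from a pre-launch HTTP client run) turns the article's checklist into a repeatable check rather than a memory exercise.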

Conclusion

Two hours of checking can save months of cleanup. The checklist is simple – the discipline is hard.

Key Facts

Staging Exposure: 18 percent of websites accessible via forgotten subdomains (Detectify).

Time to Exploit: within 15 minutes of disclosure, scanners are already probing for a newly published vulnerability.

Frequently Asked Questions

Is a scanner enough?

For basics. Business logic requires manual inspection.

Who should perform the check?

Ideally someone outside the project.

What are the costs?

2,000-8,000 Euro. Always cheaper than the alternative.

Header Image Source: Pexels

About the author: Alec Chizhik

A magazine by Evernine Media GmbH