Pre-Deployment Security Checklist: 26-Item Guide Before Going Live

TL;DR

Before deploying, verify: no hardcoded secrets, environment variables configured, HTTPS enabled, authentication on all protected routes, database access controls, input validation, security headers, and error handling that doesn't leak information. 8 critical items must be fixed before launch, 12 important items within the first week, and 6 recommended items when you can.

Think of this as your preflight checklist. Pilots do not skip it because they have flown a hundred times before, and you should not skip it just because you have deployed before either. Twenty-six items sounds like a lot, but most of them take under a minute to verify and the ones you catch here are infinitely cheaper to fix than the ones your users find in production.

Quick Checklist (5 Critical Items)

No hardcoded API keys or secretsSearch for sk_, pk_, api_key, secret, password in your code

.env files in .gitignoreVerify .env, .env.local, .env.production are not committed

HTTPS enabledSSL/TLS certificate installed and HTTP redirects to HTTPS

All protected routes require authenticationTest each route without a session - should redirect to login

Row Level Security enabled (if using Supabase)RLS policies on all tables that need access control

Secrets & Configuration 5

No hardcoded API keys or secretsSearch for sk_, pk_, api_key, apiKey, secret, password, token in your codebase. How to secure API keys

All secrets in environment variablesDatabase URLs, API keys, and tokens should come from process.env. How to configure env variables

.env files in .gitignoreVerify .env, .env.local, .env.production are not committed. How to secure .env files

Production environment variables configuredSet all required variables in your hosting platform (Vercel, Railway, etc.). How to deploy env variables

No development/test credentials in productionRemove Stripe test keys, sandbox API keys, and mock credentials. How to manage API keys

HTTPS & Transport 3

HTTPS enabledSSL/TLS certificate installed and working. How to set up HTTPS

HTTP redirects to HTTPSAll HTTP requests should 301 redirect to HTTPS. How to configure HTTPS redirect

HSTS header configuredStrict-Transport-Security header with appropriate max-age. How to configure HSTS

Authentication & Authorization 5

All protected routes require authenticationTest each route with no session - should redirect to login. How to test protected routes

API routes verify authenticationEvery API endpoint that needs auth should check session/token. How to implement auth checks

Authorization checks in placeUsers can only access their own data, not other users' data. How to test data isolation

Session cookies are secureHttpOnly, Secure, SameSite flags set appropriately. How to secure session cookies

Password reset flow secureTokens are single-use, time-limited, and cryptographically random. How to secure password reset

Database Security 4

Row Level Security enabled (if using Supabase)RLS policies on all tables that need access control. How to set up Supabase RLS

Parameterized queries onlyNo string concatenation in SQL queries. How to prevent SQL injection

Database user has minimal permissionsApp database user should not have admin/superuser privileges. How to set database permissions

Backups configuredAutomated database backups with tested restore process. How to set up database backups

Input Validation 3

All user input validated server-sideNever trust client-side validation alone. How to validate on server

File uploads restrictedCheck file types, sizes, and scan for malicious content. How to secure file uploads

Rate limiting on sensitive endpointsLogin, signup, password reset, and API endpoints rate limited. How to implement rate limiting

Security Headers 3

Content-Security-Policy configuredRestrict script sources and prevent XSS. How to configure CSP

X-Frame-Options setPrevent clickjacking with DENY or SAMEORIGIN. How to prevent clickjacking

X-Content-Type-Options setSet to nosniff to prevent MIME type sniffing. How to set security headers

Error Handling & Logging 3

Production errors don't leak stack tracesUsers see friendly errors, not technical details. How to handle errors securely

Security events loggedFailed logins, permission denials, and suspicious activity. How to log security events

No sensitive data in logsPasswords, tokens, and PII should not appear in logs. How to secure logging

How to Use This Checklist

Go through each item before deploying your application to production. If you find an issue, fix it before moving on. This checklist covers the most common security issues found in vibe-coded applications.

How long should this checklist take?

For a simple application, expect 30-60 minutes. For larger applications with more features, plan for 2-3 hours. The first time takes longest as you may need to fix issues. Subsequent deployments are faster.

What if I can't complete all items?

The items in the first two sections (Secrets & Configuration, HTTPS & Transport) are non-negotiable. Other items depend on your application. If you don't have user authentication, skip auth items. But if you handle any user data, all items apply.

Should I automate these checks?

Yes! Many of these checks can be automated with CI/CD pipelines, security scanning tools, and monitoring. Use automated tools to catch issues early and this checklist for final verification before deployment.