[{"data":1,"prerenderedAt":257},["ShallowReactive",2],{"blog-checklists/pre-deployment-security-checklist":3},{"id":4,"title":5,"body":6,"category":237,"date":238,"dateModified":238,"description":239,"draft":240,"extension":241,"faq":242,"featured":240,"headerVariant":243,"image":242,"keywords":242,"meta":244,"navigation":245,"ogDescription":246,"ogTitle":242,"path":247,"readTime":242,"schemaOrg":248,"schemaType":249,"seo":250,"sitemap":251,"stem":252,"tags":253,"twitterCard":255,"__hash__":256},"blog/blog/checklists/pre-deployment-security-checklist.md","Pre-Deployment Security Checklist: 26-Item Guide Before Going Live",{"type":7,"value":8,"toc":231},"minimark",[9,16,19,22,47,69,84,106,125,140,155,170,175,178,200,219],[10,11,12],"tldr",{},[13,14,15],"p",{},"Before deploying, verify: no hardcoded secrets, environment variables configured, HTTPS enabled, authentication on all protected routes, database access controls, input validation, security headers, and error handling that doesn't leak information. 8 critical items must be fixed before launch, 12 important items within the first week, and 6 recommended items when you can.",[13,17,18],{},"Think of this as your preflight checklist. Pilots do not skip it because they have flown a hundred times before, and you should not skip it just because you have deployed before either. Twenty-six items sounds like a lot, but most of them take under a minute to verify and the ones you catch here are infinitely cheaper to fix than the ones your users find in production.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Search for sk_, pk_, api_key, secret, password in your code","No hardcoded API keys or secrets",[27,32],{"description":33,"label":34},"Verify .env, .env.local, .env.production are not committed",".env files in .gitignore",[27,36],{"description":37,"label":38},"SSL/TLS certificate installed and HTTP redirects to HTTPS","HTTPS enabled",[27,40],{"description":41,"label":42},"Test each route without a session - should redirect to login","All protected routes require authentication",[27,44],{"description":45,"label":46},"RLS policies on all tables that need access control","Row Level Security enabled (if using Supabase)",[23,48,51,54,58,61,65],{"title":49,"count":50},"Secrets & Configuration","5",[27,52],{"description":53,"label":30},"Search for sk_, pk_, api_key, apiKey, secret, password, token in your codebase. How to secure API keys",[27,55],{"description":56,"label":57},"Database URLs, API keys, and tokens should come from process.env. How to configure env variables","All secrets in environment variables",[27,59],{"description":60,"label":34},"Verify .env, .env.local, .env.production are not committed. How to secure .env files",[27,62],{"description":63,"label":64},"Set all required variables in your hosting platform (Vercel, Railway, etc.). How to deploy env variables","Production environment variables configured",[27,66],{"description":67,"label":68},"Remove Stripe test keys, sandbox API keys, and mock credentials. How to manage API keys","No development/test credentials in production",[23,70,73,76,80],{"title":71,"count":72},"HTTPS & Transport","3",[27,74],{"description":75,"label":38},"SSL/TLS certificate installed and working. How to set up HTTPS",[27,77],{"description":78,"label":79},"All HTTP requests should 301 redirect to HTTPS. How to configure HTTPS redirect","HTTP redirects to HTTPS",[27,81],{"description":82,"label":83},"Strict-Transport-Security header with appropriate max-age. How to configure HSTS","HSTS header configured",[23,85,87,90,94,98,102],{"title":86,"count":50},"Authentication & Authorization",[27,88],{"description":89,"label":42},"Test each route with no session - should redirect to login. How to test protected routes",[27,91],{"description":92,"label":93},"Every API endpoint that needs auth should check session/token. How to implement auth checks","API routes verify authentication",[27,95],{"description":96,"label":97},"Users can only access their own data, not other users' data. How to test data isolation","Authorization checks in place",[27,99],{"description":100,"label":101},"HttpOnly, Secure, SameSite flags set appropriately. How to secure session cookies","Session cookies are secure",[27,103],{"description":104,"label":105},"Tokens are single-use, time-limited, and cryptographically random. How to secure password reset","Password reset flow secure",[23,107,110,113,117,121],{"title":108,"count":109},"Database Security","4",[27,111],{"description":112,"label":46},"RLS policies on all tables that need access control. How to set up Supabase RLS",[27,114],{"description":115,"label":116},"No string concatenation in SQL queries. How to prevent SQL injection","Parameterized queries only",[27,118],{"description":119,"label":120},"App database user should not have admin/superuser privileges. How to set database permissions","Database user has minimal permissions",[27,122],{"description":123,"label":124},"Automated database backups with tested restore process. How to set up database backups","Backups configured",[23,126,128,132,136],{"title":127,"count":72},"Input Validation",[27,129],{"description":130,"label":131},"Never trust client-side validation alone. How to validate on server","All user input validated server-side",[27,133],{"description":134,"label":135},"Check file types, sizes, and scan for malicious content. How to secure file uploads","File uploads restricted",[27,137],{"description":138,"label":139},"Login, signup, password reset, and API endpoints rate limited. How to implement rate limiting","Rate limiting on sensitive endpoints",[23,141,143,147,151],{"title":142,"count":72},"Security Headers",[27,144],{"description":145,"label":146},"Restrict script sources and prevent XSS. How to configure CSP","Content-Security-Policy configured",[27,148],{"description":149,"label":150},"Prevent clickjacking with DENY or SAMEORIGIN. How to prevent clickjacking","X-Frame-Options set",[27,152],{"description":153,"label":154},"Set to nosniff to prevent MIME type sniffing. How to set security headers","X-Content-Type-Options set",[23,156,158,162,166],{"title":157,"count":72},"Error Handling & Logging",[27,159],{"description":160,"label":161},"Users see friendly errors, not technical details. How to handle errors securely","Production errors don't leak stack traces",[27,163],{"description":164,"label":165},"Failed logins, permission denials, and suspicious activity. How to log security events","Security events logged",[27,167],{"description":168,"label":169},"Passwords, tokens, and PII should not appear in logs. How to secure logging","No sensitive data in logs",[171,172,174],"h2",{"id":173},"how-to-use-this-checklist","How to Use This Checklist",[13,176,177],{},"Go through each item before deploying your application to production. If you find an issue, fix it before moving on. This checklist covers the most common security issues found in vibe-coded applications.",[179,180,181,188,194],"faq-section",{},[182,183,185],"faq-item",{"question":184},"How long should this checklist take?",[13,186,187],{},"For a simple application, expect 30-60 minutes. For larger applications with more features, plan for 2-3 hours. The first time takes longest as you may need to fix issues. Subsequent deployments are faster.",[182,189,191],{"question":190},"What if I can't complete all items?",[13,192,193],{},"The items in the first two sections (Secrets & Configuration, HTTPS & Transport) are non-negotiable. Other items depend on your application. If you don't have user authentication, skip auth items. But if you handle any user data, all items apply.",[182,195,197],{"question":196},"Should I automate these checks?",[13,198,199],{},"Yes! Many of these checks can be automated with CI/CD pipelines, security scanning tools, and monitoring. Use automated tools to catch issues early and this checklist for final verification before deployment.",[201,202,203,209,214],"related-articles",{},[204,205],"related-card",{"description":206,"href":207,"title":208},"Secure your secrets and configuration","/blog/checklists/environment-variables-checklist","Environment Variables Checklist",[204,210],{"description":211,"href":212,"title":213},"Security for Cursor-generated projects","/blog/checklists/cursor-security-checklist","Cursor Security Checklist",[204,215],{"description":216,"href":217,"title":218},"Step-by-step guide to hiding your keys","/blog/how-to/secure-api-keys","How to Secure API Keys",[220,221,224,228],"cta-box",{"href":222,"label":223},"/","Start Free Scan",[171,225,227],{"id":226},"automate-this-checklist","Automate This Checklist",[13,229,230],{},"Run npx checkyourvibe scan to automatically check many of these items in your codebase.",{"title":232,"searchDepth":233,"depth":233,"links":234},"",2,[235,236],{"id":173,"depth":233,"text":174},{"id":226,"depth":233,"text":227},"checklists","2026-02-03","Complete pre-deployment security checklist for web applications. 26 essential items to check before deploying your vibe-coded app to production.",false,"md",null,"green",{},true,"Complete pre-deployment security checklist. 26 essential items before going live.","/blog/checklists/pre-deployment-security-checklist","[object Object]","HowTo",{"title":5,"description":239},{"loc":247},"blog/checklists/pre-deployment-security-checklist",[254],"Security Checklist","summary_large_image","Vbbx4YaZwor_KyclxUdP1gplkJXO7PCKelfiGARGHQA",1775843918547]