[{"data":1,"prerenderedAt":225},["ShallowReactive",2],{"blog-checklists/production-checklist":3},{"id":4,"title":5,"body":6,"category":201,"date":202,"dateModified":203,"description":204,"draft":205,"extension":206,"faq":207,"featured":205,"headerVariant":210,"image":211,"keywords":211,"meta":212,"navigation":213,"ogDescription":214,"ogTitle":211,"path":215,"readTime":211,"schemaOrg":216,"schemaType":217,"seo":218,"sitemap":219,"stem":220,"tags":221,"twitterCard":223,"__hash__":224},"blog/blog/checklists/production-checklist.md","Production Launch Security Checklist: 18-Item Guide Before Going Live",{"type":7,"value":8,"toc":195},"minimark",[9,16,19,22,47,66,85,102,117,131,136,139,142,164,183],[10,11,12],"tldr",{},[13,14,15],"p",{},"Before going live: HTTPS everywhere, no exposed secrets, database security rules locked down, authentication tested, error handling that hides internals, and monitoring in place. 4 critical items must be fixed before launch, 8 important items within the first week, and 6 recommended items when you can. A breach on day one can kill your product before it starts.",[13,17,18],{},"You have been heads-down building for weeks, and now launch day is approaching. This is the checklist I wish someone had handed me before my first production deploy. Work through it top to bottom, fix the critical stuff before you flip the switch, and come back for the rest within your first week live.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Valid SSL certificate installed, all HTTP redirects to HTTPS","Enable HTTPS everywhere",[27,32],{"description":33,"label":34},"RLS enabled for Supabase, Security Rules for Firebase","Configure database security rules",[27,36],{"description":37,"label":38},"Scan codebase and repo history for API keys","Verify no exposed secrets",[27,40],{"description":41,"label":42},"Login, logout, password reset all working correctly","Test authentication flows",[27,44],{"description":45,"label":46},"No stack traces or database details exposed to users","Verify error pages hide internals",[23,48,51,54,58,62],{"title":49,"count":50},"Transport Security","4",[27,52],{"description":53,"label":30},"Valid SSL certificate installed. All HTTP redirects to HTTPS. No mixed content warnings. How to set up HTTPS",[27,55],{"description":56,"label":57},"Force browsers to always use HTTPS. Prevents SSL stripping attacks. How to configure HSTS","Configure HSTS header",[27,59],{"description":60,"label":61},"Cookies should have Secure, HttpOnly, and appropriate SameSite attributes. How to secure cookies","Set secure cookie flags",[27,63],{"description":64,"label":65},"Set calendar reminder for certificate renewal. Auto-renewal with Let's Encrypt is preferred. How to monitor SSL certificates","Verify certificate expiration",[23,67,69,73,77,81],{"title":68,"count":50},"Security Headers",[27,70],{"description":71,"label":72},"Prevent XSS by specifying allowed content sources. Start restrictive and loosen as needed. How to configure CSP","Set Content Security Policy",[27,74],{"description":75,"label":76},"Prevent clickjacking by controlling whether your site can be embedded in iframes. How to prevent clickjacking","Enable X-Frame-Options",[27,78],{"description":79,"label":80},"Prevent MIME type sniffing with nosniff directive. How to configure security headers","Set X-Content-Type-Options",[27,82],{"description":83,"label":84},"Control what referrer information is sent with requests. Protect user privacy. How to configure Referrer-Policy","Configure Referrer-Policy",[23,86,88,91,94,98],{"title":87,"count":50},"Data Security",[27,89],{"description":90,"label":34},"Firebase or Supabase rules locked down. Row-level security enabled. No open access. How to set up database security",[27,92],{"description":93,"label":38},"Scan codebase and repo history. Check environment variables are properly configured. How to secure API keys",[27,95],{"description":96,"label":97},"Encryption at rest should be enabled. Verify with your database provider. How to enable database encryption","Enable database encryption",[27,99],{"description":100,"label":101},"Daily backups configured. Test restoration process at least once before launch. How to set up backups","Set up automated backups",[23,103,106,109,113],{"title":104,"count":105},"Authentication and Input","3",[27,107],{"description":108,"label":42},"Login, logout, password reset, and session management all working correctly. How to test authentication",[27,110],{"description":111,"label":112},"Server-side validation on all forms. Never trust client-side validation alone. How to validate input","Validate all user input",[27,114],{"description":115,"label":116},"Protect authentication endpoints and APIs from brute force and abuse. How to implement rate limiting","Implement rate limiting",[23,118,120,124,128],{"title":119,"count":105},"Monitoring and Response",[27,121],{"description":122,"label":123},"Sentry, LogRocket, or similar. Know when errors happen before users report them. How to set up error monitoring","Set up error monitoring",[27,125],{"description":126,"label":127},"Get alerts when your site goes down. Free tools like UptimeRobot work for basics. How to set up uptime monitoring","Configure uptime monitoring",[27,129],{"description":130,"label":46},"Production errors should show friendly messages, not stack traces or database details. How to secure error pages",[132,133,135],"h2",{"id":134},"launch-day-is-not-the-time-to-discover-problems","Launch Day Is Not the Time to Discover Problems",[13,137,138],{},"A security incident during your launch can kill momentum and destroy user trust before you even get started. Every item on this list is something that has caused real problems for real startups. The hour spent checking them is worth far more than the days spent recovering from a breach.",[13,140,141],{},"Run through this checklist thoroughly. Have someone else verify critical items. Launch with confidence that you have covered the basics.",[143,144,145,152,158],"faq-section",{},[146,147,149],"faq-item",{"question":148},"What security checks are essential before going live?",[13,150,151],{},"At minimum: HTTPS with valid certificate, no exposed secrets, database security rules configured, authentication working correctly, input validation on all forms, and error handling that does not expose stack traces to users.",[146,153,155],{"question":154},"Should I get a security audit before launching?",[13,156,157],{},"A professional audit is ideal but expensive. For MVPs, use automated scanners, follow this checklist, and have a developer experienced in security review the code. Plan for a professional audit before scaling or raising funding.",[146,159,161],{"question":160},"What monitoring do I need for launch?",[13,162,163],{},"At minimum: error tracking (Sentry), uptime monitoring (UptimeRobot), and basic logging. Add application performance monitoring and security monitoring as you scale.",[165,166,167,173,178],"related-articles",{},[168,169],"related-card",{"description":170,"href":171,"title":172},"Before every deployment","/blog/checklists/pre-deployment-security-checklist","Pre-Deployment Checklist",[168,174],{"description":175,"href":176,"title":177},"Minimum viable security","/blog/checklists/mvp-security-checklist","MVP Security Checklist",[168,179],{"description":180,"href":181,"title":182},"Before accepting signups","/blog/checklists/first-users-checklist","First Users Checklist",[184,185,188,192],"cta-box",{"href":186,"label":187},"/","Start Free Scan",[132,189,191],{"id":190},"pre-launch-security-scan","Pre-Launch Security Scan",[13,193,194],{},"Catch security issues before your users do.",{"title":196,"searchDepth":197,"depth":197,"links":198},"",2,[199,200],{"id":134,"depth":197,"text":135},{"id":190,"depth":197,"text":191},"checklists","2026-02-04","2026-03-06","Security checklist for production launches. Complete these essential security checks before deploying your application to production and accepting real users.",false,"md",[208,209],{"question":148,"answer":151},{"question":154,"answer":157},"green",null,{},true,"Security checklist for production launches. Essential checks before going live.","/blog/checklists/production-checklist","[object Object]","HowTo",{"title":5,"description":204},{"loc":215},"blog/checklists/production-checklist",[222],"Security Checklist","summary_large_image","fJVN22BXFSj9zx4VPystEFq6JPixft8Ph26RguDvh_k",1775843930693]