Safe Deployment Checklist
Before you deploy your app — or any new feature — go through this checklist.
Each item is something that AI-generated code commonly gets wrong. Checking these before deployment will catch the majority of problems that cause production incidents.
Security Checks
- Authentication required — Are all pages/endpoints that should be protected actually protected?
- Data isolation — Can users only see their own data? Test by creating two accounts and trying to access each other's data.
- SQL injection — Are all database queries using parameterized statements or an ORM? Test by typing
' OR '1'='1into form fields. - Hardcoded secrets — Are there any API keys, database passwords, or tokens in the code? Search for
sk_live_,password=,secret,api_key. - Environment variables — Are all secrets loaded from environment variables, not hardcoded?
- HTTPS — Is HTTPS enforced? Does HTTP redirect to HTTPS?
- Rate limiting — Is there rate limiting on login, registration, forms, and API endpoints?
- Input validation — Are all user inputs validated on the server side (not just client side)?
- File upload safety — If your app accepts file uploads, are they validated for type, size, and stored securely?
- Error messages — Do error messages avoid revealing technical details (stack traces, database info, file paths)?
- Session security — Do sessions expire after inactivity? Are session tokens secure?
- CORS configuration — Is CORS configured to only allow your domain?
Data Protection Checks
- Privacy policy — Is a privacy policy published and accessible?
- Terms of service — Are terms of service published and accessible?
- Cookie consent — If you use cookies, is there a consent banner?
- Data encryption — Is sensitive data encrypted in the database?
- Data retention — Do you have a policy for how long data is kept?
- Data deletion — Can users request deletion of their data?
- Data export — Can users export their data?
- Backups — Are automated backups configured and tested?
- Backup storage — Are backups stored separately from the production server?
Infrastructure Checks
- Environment variables — Are all required environment variables set in the production environment?
- Database migration — Is the database schema up to date? Have migrations been tested?
- SSL certificate — Is the SSL certificate valid and set to auto-renew?
- Domain configuration — Is the domain pointed to the correct server?
- DNS records — Are DNS records configured correctly (A records, CNAME, MX if needed)?
- CDN configuration — If using a CDN, is it configured correctly?
- Caching — Is caching configured appropriately? (Don't cache sensitive data.)
- File permissions — Are file permissions set correctly on the server?
- Upload directories — Do upload directories exist and have correct permissions?
Monitoring Checks
- Error tracking — Is error tracking (Sentry or similar) installed and working?
- Uptime monitoring — Is uptime monitoring configured?
- Alerts — Are alerts configured to notify you of errors and downtime?
- Logging — Is application logging configured? Are logs accessible?
- Performance monitoring — Is basic performance monitoring in place?
Testing Checks
- Happy path — Does the main flow work? (Sign up → use feature → log out → log in again)
- Error path — What happens when things go wrong? (Database down, invalid input, network error)
- Edge cases — Have you tested with empty data, very large data, special characters?
- Mobile — Does the app work on mobile devices?
- Different browsers — Does the app work on Chrome, Firefox, Safari?
- Load testing — Have you tested with multiple concurrent users? (Even 2-3 can reveal issues.)
- Rollback test — Have you tested the rollback process?
Deployment Process Checks
- Deployment script — Is the deployment process automated or documented?
- Rollback plan — Is there a documented rollback plan? Has it been tested?
- Staging environment — Have you deployed to a staging environment first?
- Database migrations — Are migrations run as part of the deployment? Can they be rolled back?
- Environment parity — Is the production environment as similar as possible to staging/development?
- Maintenance mode — Do you have a way to show a maintenance page during deployment?
- Notification — Have you told any stakeholders about the deployment?
Post-Deployment Checks
- Smoke test — After deployment, manually test the critical paths.
- Monitor errors — Watch error tracking for the first hour after deployment.
- Monitor performance — Check that response times haven't increased.
- Check backups — Verify that backups are still running after the deployment.
- User feedback — Ask early users if they notice any issues.
- Documentation — Update any documentation that changed with this deployment.
Quick Pre-Deployment Checklist (Printable)
Print this and go through it before every deployment:
□ Authentication required on protected pages
□ Users can only see their own data
□ No SQL injection vulnerabilities
□ No hardcoded secrets
□ HTTPS is enforced
□ Rate limiting is in place
□ Input validation on server side
□ Error messages are user-friendly
□ Privacy policy is published
□ Backups are configured and tested
□ Error tracking is working
□ Uptime monitoring is configured
□ Rollback plan is documented
□ Staging deployment was successful
□ Critical paths have been tested
The Bottom Line
A deployment without a checklist is a gamble.
This checklist might look long, but most items take seconds to verify once you know what to look for. The time you spend checking this list before deployment is nothing compared to the time you'll spend fixing a production incident that could have been prevented.
Print it out. Keep it by your desk. Use it every time.