Skip to main content

Production Readiness

Getting code to run on your machine is one thing. Deploying it to production safely is another. This section covers what you need to know before shipping AI-assisted code to real users.

The Production Readiness Checklist

Backups

  • Database backups are configured and tested
  • Backup frequency matches your recovery point objective (RPO)
  • Backups are stored in a separate location from production data
  • Backup restoration has been tested recently
  • File storage (S3, etc.) has versioning enabled

Monitoring

  • Application performance monitoring (APM) is configured
  • Error tracking is set up (Sentry, etc.)
  • Server metrics are collected (CPU, memory, disk, network)
  • Database query performance is monitored
  • Custom business metrics are tracked
  • Uptime monitoring is configured
  • Alert thresholds are defined and tested

Logging

  • Structured logging is implemented (JSON format)
  • Log levels are appropriate (info, warn, error)
  • Sensitive data is never logged (passwords, tokens, PII)
  • Logs are centralized and searchable
  • Log retention policy is defined
  • Logs are accessible for debugging but secured from unauthorized access

HTTPS and SSL/TLS

  • HTTPS is enforced for all traffic
  • SSL/TLS certificates are auto-renewing (Let's Encrypt)
  • HTTP requests redirect to HTTPS
  • HSTS headers are configured
  • TLS version 1.2 or higher is enforced

Error Handling

  • Custom error pages are configured (404, 500, etc.)
  • Errors are logged with sufficient context
  • Stack traces are never exposed to users
  • API errors return consistent, structured responses
  • Graceful degradation is implemented for external service failures
  • Retry logic with exponential backoff is implemented where appropriate
// GOOD: Structured error response
app.use((err, req, res, next) => {
  console.error({
    message: err.message,
    stack: err.stack,
    path: req.path,
    method: req.method,
    timestamp: new Date().toISOString()
  });
  
  res.status(err.status || 500).json({
    error: {
      code: err.code || 'INTERNAL_ERROR',
      message: err.status === 500 ? 'An unexpected error occurred' : err.message
    }
  });
});

Database Migrations

  • Migrations are version-controlled
  • Migrations are tested in staging before production
  • Rollback scripts are available for each migration
  • Migrations are run as part of the deployment process
  • Zero-downtime migration strategies are used for large tables
  • Database schema changes are reviewed for performance impact

Rollback Plans

  • Deployment process includes a rollback strategy
  • Previous working version can be redeployed quickly
  • Database migrations have rollback scripts
  • Rollback procedure is documented and tested
  • Feature flags are available to disable problematic features
  • Privacy policy is published and accessible
  • Terms of service are in place
  • Cookie consent is implemented (if applicable)
  • Data retention policies are defined
  • GDPR/CCPA compliance requirements are addressed
  • User data export and deletion capabilities exist
  • Third-party data processing agreements are in place

Dependency Management

  • Dependencies are pinned to specific versions
  • Lock files are committed to version control
  • Regular dependency audits are performed
  • Automated vulnerability scanning is configured (Dependabot, Snyk)
  • Outdated dependencies are updated promptly
  • Unused dependencies are removed
# Check for vulnerable dependencies
npm audit
# or
composer audit
# or
pip-audit

Performance

  • Database queries are optimized (indexes, N+1 queries)
  • Caching is implemented where appropriate (Redis, CDN)
  • Asset bundling and minification is configured
  • Image optimization is in place
  • API response times are within acceptable ranges
  • Load testing has been performed
  • Database connection pooling is configured

Security Headers

# Security headers to configure
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

CI/CD Pipeline

  • Automated tests run on every pull request
  • Code quality checks are automated (linting, formatting)
  • Security scanning is part of the pipeline
  • Build artifacts are versioned
  • Deployment is automated (no manual steps)
  • Staging environment mirrors production
  • Smoke tests run after deployment

Pre-Deployment Review

Before deploying AI-generated code to production, ask yourself:

  1. Do I understand what every line of this code does?
  2. Have I tested the edge cases?
  3. Is error handling comprehensive?
  4. Are there any security vulnerabilities?
  5. Will this scale under load?
  6. Can I roll back if something goes wrong?
  7. Is this code maintainable by someone else?

Post-Deployment Monitoring

After deploying, watch for:

  • Error rates — Are errors increasing?
  • Response times — Is performance degraded?
  • Resource usage — Are CPU/memory/disk usage normal?
  • User reports — Are users experiencing issues?
  • Security alerts — Any suspicious activity?

Production readiness isn't a checkbox — it's a mindset. Every deployment should be approached with the same care, whether the code was written by a human or generated by AI.

Last updated on