Skip to content

gorrion-io/production-readiness-checklist

Repository files navigation

Gorrion Production Readiness Checklist

Name Level Scope Comment
The website is available via the client’s domain address with TLS and redirected to HTTPS from HTTP Critical 🔴 Frontend 🖥, Security 🔒
The domain is redirected to the www subdomain Critical 🔴 Frontend 🖥
The check on https://securityheaders.com/ gives at least a “B” grade Critical 🔴 Frontend 🖥, Security 🔒
The backend is accessible via the client’s domain with TLS Critical 🔴 Backend ⚙️, Security 🔒
The backend is accessible only from the client’s domains using CORS Critical 🔴 Backend ⚙️, Security 🔒 Not possible with mobile apps
The JWT secret is safe and configured only on the server side Critical 🔴 Backend ⚙️, Security 🔒
The app has an error-monitoring system configured Critical 🔴 Backend ⚙️, Frontend 🖥, Monitoring 👀 Recommended: https://sentry.io
The app is deployed via the CI solution Critical 🔴 Deployment 🚀, CI/CD 🤖
The app is hosted on a production-grade cloud solution Critical 🔴 Deployment 🚀, Security 🔒 Recommended: AWS, Digital Ocean, Fly.io
The database is hosted on a production-grade solution Critical 🔴 Deployment 🚀, Security 🔒 Recommended: AWS RDS, Digital Ocean Databases, Supabase, PlanetScale or similar
The system has backups enabled Critical 🔴 Deployment 🚀, Security 🔒
CRON jobs should only be handled via one source of truth Critical 🔴 Backend ⚙️, Deployment 🚀
All password related to the project should be shared via password manager only with corresponding group Critical 🔴 Security 🔒, Deployment 🚀 Do not share password, secrets etc. in messages nor host them on git
The app should have a risk management and disaster recovery plan written down and available at any point Critical 🔴 Monitoring 👀, Security 🔒, Deployment 🚀
The app has an uptime-monitoring system configured Should have 🟡 Monitoring 👀, Backend ⚙️, Frontend 🖥 Leverage health checks. Recommended: https://instatus.com/ or https://betteruptime.com/
The app has a logging solution configured Should have 🟡 Monitoring 👀, Backend ⚙️, Frontend 🖥 Recommended: AWS Cloudwatch or https://betterstack.com/logtail
The auto-scaling solution is enabled Should have 🟡 Deployment 🚀, Backend ⚙️
The frontend should be checked periodically in terms of performance Should have 🟡 Frontend 🖥 At least test Core Web Vitals via Chrome Lighthouse
Tests and audits should run in CI/CD pipelines Should have 🟡 CI/CD 🤖, Security 🔒 Audit packages to limit CVEs, use SNYK CLI to check production docker images
There is a way to quickly check and deploy hot fixes to production Should have 🟡 Deployment 🚀, CI/CD 🤖
The error messages on client don’t include stack traces Nice to have 🟢 Deployment 🚀, Security 🔒, Frontend 🖥 Remove everything that can give attackers an attack surface
The app has versioning system enabled and has a change log Nice to have 🟢 Deployment 🚀