
Ship It! Pre-Launch Checklist

Ready to launch? This checklist ensures you've covered the essentials before going live. Every item matters - but don't let perfect be the enemy of shipped.

1. Environment & Configuration

Audit Environment Variables

Check all env vars are set correctly in production.

  • DATABASE_URL points to production database
  • API keys are production values (not test mode)
  • NODE_ENV=production (or equivalent)
  • Secret keys are actually secret (not in git)
  • Frontend API URLs point to production backend
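
One way to automate the audit above, as an added example that is not part of the original checklist. The variable names API_URL and PAYMENT_SECRET_KEY are assumptions, the test-key check assumes Stripe-style `sk_test_`/`pk_test_` prefixes, and the sample values are constructed.

```javascript
// Added example: pre-launch audit of an environment-variable map.
// API_URL and PAYMENT_SECRET_KEY are assumed names; sample values are constructed.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "0.0.0.0"]);

function hostOf(value) {
  try {
    // URL.hostname keeps the brackets of IPv6 literals; strip them.
    return new URL(value).hostname.replace(/^\[|\]$/g, "");
  } catch {
    return null; // not a parseable URL
  }
}

function auditEnv(env) {
  const findings = [];
  if (env.NODE_ENV !== "production") {
    findings.push(`NODE_ENV is "${env.NODE_ENV ?? ""}", expected "production"`);
  }
  for (const name of ["DATABASE_URL", "API_URL"]) {
    const host = env[name] ? hostOf(env[name]) : null;
    if (!host) findings.push(`${name} is missing or not a URL`);
    else if (LOCAL_HOSTS.has(host)) findings.push(`${name} points to ${host}`);
  }
  if (env.API_URL && !env.API_URL.startsWith("https://")) {
    findings.push("API_URL is not HTTPS");
  }
  // Test-mode keys: Stripe-style "sk_test_" / "pk_test_" prefixes.
  // Only the variable name is reported, never the value.
  for (const [name, value] of Object.entries(env)) {
    if (/_KEY$/.test(name) && /^(sk|pk)_test_/.test(String(value))) {
      findings.push(`${name} is a test-mode key`);
    }
  }
  return findings;
}

// Constructed sample: a staging-like environment that should not ship.
const sampleEnv = {
  NODE_ENV: "development",
  DATABASE_URL: "postgres://app:pw@localhost:5432/app",
  API_URL: "https://api.example.com",
  PAYMENT_SECRET_KEY: "sk_test_CONSTRUCTED",
};
for (const finding of auditEnv(sampleEnv)) console.log("FAIL:", finding);
```

Run it against `process.env` in a deploy step and fail the deploy when the returned list is non-empty.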

Remove Debug/Dev Features

Disable development-only features that expose internals.

  • Debug mode OFF
  • Console.logs removed (or conditional)
  • API debug endpoints disabled
  • Test data seeding scripts won't run

CORS Configuration

Ensure CORS allows your frontend domain (and only your frontend).

Rate Limiting

Protect your API from abuse with rate limits on critical endpoints.

2. Database & Data

Backup Strategy Confirmed

Verify automated backups are running.

  • Daily automated backups enabled
  • Know how to restore from backup
  • Test restore process (seriously, test it)
  • Backup retention policy set (7-30 days minimum)

Migrations Applied

All database migrations successfully run in production.

Connection Pooling

Database connections properly pooled to handle traffic spikes.

Seed Data / Initial Content

Production has necessary seed data (categories, settings, etc.).

Pro tip: Create a database snapshot right before launch. If something goes wrong, you can restore to this known-good state.

3. Domain & SSL

Custom Domain Configured

Your domain points to production, not a .vercel.app or .railway.app URL.

  • DNS records (A/CNAME) point to hosting platform
  • www redirects to apex (or vice versa)
  • DNS propagation complete (~24hrs max)

SSL Certificate Active

HTTPS enabled with valid SSL certificate (usually automatic).

HTTP → HTTPS Redirect

All HTTP traffic redirects to HTTPS automatically.

Email DNS Records (if applicable)

SPF, DKIM, DMARC set up if you're sending transactional emails.

4. Monitoring & Error Tracking

Error Monitoring Setup

Know when things break before users tell you.

Recommended:

  • Sentry - Best for frontend + backend errors
  • LogRocket - Session replay + errors
  • BugSnag - Simpler alternative to Sentry

Uptime Monitoring

Get alerted if your site goes down.

Free options: UptimeRobot, Pingdom free tier, Better Stack (free tier)

Logging Strategy

Server logs accessible and searchable (Vercel logs, Railway logs, etc.).

Alert Notifications

Error alerts go to Slack, Discord, or email - somewhere you'll actually see them.

5. Analytics & Tracking

Web Analytics Installed

Track visitors, pageviews, and user behavior.

Pick one:

  • Plausible - Privacy-friendly, simple ($9/mo)
  • Google Analytics 4 - Free, powerful, complex
  • Fathom - Like Plausible but different UI
  • Umami - Self-hosted, open source, free

Goal/Event Tracking

Track key actions: sign-ups, purchases, button clicks, form submissions.

Cookie Consent (if in EU)

GDPR requires cookie consent banners if you have EU users and use tracking cookies.

Hot take: Start with simple analytics (Plausible or Umami). You don't need Google Analytics' complexity on day 1.

6. Performance Check

Run Lighthouse Audit

Chrome DevTools → Lighthouse. Aim for 90+ on Performance.

Image Optimization

Images are major performance killers. Check these:

  • Using WebP or AVIF format where possible
  • Images lazy-loaded below the fold
  • Reasonable file sizes (<500KB each)
  • Proper width/height attributes (prevents layout shift)

Critical Assets Cached

Static assets (CSS, JS, images) have cache headers set.

Database Query Performance

Slow queries identified and optimized (indexes added where needed).

7. Security Essentials

Authentication Security

User auth properly secured.

  • Passwords hashed (bcrypt, argon2, never plain text)
  • Session tokens stored in cookies marked Secure and HttpOnly
  • Password reset tokens expire
  • Rate limiting on login attempts

SQL Injection Protected

Use parameterized queries or ORMs. Never concatenate user input into SQL.

XSS Protection

User input sanitized. React/Vue escape by default, but check raw HTML rendering.

Security Headers Set

Basic security headers configured:

  • Content-Security-Policy
  • X-Frame-Options (clickjacking protection)
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)

Dependency Vulnerabilities

Run npm audit or equivalent. Fix high/critical issues.

Reality check: Perfect security doesn't exist. Focus on the basics above. You can always harden more later.

8. Legal & Compliance

Privacy Policy

Required if you collect any user data. Use a generator (Termly, iubenda) if unsure.

Terms of Service

Covers your liability, user conduct, etc. Also generator-friendly.

Cookie Consent (GDPR/CCPA)

If EU users + cookies/tracking: you need a consent banner. Tools: Cookiebot, Termly, OneTrust.

Contact/Support Info

Users need a way to reach you. Email at minimum, support page better.

Not a lawyer: This is a checklist, not legal advice. If you're handling sensitive data or operating in regulated industries, consult an actual lawyer.

9. Launch Day Timeline

You've done the work. Now ship it and celebrate!

T-1 Hour: Final Smoke Test

Click through critical flows one last time. Sign up, log in, main features.

T-30 Min: Check Monitoring

Error tracking receiving events? Uptime monitor active? Analytics working?

T-0: Launch

Share the link. Tweet it. Post it. Tell your friends. You built something - be proud!

Remember: Launching isn't the end, it's the beginning. You'll fix bugs, add features, and improve based on real user feedback. That's the fun part.

T+1 Hour: Monitor

Watch error logs, check analytics, make sure nothing's on fire.

T+24 Hours: Breathe

If you made it 24 hours without major issues, you did great. Take a break. You earned it.

Ready to ship?

You've got this. The world needs what you're building.