Use this checklist before deploying to production.
- Server provisioned (minimum 2GB RAM, 2 CPU cores, 20GB storage)
- Operating system updated (
sudo apt update && sudo apt upgrade) - Firewall configured (UFW or iptables)
- SSH key-based authentication enabled
- Root login disabled
- Fail2ban installed and configured
- Time zone configured correctly
- NTP service running
- PostgreSQL 14+ installed
- Redis 6+ installed
- Rust toolchain installed
- Required system libraries installed
- SSL certificates obtained (Let's Encrypt)
- Reverse proxy configured (Nginx/Apache)
- Production database created
- Dedicated database user created with strong password
- Database privileges properly configured
- Migrations applied successfully
- Database extensions enabled (pgcrypto, pg_stat_statements)
- Connection pooling configured
- PostgreSQL optimized for production workload
- Database password is strong (32+ characters)
- Database accessible only from localhost
- pg_hba.conf configured for md5 authentication
- Database user has minimal required privileges
- Superuser access restricted
- Backup directory created with proper permissions
- Backup script tested and working
- Automated daily backups configured (cron)
- Backup retention policy defined (7-30 days)
- Backup restoration tested successfully
- Off-site backup configured (S3, etc.)
- Backup monitoring/alerting set up
- Release binary built (
cargo build --release) - Binary tested locally
- All tests passing (
cargo test) - No compilation warnings addressed
- Dependencies audited (
cargo audit) - Binary size optimized (strip enabled)
-
.env.productionfile created - All required environment variables set
- API keys configured (Paystack, etc.)
- Database URL correct
- Redis URL correct
- Stellar network set to mainnet
- Log level set appropriately (info/warn)
- File permissions set correctly (600 for .env)
- Systemd service file created
- Service file installed in /etc/systemd/system/
- Service enabled to start on boot
- Service starts successfully
- Service restarts on failure
- Service logs to journald
- Service runs as non-root user
- All secrets stored in environment variables
- No secrets in code or git repository
- Input validation implemented
- SQL injection prevention (parameterized queries)
- XSS prevention
- CSRF protection
- Rate limiting implemented
- Request size limits configured
- Firewall rules configured
- Only necessary ports open (22, 80, 443)
- SSL/TLS certificates installed
- HTTPS enforced
- Security headers configured
- DDoS protection considered
- Strong passwords enforced
- SSH key-based authentication only
- Sudo access limited
- Database access restricted
- API authentication implemented
- Authorization checks in place
- Health check endpoint working
- Request logging enabled
- Error logging configured
- Performance metrics collected
- Slow query logging enabled
- Memory usage monitored
- CPU usage monitored
- Connection count monitored
- Query performance tracked
- Slow queries logged
- Database size monitored
- Replication lag monitored (if applicable)
- Cache hit ratio tracked
- Critical error alerts configured
- Disk space alerts set up
- Memory alerts configured
- Database connection alerts
- Backup failure alerts
- Service down alerts
- Load testing completed
- Response times acceptable (<200ms for most endpoints)
- Concurrent user capacity tested
- Memory leaks checked
- Connection pooling optimized
- Caching strategy implemented
- Indexes created on frequently queried columns
- Query plans analyzed (EXPLAIN ANALYZE)
- Slow queries optimized
- Database statistics updated
- Vacuum strategy configured
- Connection limits appropriate
- Service auto-restart configured
- Database replication considered
- Load balancing considered (if needed)
- Failover strategy defined
- Recovery time objective (RTO) defined
- Recovery point objective (RPO) defined
- Backup restoration tested
- Rollback procedure documented
- Emergency contacts documented
- Incident response plan created
- Data retention policy defined
- Disaster recovery plan tested
- API documentation complete
- Database schema documented
- Deployment guide written
- Configuration guide created
- Troubleshooting guide available
- Architecture diagram created
- Runbook created
- Monitoring guide written
- Backup/restore procedures documented
- Incident response procedures documented
- Maintenance procedures documented
- Contact information updated
- All features tested in production-like environment
- Integration tests passing
- End-to-end tests passing
- Payment flows tested
- Error handling tested
- Edge cases covered
- Load testing completed
- Stress testing completed
- Security testing completed
- Performance testing completed
- Backup/restore tested
- Failover tested
- Terms of service reviewed
- Privacy policy reviewed
- Data protection compliance (GDPR, etc.)
- Payment compliance (PCI DSS if applicable)
- License compliance checked
- Third-party agreements reviewed
- Security audit completed
- Code review completed
- Dependency audit completed
- Access logs enabled
- Audit trail implemented
- Compliance documentation ready
- Deployment procedure documented
- Rollback procedure tested
- Zero-downtime deployment strategy
- Database migration strategy
- Feature flags implemented (if needed)
- Canary deployment considered
- Maintenance window defined
- Update procedure documented
- Monitoring during maintenance
- Communication plan for downtime
- Maintenance checklist created
- Post-maintenance verification
- Team trained on deployment
- Team trained on monitoring
- Team trained on troubleshooting
- Team trained on incident response
- Documentation reviewed by team
- On-call rotation defined
- Stakeholders informed
- Launch date communicated
- Support channels established
- Escalation path defined
- Status page set up (if needed)
- Communication templates prepared
- All checklist items completed
- Production environment matches staging
- DNS records configured
- SSL certificates valid
- Monitoring dashboards set up
- Alerts tested
- Backup verified
- Team ready
- Technical lead approval
- Product owner approval
- Security team approval
- Operations team approval
- All critical issues resolved
- Launch criteria met
- Monitor error rates
- Monitor response times
- Monitor resource usage
- Check backup completion
- Verify all features working
- Address any critical issues
- Review performance metrics
- Analyze user feedback
- Optimize based on real usage
- Address non-critical issues
- Update documentation
- Team retrospective
- Performance review
- Security review
- Cost optimization
- Capacity planning
- Process improvements
- Lessons learned documentation
Technical Lead: _________________ Date: _______
Operations Lead: _________________ Date: _______
Security Lead: _________________ Date: _______
Product Owner: _________________ Date: _______
Use this space for additional notes, exceptions, or special considerations:
[Your notes here]