Gorrion Production Readiness Checklist

Name	Level	Scope	Comment
The website is available via the client’s domain address with TLS and redirected to HTTPS from HTTP	Critical 🔴	Frontend 🖥, Security 🔒
The domain is redirected to the www subdomain	Critical 🔴	Frontend 🖥
The check on https://securityheaders.com/ gives at least a “B” grade	Critical 🔴	Frontend 🖥, Security 🔒
The backend is accessible via the client’s domain with TLS	Critical 🔴	Backend ⚙️, Security 🔒
The backend is accessible only from the client’s domains using CORS	Critical 🔴	Backend ⚙️, Security 🔒	Not possible with mobile apps
The JWT secret is safe and configured only on the server side	Critical 🔴	Backend ⚙️, Security 🔒
The app has an error-monitoring system configured	Critical 🔴	Backend ⚙️, Frontend 🖥, Monitoring 👀	Recommended: https://sentry.io
The app is deployed via the CI solution	Critical 🔴	Deployment 🚀, CI/CD 🤖
The app is hosted on a production-grade cloud solution	Critical 🔴	Deployment 🚀, Security 🔒	Recommended: AWS, Digital Ocean, Fly.io
The database is hosted on a production-grade solution	Critical 🔴	Deployment 🚀, Security 🔒	Recommended: AWS RDS, Digital Ocean Databases, Supabase, PlanetScale or similar
The system has backups enabled	Critical 🔴	Deployment 🚀, Security 🔒
CRON jobs should only be handled via one source of truth	Critical 🔴	Backend ⚙️, Deployment 🚀
All password related to the project should be shared via password manager only with corresponding group	Critical 🔴	Security 🔒, Deployment 🚀	Do not share password, secrets etc. in messages nor host them on git
The app should have a risk management and disaster recovery plan written down and available at any point	Critical 🔴	Monitoring 👀, Security 🔒, Deployment 🚀
The app has an uptime-monitoring system configured	Should have 🟡	Monitoring 👀, Backend ⚙️, Frontend 🖥	Leverage health checks. Recommended: https://instatus.com/ or https://betteruptime.com/
The app has a logging solution configured	Should have 🟡	Monitoring 👀, Backend ⚙️, Frontend 🖥	Recommended: AWS Cloudwatch or https://betterstack.com/logtail
The auto-scaling solution is enabled	Should have 🟡	Deployment 🚀, Backend ⚙️
The frontend should be checked periodically in terms of performance	Should have 🟡	Frontend 🖥	At least test Core Web Vitals via Chrome Lighthouse
Tests and audits should run in CI/CD pipelines	Should have 🟡	CI/CD 🤖, Security 🔒	Audit packages to limit CVEs, use SNYK CLI to check production docker images
There is a way to quickly check and deploy hot fixes to production	Should have 🟡	Deployment 🚀, CI/CD 🤖
The error messages on client don’t include stack traces	Nice to have 🟢	Deployment 🚀, Security 🔒, Frontend 🖥	Remove everything that can give attackers an attack surface
The app has versioning system enabled and has a change log	Nice to have 🟢	Deployment 🚀