Guide · 7 min read · 2026-05-01

Production Security Checklist: 20 Things Before You Go Live

Run through these 20 security checks before your next production launch to catch vulnerabilities before attackers do.


Going live with a security gap is far more expensive than finding it beforehand. This checklist covers the 20 most important security checks across authentication, secrets, networking, dependencies, and monitoring. Run through it before every major launch — and use it to audit existing production systems.

Authentication & Authorization

1. HTTPS enforced everywhere

All traffic must be over TLS. No exceptions. Verify HSTS is set:

curl -I https://yourapp.com | grep Strict-Transport
# Expected: Strict-Transport-Security: max-age=31536000

2. Passwords hashed with bcrypt or Argon2

const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12); // cost factor 12+

Never use MD5, SHA1, or unsalted hashes.

3. JWTs have short expiry and are verified correctly

const jwt = require('jsonwebtoken');
// Pin the accepted algorithms: a token whose header names any other alg (including "none") is rejected
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });

4. Authorization checked on every API endpoint

Every route must verify the authenticated user has permission — not just the UI.

5. Rate limiting on auth endpoints

Login, password reset, and MFA verification endpoints must be rate limited:

const rateLimit = require('express-rate-limit');
// At most 10 requests per client per 15-minute window
const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10 });
app.use('/api/auth', authLimiter);

Secrets & Configuration

6. No secrets in source code or git history

git log --all --full-history -- "*.env" | head
git secrets --scan-history

If anything surfaces, rotate immediately.

7. Production secrets stored encrypted

Use a secrets manager or platform-level encrypted environment variables. On PandaStack:

npm install -g @pandastack/cli
panda env:set DATABASE_URL="postgresql://..." --app my-app

8. Different secrets for each environment

Production keys must never be used in development or staging.

9. .env in .gitignore, .env.example committed instead

grep -xF ".env" .gitignore
# Should output: .env  (a whole-line match, so .env.example alone does not count)

Input & Output

10. All user input validated and sanitized

Use validation libraries. Reject unknown fields. Validate type, length, and format.

11. Parameterized queries for all database operations

// Always
db.query('SELECT * FROM users WHERE email = $1', [email]);
// Never
db.query(`SELECT * FROM users WHERE email = '${email}'`);

12. API responses contain only necessary fields

Never return password hashes, internal IDs, or admin flags to end users. Explicitly select fields in responses.
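Items 10 and 12 together, as an added example that is not part of the original post: a small schema validator for a sign-up body that rejects unknown fields and checks type, length and format, plus an explicit field allow-list for the user object sent back to the client. Validation libraries such as zod or Joi cover the first half; the schema shape and the sample records here are assumptions.

```javascript
// Added example (not from the original post): a small schema validator for a
// sign-up body (item 10) and an explicit field allow-list for the response (item 12).
// zod or Joi do the validation part; the schema shape here is an assumption.
const signupSchema = {
  email:    { type: 'string', maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  username: { type: 'string', minLength: 3, maxLength: 32, pattern: /^[a-z0-9_]+$/i },
  password: { type: 'string', minLength: 12, maxLength: 128 },
};

// Returns { ok: true, value } containing only declared fields, or { ok: false, errors }.
function validate(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  // Unknown fields (isAdmin, role, __proto__, ...) are refused, not silently dropped.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unknown field: ${key}`);
  }
  const value = {};
  for (const [key, rule] of Object.entries(schema)) {
    const v = body[key];
    if (typeof v !== rule.type) { errors.push(`${key}: expected ${rule.type}`); continue; }
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${key}: too short`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${key}: too long`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${key}: bad format`);
    value[key] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Item 12: select the public fields by name instead of returning the stored record,
// so passwordHash and isAdmin can never reach the client by accident.
const PUBLIC_USER_FIELDS = ['id', 'username', 'createdAt'];
function toPublicUser(record) {
  return Object.fromEntries(PUBLIC_USER_FIELDS.filter((f) => f in record).map((f) => [f, record[f]]));
}

// Constructed sample inputs.
const goodBody = { email: 'ada@example.com', username: 'ada_l', password: 'correct horse battery' };
const badBody = { email: 'not-an-email', username: 'a', password: 'short', isAdmin: true };
const storedUser = { id: 'u1', username: 'ada_l', passwordHash: '<bcrypt hash>', isAdmin: false, createdAt: '2026-05-01' };
```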

13. Security headers set

const helmet = require('helmet');
app.use(helmet());

Verify with:

curl -I https://yourapp.com | grep -E "X-Content|X-Frame|Content-Security"

Infrastructure & Networking

14. Databases not exposed to the public internet

# Check if database port is reachable publicly
nmap -p 5432 your-db-host.com
# Should timeout or be refused

PandaStack databases are deployed in private networks by default — no public endpoint is created.

15. Container not running as root

RUN adduser -D appuser
USER appuser

Verify:

docker inspect my-app | jq '.[0].Config.User'
# Should output: "appuser" (not "" or "root")

16. Resource limits set on containers

docker inspect my-app | jq '.[0].HostConfig.Memory'
# Should not be 0 (unlimited)

Dependencies & Code

17. No high/critical vulnerabilities in dependencies

npm audit --audit-level=high

Fix or document accepted risks before launch.

18. Dependencies pinned to specific versions

// package.json — no ^ or ~ for production deps
"express": "4.18.2"

Monitoring & Response

19. Logging and monitoring active

Verify logs are being collected and you can query them. Set up alerts for:

  • Error rate spikes
  • Authentication failures
  • Unexpected traffic patterns

PandaStack provides built-in monitoring and alerting for all deployments. Configure at [dashboard.pandastack.io](https://dashboard.pandastack.io).

20. Incident response plan documented

Before you go live, answer:

  • Who do you call at 2am when the site is down?
  • How do you rotate a compromised secret in under 15 minutes?
  • Where is your runbook?

# Test your runbook: practice rotating a secret
panda env:set JWT_SECRET="$(openssl rand -base64 32)" --app my-app
panda deploy --app my-app
# Verify app restarts and works correctly

Running the Full Checklist with PandaStack

PandaStack handles several of these items out of the box: private networking for databases, encrypted secrets, container resource configuration, and built-in monitoring. Focus your pre-launch effort on application-layer items — authentication, input validation, and dependency audits.

npm install -g @pandastack/cli
panda login
panda deploy --image my-app:latest --region us-east

Full platform documentation at [docs.pandastack.io](https://docs.pandastack.io).

Summary

Use this checklist before every production launch. HTTPS, hashed passwords, short-lived tokens, authorization on every endpoint, rate limiting, no secrets in code, encrypted environment variables, input validation, parameterized queries, security headers, private databases, non-root containers, dependency auditing, monitoring, and an incident response plan. All 20. Every time.
