Production Readiness Checklist: The 45 Things to Check Before Launching Your SaaS
Security scans find vulnerabilities. This checklist finds everything else that will break when real users show up — and it cross-references your answers against your actual app so you can't lie to yourself.
The Problem with Most Pre-Launch Checklists
Every SaaS founder has a pre-launch checklist. It lives in a Notion doc, a Google Sheet, or a GitHub issue. You tick things off as you go. "Security headers — done. Rate limiting — done. Privacy policy — done."
But here's the problem: checklists are self-reported. You check a box because you think you did it, or because you planned to do it, or because you did it on staging but not production. There's no verification step.
A security scan won't catch this either. Scans find vulnerabilities — missing CSP, exposed secrets, SQL injection. They don't tell you if your 404 page is styled, if your database backups are actually running, or if your cookie consent banner works on mobile Safari.
That's where production readiness comes in.
Two Scores, One Truth
Vezraa's Production Readiness feature uses a two-signal system. It shows you two scores side by side:
- Verified Score — what our scanner actually detected about your app. This is objective. Did we find security headers? Is HTTPS enforced? Are API keys exposed in your JS bundles? The scanner doesn't guess.
- Your Answers Score — what you've told us you've done. This is a 45-item checklist across 10 categories. You check the boxes for things you've implemented.
When these two scores match, you have ground truth. When they don't — and they often don't — we surface the contradictions so you can investigate before launch.
The 45-Item Checklist
We organized the checklist into 10 categories. Every item is a concrete yes/no — no "improve security" ambiguity. Here's what we check:
Security (8 items)
Custom domain with HTTPS, production API keys (no sandbox or test-mode keys left in config), security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), rate limiting on login endpoints, CSRF protection on state-changing requests, session timeout configuration, CORS restricted to your own origins (no wildcard or reflected Origin combined with credentials), and no hardcoded secrets in client-side code.
The scanner can verify 6 of these 8 items automatically.
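The header and CORS items above are the ones a scanner can settle objectively, and the check is simple enough to run yourself against a saved response. The following is an added example written for this post, not Vezraa's scanner code: it audits a response's headers for the six named security headers, flags weak values (short HSTS max-age, `unsafe-inline`/`unsafe-eval` in the effective script sources, an invalid X-Frame-Options value) and detects the two bad CORS shapes (wildcard with credentials, or reflecting whatever Origin the probe sent). The thresholds, the sample responses and the `https://evil.example` probe origin are this example's assumptions.

```javascript
// Added example: audit the six security headers the checklist names plus the
// CORS item, as a scanner would when deciding whether "Security headers are
// set" is true. Illustrative code, not Vezraa's; thresholds are assumptions.

// Lower-cased because HTTP header names are case-insensitive.
const REQUIRED_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'permissions-policy',
];

// Six months. Shorter values leave users exposed again soon after a visit.
const MIN_HSTS_MAX_AGE = 15552000;

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Return the source list of one CSP directive, or null if it is absent.
function cspDirective(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// probeOrigin is the Origin header the probe request carried. If the response
// echoes it back together with Allow-Credentials, any site can make
// authenticated cross-origin calls to the API.
function auditSecurityHeaders(rawHeaders, { probeOrigin = null } = {}) {
  const h = normalizeHeaders(rawHeaders);
  const missing = REQUIRED_HEADERS.filter((name) => !(name in h));
  const weak = [];

  if (h['strict-transport-security']) {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security']);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < MIN_HSTS_MAX_AGE) weak.push(`strict-transport-security: max-age=${maxAge} is too short`);
  }

  if (h['content-security-policy']) {
    const csp = h['content-security-policy'];
    // script-src falls back to default-src when absent, as browsers do.
    const scriptSources = cspDirective(csp, 'script-src') || cspDirective(csp, 'default-src');
    if (!scriptSources) {
      weak.push('content-security-policy: no script-src or default-src directive');
    } else if (scriptSources.some((t) => /^'unsafe-(inline|eval)'$/i.test(t))) {
      weak.push('content-security-policy: script sources allow unsafe-inline or unsafe-eval');
    }
  }

  // Browsers only honour DENY and SAMEORIGIN; ALLOW-FROM is ignored.
  if (h['x-frame-options'] && !/^(deny|sameorigin)$/i.test(h['x-frame-options'])) {
    weak.push(`x-frame-options: "${h['x-frame-options']}" is not DENY or SAMEORIGIN`);
  }

  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    weak.push('x-content-type-options: value must be nosniff');
  }

  const acao = h['access-control-allow-origin'];
  const withCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*' && withCreds) weak.push('cors: wildcard origin combined with credentials');
  if (probeOrigin && acao === probeOrigin && withCreds) {
    weak.push(`cors: reflects arbitrary origin ${probeOrigin} with credentials`);
  }

  return { missing, weak, ok: missing.length === 0 && weak.length === 0 };
}

// Constructed sample responses (not captured from any real site).
const GOOD_RESPONSE = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Access-Control-Allow-Origin': 'https://app.example.com',
};

const BAD_RESPONSE = {
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Access-Control-Allow-Origin': 'https://evil.example',
  'Access-Control-Allow-Credentials': 'true',
};

// Stand-alone run over both samples.
for (const [label, headers] of [['good', GOOD_RESPONSE], ['bad', BAD_RESPONSE]]) {
  console.log(label, JSON.stringify(auditSecurityHeaders(headers, { probeOrigin: 'https://evil.example' }), null, 2));
}
```

In a real audit, feed it the headers of the page and of an API route separately: a framework often sets CSP on HTML responses but not on JSON endpoints, and the CORS check only means anything on the API.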
Auth & Identity (5 items)
Login with a fresh account end-to-end, password reset flow, OAuth/SSO provider integration (Google, GitHub), account deletion flow (GDPR requirement), and MFA/2FA availability for sensitive actions.
Some of these are hard to verify automatically — but the checklist ensures you've at least thought about them.
Payments (4 items)
Full purchase flow end-to-end (real card in staging, webhook fires, feature unlocks), webhook signature verification (critical: an unverified webhook endpoint lets anyone who finds the URL POST a forged "payment succeeded" event and unlock paid features, and without a timestamp check a captured genuine event can be replayed), refund flow tested, and graceful handling of failed payments (expired card, insufficient funds).
Email (3 items)
Transactional email sending from your real domain (not noreply@gmail.com), SPF/DKIM/DMARC DNS records configured (without them your mail is far more likely to land in spam, and anyone can send mail that appears to come from your domain), and production-ready email templates (no placeholder text or broken images).
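"Configured" is the weak word in the SPF/DKIM/DMARC item: a record can exist and still do nothing (`p=none`, `+all`). The following is an added example, not part of this post or of Vezraa's scanner, that lints SPF and DMARC TXT records for the mistakes that leave a domain spoofable. The records are constructed, not real DNS data; a live check would fetch them with `dns.promises.resolveTxt` from `node:dns` and pass the joined strings in. DKIM is left out because its record lives under a selector name (`<selector>._domainkey.<domain>`) that cannot be discovered without knowing the selector.

```javascript
// Added example: lint SPF and DMARC records for weak or broken settings.
// Illustrative code, not the scanner's. Input records below are constructed.

// Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at
// most 10 per evaluation, after which receivers return permerror.
const LOOKUP_TERMS = ['include', 'a', 'mx', 'ptr', 'exists', 'redirect'];

function parseSpf(txt) {
  const findings = [];
  const terms = txt.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') {
    return { ok: false, allQualifier: null, lookups: 0, findings: ['not an SPF record (missing v=spf1)'] };
  }
  let allQualifier = null;
  let lookups = 0;
  for (const term of terms.slice(1)) {
    // [qualifier]mechanism[:value | =value | /cidr]
    const m = /^([+\-~?])?([a-z0-9]+)(?:[:=/](.*))?$/i.exec(term);
    if (!m) { findings.push(`unparseable term "${term}"`); continue; }
    const qualifier = m[1] || '+';
    const mech = m[2].toLowerCase();
    if (mech === 'all') allQualifier = qualifier;
    if (LOOKUP_TERMS.includes(mech)) lookups += 1;
    if (mech === 'ptr') findings.push('ptr mechanism is deprecated and unreliable');
  }
  if (allQualifier === null) findings.push('no "all" mechanism: unlisted senders get a neutral result');
  else if (allQualifier === '+') findings.push('+all lets any host on the internet send as your domain');
  else if (allQualifier === '?') findings.push('?all is neutral; use ~all (softfail) or -all (fail)');
  if (lookups > 10) findings.push(`${lookups} DNS-lookup terms exceed the limit of 10 (permerror)`);
  return { ok: findings.length === 0, allQualifier, lookups, findings };
}

function parseDmarc(txt) {
  const findings = [];
  const tags = {};
  for (const part of txt.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    tags[part.slice(0, idx).trim().toLowerCase()] = part.slice(idx + 1).trim();
  }
  if (tags.v !== 'DMARC1') {
    return { ok: false, policy: null, tags, findings: ['not a DMARC record (missing v=DMARC1)'] };
  }
  if (!tags.p) findings.push('missing p= policy');
  else if (tags.p === 'none') findings.push('p=none only reports; spoofed mail is still delivered');
  if (!tags.rua) findings.push('no rua= address: you will never see aggregate reports');
  if (tags.pct && Number(tags.pct) < 100) findings.push(`pct=${tags.pct} applies the policy to only part of the mail`);
  return { ok: findings.length === 0, policy: tags.p || null, tags, findings };
}

// Constructed records, not real DNS data.
const SPF_GOOD = 'v=spf1 include:_spf.example-mailer.com ip4:203.0.113.0/24 -all';
const SPF_WEAK = 'v=spf1 a mx include:a.example include:b.example include:c.example ptr +all';
const DMARC_GOOD = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100';
const DMARC_WEAK = 'v=DMARC1; p=none';

// Stand-alone run over the samples.
console.log('SPF good  :', parseSpf(SPF_GOOD));
console.log('SPF weak  :', parseSpf(SPF_WEAK));
console.log('DMARC good:', parseDmarc(DMARC_GOOD));
console.log('DMARC weak:', parseDmarc(DMARC_WEAK));
```

Treat `p=none` as a staging setting: it is the right first step while you collect reports, but launching with it means the record is doing nothing for recipients.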
Legal & Compliance (5 items)
Privacy policy page that reflects your actual data practices, terms of service covering billing and liability, cookie consent banner blocking non-essential cookies until consent (GDPR/ePrivacy), GDPR data rights (export + deletion), and an accessibility statement.
Reliability (6 items)
Error tracking (Sentry, LogRocket, or similar), uptime monitoring (BetterStack, UptimeRobot), database backups with a tested restore procedure, graceful degradation when downstream services fail (Stripe, Supabase, email), custom styled 404 and 500 pages, and structured logging.
CI/CD & Deployment (4 items)
Automated deployment pipeline (push to main → tests run → deploy), staging environment that mirrors production, tested rollback procedure (can you revert in under 5 minutes?), and automated database migrations with rollback scripts.
Performance (3 items)
Lighthouse scores at 90+ on Performance, Accessibility, Best Practices, and SEO; optimized images (Next.js Image, WebP/AVIF, lazy loading); and controlled JS bundle size (code splitting, tree shaking).
UX & Frontend (4 items)
Mobile tested on iPhone Safari and Android Chrome, loading states and empty states for every async operation, no test/demo data visible to real users, and favicon/PWA icons set for browser tabs and home screens.
Visibility & SEO (3 items)
Analytics set up (Plausible, PostHog, GA4, or similar), SEO fundamentals (unique title, meta description, canonical URL, heading hierarchy), and Open Graph / Twitter Card preview for social shares.
Where the Scanner Comes In
The checklist is useful on its own — 45 items is a lot to remember. But the real power is in the cross-referencing.
Vezraa runs a full scan of your deployed app (2,100+ checks across 75+ categories) and compares the results against your checklist answers. For 30 of the 45 items, the scanner has direct evidence:
- You checked "Security headers are set" but the scanner found no HSTS header? Red badge: Scanner disagrees.
- You didn't check "Rate limiting is configured" and the scanner sent 15 rapid requests and never got a 429? The item stays unchecked with a "Fix it" link to the finding.
- You checked "Privacy policy page exists" and the scanner found it at /privacy? Green badge: Verified by scanner.
Items the scanner can't verify (like "Tested login with a fresh account" or "Refund flow tested") get no badge — they stay as self-reported. But the ones it can verify become objective measurements. No more guessing.
From Checking Boxes to Shipping
The goal isn't to check all 45 boxes. It's to get to a state where the Verified Score and Your Answers Score are both 80+, and zero blockers remain.
When you open the Production Readiness page, you see a prioritized "Next 3 Actions" panel at the top — blockers first, then scanner contradictions. Each item with a contradiction has a Fix it button that takes you straight to the scan finding with the fix prompt.
Fix what's actionable. Re-scan to verify. Watch the sparkline trend up over time. When the banner flips green — "Ready to Launch" — you have objective evidence, not just a checked Notion doc.
Getting Started
If you already have a Vezraa account, the Production Readiness page is in your dashboard under Monitor → Production Ready. If you haven't scanned your app yet, run a scan first — the cross-referencing needs scan data to work.
If you don't have an account yet, it takes 25 seconds and one URL. No installs, no API keys, no repo access.
Ship with confidence. Check your production readiness in 25 seconds.
Scan Your App →