Checklist I Use Before Launching Any Client Website (Dev to Production)

Who this is for: Small business owners, freelancers, or agencies who want zero surprises on launch day.
What you’ll learn: My exact 7-phase checklist to deploy secure, fast websites without downtime or security gaps. I’ve used this for dozens of clients at Green Dwarf Tech, including static sites, React apps, and e-commerce platforms, among others.

Launching a website isn’t just uploading files and calling it done. One missed step, such as a weak secret or untested database migration, can result in downtime, hacks, or lost revenue. I’ve seen it happen.

That’s why every client site I deploy follows this pre-launch checklist. It’s battle-tested across Proxmox VMs, Nginx proxies, CyberPanel, and cloud VPS. Takes 2–4 hours, saves weeks of headaches.

Let’s break it down phase by phase.

Phase 1: Code & Tests (Local/Staging First)

No production deploy without green lights here. I run this on my dev machine and staging server (exact mirror of production).

Run full test suite: Unit, integration, E2E. For React/Node.js: npm test -- --coverage. Fix anything under 80% coverage.
Lint & format code: npm run lint && npm run format. Consistent code = fewer prod bugs.
Dependency audit: npm audit and npm outdated. Update non-breaking packages; pin breaking ones in package-lock.json.
Build & smoke test: npm run build && npm start. Check console, load every page, test forms/submissions.

Pro tip: Staging must match prod exactly—same Node version, PHP if used, even OS. I snapshot my Proxmox VM here for rollback.

Phase 2: Environment & Secrets (Zero Hardcoding)

Secrets in code = disaster. I never commit them.

Set environment variables: Database creds, API keys, SMTP in .env.prod. Use tools like CyberPanel’s env manager or Docker secrets. Validate with dotenv-cli.
Rotate secrets: Generate fresh API keys, DB passwords. Test connections (e.g., mysql -u prod_user -p).
Remove dev leftovers: No console.log(), debug flags, or sample data. Grep your repo: grep -r "console.log\|TODO" dist/.

Example .env.prod snippet (never share yours):

DB_HOST=localhost

DB_PASS=superstrongpass123!

JWT_SECRET=your-512bit-random-string

Phase 3: Security Hardening (My Cybersecurity Edge)

Security isn’t optional; it’s table stakes. I layer defences before DNS even points live.

SSL/TLS setup: Free Let’s Encrypt via CyberPanel/Nginx. Force HTTPS redirects, HSTS headers. Test with SSL Labs.
Firewall & ports: UFW/iptables: Open only 80/443, SSH (key-only, no pass). Close everything else. Rate-limit brute force.
Headers & CSP: Nginx: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Content-Security-Policy. Block XSS/CSRF.
Scan for vulns: Nikto, Nuclei, or free OWASP ZAP. Fix medium+ issues. No open directories (robots.txt, .htaccess).
User cleanup: Delete demo accounts. Strong, unique admin pass + 2FA.

Phase 4: Performance & Backups (Uptime Guaranteed)

Fast + reliable = happy clients.

Optimise assets: Images via TinyPNG, minify JS/CSS (Vite does this), lazy-load. Lighthouse score >90 mobile/desktop.
Caching setup: Nginx fastcgi_cache for dynamic, browser cache for static. CDN for global traffic.
Full backups: Database dump (mysqldump), files via rsync to TrueNAS. Test restore on a fresh VM. Offsite copy.
Database prep: Run migrations, seed production data if needed. Vacuum/optimise indexes.

Phase 5: Monitoring & Alerts (Catch Issues Early)

I don’t “set it and forget it.” Monitoring is always on.

Uptime hooks: UptimeRobot or CyberPanel monitor. Alert on 5min downtime.
App monitoring: New Relic/Prometheus for CPU/RAM/errors. Log aggregation (ELK or filebeat to TrueNAS).
Custom alerts: Slack/Telegram for 500 errors, high latency, or failed cron jobs.
Load test: Artillery or Loader.io: Simulate 100 – 500 users. Tweak if >2s response.

Phase 6: Final Prod Deploy & Verify

Go time. Blue-green if high-traffic (swap Nginx upstreams).

Deploy script: Automated via GitHub Actions or shell: pull code, npm ci –prod, migrate DB, restart PM2/Nginx.
Post-deploy checks: Curl every endpoint, browser test mobile/desktop, incognito forms. Check logs: tail -f /var/log/nginx/error.log.
SEO basics: XML sitemap submitted to Google and other search engines, robots.txt, and meta tags verified.

Phase 7: Handoff & Post-Launch (Client Wins)

Client demo: Walkthrough, share admin creds (via Bitwarden), monitoring dashboard link.
Docs: One-pager: login URLs, update process, who to call (me! or my team!).
7-day check: I monitor the first week, tweak as needed. Free.

Rollback Plan (Because Murphy’s Law)

If the smoke test fails post-deploy:

Restore from backup snapshot (5min).
Revert Nginx upstream or DB rollback.
Push known-good tag.

I’ve rolled back twice, once for a bad npm dep. Caught in 3 minutes.

Why This Checklist Works for Your Business

It blends speed (static sites fly), security (my pentest background), and reliability (Proxmox/TrueNAS backbone). Clients get 99.9% uptime, PCI-ready if needed, and peace of mind.

Used it for a local e-com site: Launch to ₹10k/mo sales in week 1, zero incidents.

Ready to launch yours? Drop me a line at Green Dwarf Tech. I’ll run this checklist so you don’t have to.