├── .gitignore
├── README.md
├── serverside-checklist.md
├── sources.md
└── spa-checklist.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.idea

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# going-to-production

Are you wondering "What should I do before moving my project to production?"
Here is a list of things you want to address before hitting the road:

* [Serverside Checklist](serverside-checklist.md)
* [SPA Checklist](spa-checklist.md)

----
* [Useful Sources](sources.md)

--------------------------------------------------------------------------------
/serverside-checklist.md:
--------------------------------------------------------------------------------
# Serverside checklist

This is a checklist for the serverside of the Web App.

## Legal

- [ ] Licences of my application's 3rd-party dependencies are not violated
- [ ] My application does not violate cryptography policies and laws
- [ ] My app is compliant according to the organisation standards

## Resiliency

* [ ] My application can retain reasonable functionality in isolation
* [ ] My application can recover from being under heavy load
* [ ] My application can reestablish all lost connections
* [ ] My application cannot cause cascading failures to propagate through the system

## Load balancing

* [ ] My project can run on multiple CPUs
* [ ] My project can run behind a load balancer
* [ ] I can add a new node without system downtime

## Transparent deployment

* [ ] I can add a new node without stopping the application
* [ ] I can add a new node without user sessions being lost/destroyed
* [ ] I can make rolling upgrades for my service

## Supervising

* [ ] My application can survive a server restart
* [ ] My application is restarted automatically after a crash

## Logging

* [ ] My application logs all errors (even "swallowed" ones)
* [ ] My application produces log output to rotated files
  * Streams with different log levels are separated from each other
* [ ] My logs are aggregated to a log analysing service

## Monitoring

* [ ] I have configured alerts for abnormal activity
  * Application restart events
  * Error rate threshold reached
  * Server resources are soon to be exhausted (CPU, memory, IO > 90%)
  * HTTP request timeouts
  * HTTP responses with 500 status codes
* [ ] I have health checks for all parts of my system

## Metrics

* [ ] I can observe different events from my app over time
  * Number of requests per endpoint
  * Duration of requests per endpoint
  * Duration of business-logic operations

## High Availability

* [ ] I can run my services in different independent data centers

## Testing

* [ ] I have performed stress tests for my application
* [ ] I have performed network partitioning tests for my application

## Backups

* [ ] I can restore all my data from backups

## Security

* [ ] I have audited my system against OWASP Top 10 Vulnerabilities
* [ ] I use TLS for all endpoints
* [ ] I have added relevant security headers to app HTTP endpoints
  * `X-Frame-Options`
  * `X-Content-Type-Options`
  * `Content-Security-Policy`
  * `X-XSS-Protection`
  * `Strict-Transport-Security`
  * `Public-Key-Pins`

--------------------------------------------------------------------------------
/sources.md:
--------------------------------------------------------------------------------
# Sources

## Backend

1. [12 factor applications](http://12factor.net/)
1. [Production Quality NodeJS Applications](http://caines.ca/blog/2014/06/01/production-quality-node-dot-js-web-apps-part-i/)
1. [OWASP Top 10 Vulnerabilities Report](http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf)
1. [AWS Security Best Practices](https://aws.amazon.com/whitepapers/aws-security-best-practices/)
1. [Hardening Your HTTP Security Headers](https://www.keycdn.com/blog/http-security-headers/)
1. [Monitoring 101](https://www.datadoghq.com/blog/monitoring-101-collecting-data/)
1. [Making CSP Great Again](https://speakerdeck.com/mikispag/making-csp-great-again-michele-spagnuolo-and-lukas-weichselbaum)
1. [HTTPS Everywhere FAQ](https://www.eff.org/https-everywhere/faq)
1. [Blue-Green Deployment](https://martinfowler.com/bliki/BlueGreenDeployment.html)
1. [Using Blue-Green Deployment to Reduce Downtime and Risk](https://docs.cloudfoundry.org/devguide/deploy-apps/blue-green.html)

## Frontend

1. [Deploying Javascript Applications](https://alexsexton.com/blog/2013/03/deploying-javascript-applications/)
1. [Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites](http://seclab.stanford.edu/websec/framebusting/framebust.pdf)

--------------------------------------------------------------------------------
/spa-checklist.md:
--------------------------------------------------------------------------------
# Single Page App Checklist

This is a checklist for a browser-based Web App **without a backend** or with a 3rd-party backend.

## Legal

- [ ] Licences of my app's 3rd-party dependencies are not violated
- [ ] My app does not violate cryptography policies and laws
- [ ] My app is compliant according to the organisation standards

## Accessibility

- [ ] My app is accessible
- [ ] Colors and contrast are color-blind friendly OR there is a possibility to switch to a high-contrast mode
- [ ] My app is screenreader-friendly
- [ ] My app has keyboard navigation

## Deployment

- [ ] My app is served from a CDN or a cookie-less subdomain
- [ ] My app is served with forever cache headers for static assets
- [ ] My app's static resources are gzipped

## Loading optimization

- [ ] My app can load its assets in parallel (CSS, images and scripts)
- [ ] My app uses icon sprites
- [ ] My app does not hit the [browser HTTP requests limit per host](http://stackoverflow.com/questions/985431/max-parallel-http-connections-in-a-browser)
- [ ] My app loads all well-known JavaScript libraries from a CDN

## Versioning

- [ ] My app has cache-busting implemented (assets, object cache etc.)

## Assets

- [ ] Have a 404 page
- [ ] Have a [maintenance page](https://www.smashingmagazine.com/2009/06/effective-maintenance-pages-examples-and-best-practices/)
- [ ] Images support HDPI screens (Retina, etc.)

## Testing

- [ ] My app does not have memory leaks
- [ ] My app is passing performance tests with high grades
  - [ ] [PageSpeed](https://developers.google.com/speed/pagespeed/)
  - [ ] [YSlow](http://yslow.org/)
  - [ ] Chrome Dev Tools Audit
- [ ] My app loads in less than 3 seconds

## Debugging

- [ ] Minified JavaScript files contain the URL of their source maps
- [ ] Thrown exceptions are handled and passed to storage ([Sentry](https://sentry.io/), [Track.js](https://trackjs.com/), etc.)
- [ ] The error storage processes source-mapped files

## Tracking

- [ ] My app gathers metrics about usage behaviour

## Security

- [ ] I have audited my system against:
  - [ ] [OWASP Top 10](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet) Vulnerabilities
  - [ ] [Observatory](https://observatory.mozilla.org/)
  - [ ] [securityheaders.io](https://securityheaders.io/)
--------------------------------------------------------------------------------
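Both the serverside checklist's security-header item and the SPA checklist's securityheaders.io scan come down to one question: does each response carry the listed headers with values that actually protect anything? The audit function below is an added example, not code from the going-to-production repo; it takes a response's headers as a plain object (as Node's `res.headers` provides them) and reports missing headers, weak values such as a short HSTS `max-age` or a CSP that permits `'unsafe-inline'`, and treats `Public-Key-Pins` as informational only, since browsers have removed HPKP support. The sample headers and the one-year threshold are constructed for the example.

```javascript
// Added example, not code from the going-to-production repo: audit one HTTP
// response's headers against the checklist's security-header list.
// `headers` is a plain object as Node's `res.headers` gives it (any key case).
const ONE_YEAR = 31536000; // seconds; the HSTS preload list requires >= 1 year

function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const missing = [], weak = [], info = [];

  const xfo = h['x-frame-options'];
  if (!xfo) missing.push('X-Frame-Options');
  else if (!/^(DENY|SAMEORIGIN)$/i.test(xfo)) weak.push(`X-Frame-Options: ${xfo}`);

  const xcto = h['x-content-type-options'];
  if (!xcto) missing.push('X-Content-Type-Options');
  else if (xcto.toLowerCase() !== 'nosniff') weak.push(`X-Content-Type-Options: ${xcto}`);

  const csp = h['content-security-policy'];
  if (!csp) missing.push('Content-Security-Policy');
  else if (/'unsafe-(inline|eval)'/.test(csp)) weak.push("Content-Security-Policy allows 'unsafe-inline'/'unsafe-eval'");

  // Legacy header: Chromium removed its XSS auditor and Firefox never had one.
  if (!h['x-xss-protection']) info.push('X-XSS-Protection not set (legacy; a strict CSP supersedes it)');

  const hsts = h['strict-transport-security'];
  if (!hsts) missing.push('Strict-Transport-Security');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) weak.push(`Strict-Transport-Security: ${hsts}`);
  }

  // HPKP is on the checklist, but browsers have removed support; report only.
  info.push(h['public-key-pins']
    ? 'Public-Key-Pins set but no longer honoured by browsers'
    : 'Public-Key-Pins absent (deprecated, safe to omit)');

  return { missing, weak, info, pass: missing.length === 0 && weak.length === 0 };
}

// Constructed sample: headers as a partly configured app might send them.
const sampleHeaders = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'ALLOWALL',
  'Strict-Transport-Security': 'max-age=86400',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
console.log(JSON.stringify(auditSecurityHeaders(sampleHeaders), null, 2));
```

Run it against the headers your staging deployment actually returns (for example via `http.get` and `res.headers`) before ticking the checklist item, and treat any `weak` entry as a failure, not a warning.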