Create.xyz App Production Checklist

Create.xyz apps need authentication enforced on the backend and MongoDB queries secured — the generated frontend auth is often the only gate, which is insufficient

Authentication protects all private routes and API endpoints. Input validation on every form and data handler. No API keys or secrets in client-side code. Security headers configured (CSP, HSTS, X-Frame-Options). CORS restricted to your domain. Rate limiting on login and signup endpoints. HTTPS enforced everywhere.

Images optimized and lazy-loaded. Code splitting implemented. Lighthouse performance score above 80. Database queries have indexes on filtered columns. Pagination on all data lists. Static assets served with cache headers. No unnecessary client-side JavaScript.

Error tracking configured (Sentry or similar). Custom error pages for 404 and 500 errors. Error boundaries catch rendering failures gracefully. Loading states on all async operations. Graceful handling of network failures. Health check endpoint for monitoring. Database backups configured.

Authentication middleware applied to all protected API routes. MongoDB connection string only on backend, never frontend. NoSQL injection prevention via input sanitization. User data queries scoped to authenticated user's ID. MongoDB indexes on commonly queried fields. Pagination on all collection-returning endpoints. Rate limiting on auth and public endpoints. HTTPS enforced in production. Error responses safe for public consumption. Frontend handles API errors with user-visible feedback. File upload size limits enforced. CORS restricted to your frontend domain. Environment variables configured in deployment platform. Tests covering auth boundaries. Monitoring configured for API errors

Our security scan ($19) and code audit ($19) check for all of these issues automatically. Upload your code and get a detailed report within 24 hours. If you need help fixing what we find, our team is here for that too.