Cursor App Production Checklist

Cursor-specific concerns: verify no localhost URLs in production code, ensure all API routes require auth, confirm environment variables are properly separated, and check that server actions validate input before database operations

Authentication protects all private routes and API endpoints. Input validation on every form and data handler. No API keys or secrets in client-side code. Security headers configured (CSP, HSTS, X-Frame-Options). CORS restricted to your domain. Rate limiting on login and signup endpoints. HTTPS enforced everywhere.

Images optimized and lazy-loaded. Code splitting implemented. Lighthouse performance score above 80. Database queries have indexes on filtered columns. Pagination on all data lists. Static assets served with cache headers. No unnecessary client-side JavaScript.

Error tracking configured (Sentry or similar). Custom error pages for 404 and 500 errors. Error boundaries catch rendering failures gracefully. Loading states on all async operations. Graceful handling of network failures. Health check endpoint for monitoring. Database backups configured.

Environment variables configured for production (no hardcoded URLs). All API routes and server actions require authentication. Input validation on all server-side data handlers. Error boundaries at route segment level. Security headers configured in next.config.ts. Database queries use parameterized statements. No sensitive keys in NEXT_PUBLIC_ variables. Rate limiting on auth endpoints. Custom 404 and error pages. Monitoring and error tracking (Sentry or similar). Image optimization with next/image. Loading states for all async operations. CORS restricted to your domain. Proper cache-control headers. SSL enforced on all routes

Our security scan ($19) and code audit ($19) check for all of these issues automatically. Upload your code and get a detailed report within 24 hours. If you need help fixing what we find, our team is here for that too.