Production Readiness Checklist for AI-Built Apps

AI coding tools build functional prototypes fast, but prototypes aren't production-ready. They skip security hardening, performance optimization, error handling, and operational concerns. This checklist covers everything between 'it works on my machine' and 'it's ready for real users.'

Authentication on all private routes and API endpoints. Server-side input validation on every form and data handler. No API keys or secrets in client-side code or Git history. Security headers configured (CSP, HSTS, X-Frame-Options). CORS restricted to your domain. Rate limiting on login and signup endpoints. HTTPS enforced everywhere. Database access scoped per user (no one can see another user's data).

Lighthouse performance score above 80. Images optimized and lazy-loaded. Code splitting implemented for route-based loading. Database queries have indexes on columns you filter or sort by. Pagination on all data-heavy views. Static assets served with cache headers. No unnecessary client-side JavaScript — use server components where possible.

Error tracking configured (Sentry or similar). Custom error pages (404, 500). Error boundaries catch rendering failures gracefully. Loading states on all async operations. Graceful handling of network failures. Health check endpoint for uptime monitoring. Database backups configured and tested.

Environment variables configured on hosting platform. Production build tested locally before deploying. Custom domain with SSL configured. CI/CD pipeline runs tests before deployment. Monitoring and alerting for errors and downtime. DNS properly configured. Redirect from www to non-www (or vice versa).

Test the complete signup-to-core-action flow as a new user. Test on mobile devices. Test with slow network connections. Review all user-facing copy for accuracy. Set up analytics (privacy-respecting options: Plausible, Fathom, or PostHog). Prepare a rollback plan in case something goes wrong after launch.