MVP to Production: The Complete Checklist

You built your MVP. It works. Users are interested. Now you need to make it production-ready — and you're not sure what that actually means.

This checklist is what we use at Second Stage when we audit AI-built MVPs for non-tech founders. It's the same framework whether your app was built with Bolt.new, Lovable, Cursor, or a freelancer. Print it out, work through it section by section, and you'll launch with confidence.

Security Checklist

Security isn't optional. A single vulnerability can destroy user trust overnight.

  • No secrets in source code — API keys, database passwords, and tokens live in environment variables or a secrets manager, never in git
  • Environment variables separated — different .env files for development, staging, and production; never share credentials across environments
  • Input validation on every endpoint — validate and sanitize all user inputs server-side, regardless of client-side validation
  • Authentication implemented correctly — use established libraries (NextAuth, Clerk, Auth0), not hand-rolled JWT logic
  • Authorization on every route — authenticated doesn't mean authorized; check user roles before returning data
  • Rate limiting on API endpoints — prevent brute-force attacks and API abuse; at minimum on auth endpoints
  • CORS configured properly — only allow origins you control, not *
  • HTTPS everywhere — no mixed content, HSTS headers enabled
  • SQL injection prevention — use parameterized queries or an ORM, never string concatenation
  • XSS prevention — escape user-generated content, use Content Security Policy headers
  • Dependency audit — run npm audit or equivalent; fix critical vulnerabilities before launch
  • File upload validation — if users can upload files, validate type, size, and scan for malware
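Four of the items above (CORS allowlist, rate limiting on the login endpoint, server-side input validation, and authorization on every route) written out as plain functions. This is an added example, not code from the original post; it uses no framework so it runs anywhere, and the origins, users and documents in it are constructed sample data.

```javascript
// Added example, not code from the original post. CORS allowlist, login
// rate limiting, server-side id validation and per-record authorization as
// framework-free functions. All origins, users and documents are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://www.example.com']);

// CORS: reflect only an origin we control, never '*'; unknown origins get no header.
function corsHeaders(origin) {
  return ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' }
    : {};
}

// Rate limiting: fixed window per key (e.g. client IP) for the login endpoint.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> { start, count }
  }
  allow(key, now = Date.now()) {
    const entry = this.hits.get(key);
    if (!entry || now - entry.start >= this.windowMs) {
      this.hits.set(key, { start: now, count: 1 }); // start a new window
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}
const loginLimiter = new RateLimiter(5, 15 * 60 * 1000); // 5 attempts per 15 minutes

// Authorization: authenticated is not authorized. Validate the id server-side,
// load the record, then check ownership (or admin role) before returning it.
const DOCS = new Map([
  ['d1', { id: 'd1', ownerId: 'u1', body: 'alice notes' }],
  ['d2', { id: 'd2', ownerId: 'u2', body: 'bob notes' }],
]);
const ID_PATTERN = /^[a-z0-9]{1,32}$/;

function getDocument(req) {
  if (!req.user) return { status: 401 };                 // not authenticated
  if (!ID_PATTERN.test(req.params.id ?? '')) return { status: 400 };
  const doc = DOCS.get(req.params.id);
  if (!doc) return { status: 404 };
  const allowed = doc.ownerId === req.user.id || req.user.role === 'admin';
  if (!allowed) return { status: 403 };                  // authenticated, not authorized
  return { status: 200, body: doc.body, headers: corsHeaders(req.origin) };
}
```

The 403 branch is the one most AI-generated CRUD routes omit: the query is scoped by record id only, so any logged-in user can read any record.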

Performance Checklist

Slow apps lose users. Every 100ms of latency costs you conversions.

  • Database queries optimized — no N+1 queries, proper indexes on frequently queried columns
  • Connection pooling configured — don't open a new database connection per request
  • Caching strategy in place — static assets cached at CDN level, API responses cached where appropriate
  • Images optimized — use WebP/AVIF, proper sizing, lazy loading for below-fold images
  • Bundle size audited — tree-shake unused dependencies, code-split routes
  • Server-side rendering for public pages — SPAs are fine for authenticated dashboards, not for landing pages
  • CDN configured — static assets served from edge locations, not your origin server
  • Compression enabled — gzip or brotli on all text responses
  • Database connection limits set — know your connection pool size and max concurrent connections
  • Background jobs for heavy operations — don't process CSV imports or send emails in the request cycle

SEO Checklist

If users can't find you, nothing else matters.

  • Unique title and meta description on every page
  • Open Graph and Twitter Card tags — your links should look good when shared
  • Canonical URLs set — prevent duplicate content issues
  • Sitemap.xml generated and submitted to Google Search Console
  • robots.txt configured — allow crawling of public pages, block admin/API routes
  • Structured data (Schema.org) — help search engines understand your content
  • Core Web Vitals passing — LCP under 2.5s, CLS under 0.1, INP under 200ms
  • Mobile responsive — test on actual devices, not just browser dev tools
  • 404 page implemented — a custom 404 is better than a blank screen
  • Redirects for changed URLs — don't break existing links

Monitoring and Alerting Checklist

You need to know about problems before your users do.

  • Uptime monitoring active — external service checking your app every 1-5 minutes
  • Error tracking configured — Sentry, LogRocket, or equivalent catching unhandled exceptions
  • Health check endpoint — a simple /health route that verifies database connectivity
  • Alerting configured — email/Slack/PagerDuty notifications for downtime and error spikes
  • Structured logging — JSON logs with request IDs, timestamps, and severity levels
  • Performance monitoring — track response times, throughput, and error rates over time
  • Log retention policy — know how long logs are kept and where they're stored
  • Dashboard for key metrics — you should be able to see app health at a glance
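The structured-logging and alerting items above, as an added example that is not part of the original post: a JSON logger that stamps each line with a timestamp, severity and request ID, and the alert logic that reads those lines back and flags a minute whose 5xx rate is too high. The request-ID format and all log lines are constructed for the example.

```javascript
// Added example, not from the original post: a structured JSON logger with
// request IDs, timestamps and severity, plus the alerting logic that reads those
// lines back and flags an error spike. The request-ID scheme and all log lines
// are constructed for the example.

const LEVELS = { debug: 10, info: 20, warn: 30, error: 40 };
let seq = 0;
function newRequestId() { seq += 1; return `req-${seq.toString(16).padStart(8, '0')}`; }

// One JSON object per line; unknown levels are rejected rather than logged loosely.
function logLine(level, msg, { ts = Date.now(), ...fields } = {}) {
  if (!(level in LEVELS)) throw new Error(`unknown log level: ${level}`);
  return JSON.stringify({ ts: new Date(ts).toISOString(), level, severity: LEVELS[level], msg, ...fields });
}

// Alerting: bucket finished requests per minute and report buckets whose 5xx
// rate exceeds the threshold. minRequests stops one failed request out of a
// handful from paging anyone.
function errorSpikes(lines, { threshold = 0.05, minRequests = 20 } = {}) {
  const buckets = new Map(); // "YYYY-MM-DDTHH:MM" -> { total, errors }
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // malformed line: skip, never crash the alerter
    if (e.msg !== 'request_finished' || typeof e.ts !== 'string') continue;
    const minute = e.ts.slice(0, 16);
    const b = buckets.get(minute) ?? { total: 0, errors: 0 };
    b.total += 1;
    if (e.status >= 500) b.errors += 1;
    buckets.set(minute, b);
  }
  return [...buckets]
    .filter(([, b]) => b.total >= minRequests && b.errors / b.total > threshold)
    .map(([minute, b]) => ({ minute, total: b.total, rate: b.errors / b.total }));
}

// Constructed sample: a healthy minute (1 error in 30) and a bad minute (6 in 30).
function sampleLines() {
  const lines = [];
  for (const [minute, failing] of [[0, 1], [1, 6]]) {
    for (let i = 0; i < 30; i++) {
      const status = i < failing ? 500 : 200;
      lines.push(logLine(status >= 500 ? 'error' : 'info', 'request_finished', {
        ts: Date.UTC(2024, 4, 1, 10, minute, i), requestId: newRequestId(), status, path: '/api/items',
      }));
    }
  }
  lines.push('not json at all'); // exercises the malformed-line guard
  return lines;
}
```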

Backup and Recovery Checklist

Hope for the best, prepare for the worst.

  • Automated database backups — daily at minimum, stored offsite
  • Backup restoration tested — a backup you've never restored is not a backup
  • Deployment rollback plan — know how to revert to the previous version in under 5 minutes
  • Data export capability — users should be able to export their data (also a GDPR requirement)
  • Disaster recovery documented — what happens if your server dies? Can you rebuild in hours, not days?
  • File/media backup strategy — if users upload files, those need backup too

Infrastructure Checklist

Your code is only as reliable as what it runs on.

  • Server resources adequate — enough CPU, RAM, and disk for your expected load plus 2x headroom
  • Auto-scaling configured (if applicable) — handle traffic spikes without manual intervention
  • SSL certificate auto-renewal — Let's Encrypt or managed certificates that won't silently expire
  • Firewall rules configured — only necessary ports open
  • DNS configured with reasonable TTL — not too long (hard to change), not too short (extra lookups)
  • Process manager running — PM2, systemd, or container orchestration to restart crashed processes
  • Zero-downtime deployments — users shouldn't see errors during deploys

Legal and Compliance Checklist

Don't get sued.

  • Privacy policy published — required by law in the EU (GDPR) and most jurisdictions
  • Cookie consent implemented — if you use analytics or tracking cookies
  • Terms of service published — especially if handling payments or user data
  • GDPR compliance — data deletion requests, data export, consent management
  • Payment processing secured — use Stripe/Paddle, never store card data yourself

Pre-Launch Final Checks

The last mile before you flip the switch.

  • Load test completed — simulate expected traffic and verify the app holds up
  • Cross-browser testing — Chrome, Firefox, Safari, Edge at minimum
  • Email delivery tested — transactional emails actually arrive (check spam folders)
  • Error pages tested — trigger 404 and 500 errors and verify they display correctly
  • Analytics installed — you need data from day one to make decisions
  • Domain and DNS verified — the production domain resolves correctly with SSL

How to Use This Checklist

Don't try to do everything at once. Prioritize by risk:

  1. Security — fix these first, non-negotiable
  2. Monitoring — you need visibility before you can fix anything else
  3. Performance — directly impacts user experience and conversion
  4. Backup — insurance policy; do it before you have data you can't afford to lose
  5. SEO — important but can be improved iteratively post-launch

Not every item applies to every app. A B2B dashboard doesn't need SEO. A content site doesn't need complex authorization. Use judgment.

Need Help?

This checklist covers what needs to be done. If you need help with the how — or just want a second pair of eyes — book a free Quick Audit. We'll review your MVP against this checklist and give you a prioritized action plan.

You can also read our guide on why vibe coding isn't enough for production or our deep dive into security holes in AI-built apps.
