Production Checklist

Backend

  • DATABASE_URL is set as a Cloudflare secret
  • ADMIN_API_KEY is set as a Cloudflare secret
  • Queue producer and consumer bindings are configured
  • Cron trigger is configured for retention cleanup
  • rate_limit_counters table exists
  • Retention cleanup dry-run works
  • Event rate limit test fails on attempt 61 with the default config
  • Endpoint create rate limit test fails on attempt 31 with the default config

Security

  • SSRF protection rejects localhost, private IPs, metadata hosts, embedded credentials, and non-HTTP protocols
  • Payload size limit is enforced
  • Fan-out limit is enforced
  • Endpoint quota is enforced
  • Signed webhooks are enabled
  • Secret rotation overlap works
  • API keys are never exposed in browser code
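
One way to exercise the SSRF item above, as an added example that is not the project's own code: `rejectReason`, `METADATA_HOSTS` and the reason strings are hypothetical names, and the metadata host list is a constructed sample. It relies on the WHATWG `URL` parser to normalize short and hex IPv4 forms before the range checks run.

```javascript
// Added example: hypothetical destination-URL validator for webhook endpoints.
const METADATA_HOSTS = new Set(["metadata.google.internal"]); // constructed sample list

function ipv4Blocked(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||   // "this" network, private, loopback
    (a === 169 && b === 254) ||                // link-local, incl. 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||       // private
    (a === 192 && b === 168) ||                // private
    (a === 100 && b >= 64 && b <= 127);        // carrier-grade NAT
}

function ipv6Blocked(host) {
  if (!host.startsWith("[")) return false;     // URL.hostname brackets IPv6 literals
  const addr = host.slice(1, -1).toLowerCase();
  if (addr === "::1" || addr === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr)) return true; // fc00::/7, fe80::/10
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr); // IPv4-mapped
  if (!mapped) return false;
  const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
  return ipv4Blocked(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Returns null when the URL passes, otherwise a short reason string.
function rejectReason(raw) {
  let u;
  try { u = new URL(raw); } catch { return "invalid_url"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "protocol";
  if (u.username || u.password) return "embedded_credentials";
  const host = u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost";
  if (METADATA_HOSTS.has(host)) return "metadata_host";
  if (ipv4Blocked(host) || ipv6Blocked(host)) return "blocked_ip";
  return null;
}
```

This is a static check on the URL string only; a public hostname that resolves to an internal address still has to be caught when the delivery request is made.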

Documentation

  • Quickstart works from a clean tenant
  • Signature verification examples are correct
  • Error handling page includes common failures
  • PowerShell quickstart is up to date
  • API reference matches deployed routes