32 things to do before deploying to production

Following the recent trend of “10 Things You Need To…” articles I decided to write my own list of things that you need to do. Nah. I have just built the list based on my experience and mistakes that I do not want to repeat. This is my checklist for future production deployments.

Production deployment checklist

Considering that each point of the list might be a good topic for a separate article I described each of them really briefly. For some of them I give an example of software that I recommend (there may be better alternatives).

Deployment automation

  • Staging environment Set up a staging environment which should look the same as production. Automate your deployment and upgrade process. Consider the usage of packages (sbt-native-packager), configuration management tools (chef, ansible) and containers (docker).
  • Continuous Integration Make your CI (jenkins, bamboo) able to build, test and deploy newest version of the application to the staging environment.


  • Collect and display metrics Collect usage of CPU, memory, disk, network from all hosts (collectd). Collect number of requests per seconds and response times of services (metrics). Store data in a central point (graphite). Display metrics as graphs (grafana).
  • Collect and manage logs Collect, store and analyze logs. It will help you in finding and resolving problems faster. (splunk, logstash)
  • Configure alerts Configure monitoring system to send an email to support in case of a system outage (grafana-alerts).


  • Real-life simulations Prepare testing scenarios which simulate real traffic (gatling). Run tests all the time (even during upgrades) to make sure that system behaves properly. Monitoring helps a lot during that step.
  • Smoke tests Prepare smoke tests (sanity tests) to verify basic functionality of the system which can be run even on a production environment. It can be used to be notified as soon as possible in case something goes wrong on production.


  • Memory leaks You have an environment, monitoring, and tests. Run them for several hours and check if the memory usage is not increasing during constant load. There are also tools that might help like plumbr.
  • Blocking threads When running tests, check if there are no unexpected blocking of threads. Tools like visualvm or yourkit help a lot.
  • Keep alive HTTP connections When using an HTTP client, make sure it is using a pool of keep-alive connections.
  • Confidential data in logs Ensure there are not passwords and other confidential data in the logs.
  • Graceful shutdown On shutdown application should stop accepting new requests and finish the already processing ones.
  • Backpressure If you app is doing some asynchronous work, it might get into a state when is overloaded and not able to handle more tasks. Think about a backpressure mechanism to avoid that.
  • Input validation Ensure proper validation and filtering of incoming data. Prevent SQL injection.
  • Audit logs Log every user action as audit logs.


  • Database indexes Make sure that all required indexes are set. The application probably should not do full table scan queries at all. Disable full table scan queries in database and run tests to verify that.
  • Memory settings Adjust memory settings of services according to host capacity.
  • OS hardening Adjust operating system settings to increase the performance. My two most common tweaks are to increase the maximum number of open file descriptors (ulimit -n) and allow reusing sockets (by enabling tcp_tw_reuse).
  • Log rotation Avoid full disk by enabling log rotation (logback). Backup archived logs if necessary.
  • Startup script Prepare start/stop/restart scripts for the application (upstart). It might be useful if the start script waits and checks if the application did actually start properly.
  • Backups, updates, and reverts Schedule backups, test update process and prepare disaster recovery plan.


  • Tests on different browsers, smartphones, and tablets For that use a smart tool like browserstack.
  • Input field validation Test if input fields have proper validation attached.
  • HttpOnly cookie HttpOnly cookie cannot be accessed from javascript and prevents XSS attacks.
  • CSRF protection Use CSRF tokens to protect users from executing unwanted actions (csrf).
  • Minification Reduce the size of js, html and css files and improve the performance using minifiers.


  • Configure access to hosts Make sure only authorized people can access hosts.
  • Expose only required ports Make only ports for public endpoints open. Bind other services to localhost.
  • HTTPs for public endpoints Use HTTPs and signed SSL certificate on public endpoints.
  • Brute force and DDoS protection Think about brute force and DDoS protection before it is too late.
  • Strong hashing algorithm for passwords Make sure you are not using a weak hashing algorithm for passwords.


  • Prepare/update documentation Remember to finish the documentation before final deployment. For APIs use tools like swagger.


This list for sure is not exhaustive. For each type of application, there are different things that can be easily forgotten. But I think that nowadays most of these things are common for JVM/REST application and can be used for a quick basic check.

comments powered by Disqus