Launch Checklist

Before you ship, run through every item. 20 checks across 4 categories. Miss one, and your launch could stumble. This is the final lesson — everything you have learned converges into one pre-flight check.

Why a Checklist Matters

Pilots do not skip their pre-flight checklist, no matter how many times they have flown. The same principle applies to shipping software. A single missed environment variable can cause a blank page. A leaked secret key can compromise your database. The checklist is not bureaucracy — it is insurance.

Before you start

This checklist assumes you have completed the previous 9 lessons. Each item connects back to skills you have already learned. If anything feels unfamiliar, revisit the lesson where it was covered.

Jargon cheat sheet:

  • RLS (Row Level Security) — database rules that control who can read/write each row. Like a bouncer for your data.
  • CORS (Cross-Origin Resource Sharing) — browser security that controls which websites can call your API.
  • Tree-shaking — automatically removing unused code from your final bundle, so users download less JavaScript.
  • Cache-Control — an HTTP header that tells browsers how long to keep a file before re-downloading it.
  • Indexes — a database optimization (like a book's index) that makes lookups fast instead of scanning every row.

Category 1: Security (5 Items)

Security checks come first because they are the hardest to fix after launch. A security incident on day one can kill trust permanently.

1. No secrets in frontend code

Grep your src/ directory for NEXT_PUBLIC_.*SERVICE_ROLE and NEXT_PUBLIC_.*SECRET. Zero matches = pass. Any match = stop everything and fix it.

2. RLS enabled on every table

Check the Supabase dashboard: Database → Tables. Every table should show a lock icon. Run supabase db lint --level warning to catch RLS gaps.

3. Stripe webhook signatures verified

Your webhook handler must call stripe.webhooks.constructEvent() before processing. Without it, anyone can fake payment events.

4. CORS configured on edge functions

Only your domain should be allowed to call your API. Set Access-Control-Allow-Origin to your production domain, not *.

5. No secrets in git history

Search your git history: git log -p | grep -i "sk_live\|whsec_\|service_role". If found: revoke the key immediately, generate a new one, force-push a cleaned history.
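What the signature check in item 3 protects, as an added example that is not code from this lesson or from Stripe's library: a Node.js version of the HMAC-SHA256 verification applied to the Stripe-Signature header, which rejects a modified body, a wrong secret, or a stale timestamp. The function names, the 300-second tolerance, and the sample secret and event are assumptions constructed for illustration; a production handler should keep calling stripe.webhooks.constructEvent().

```javascript
// Added illustration (not Stripe's library code): the check behind a
// Stripe-Signature header, using Node's built-in crypto module.
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window for this example

// Parse "t=<unix time>,v1=<hex hmac>[,v1=...]" into its parts.
function parseSignatureHeader(header) {
  const parsed = { timestamp: NaN, signatures: [] };
  for (const part of String(header || "").split(",")) {
    const [key, value] = part.trim().split("=", 2);
    if (key === "t") parsed.timestamp = Number(value);
    if (key === "v1" && value) parsed.signatures.push(value);
  }
  return parsed;
}

// Returns the parsed event, or throws when the header, signature or age is bad.
// rawBody must be the exact request text, not re-serialized JSON.
function verifyWebhook(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (!Number.isInteger(timestamp) || signatures.length === 0) {
    throw new Error("malformed signature header");
  }
  const expected = crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8").digest();
  const matches = signatures.some((sig) => {
    const candidate = Buffer.from(sig, "hex");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return candidate.length === expected.length &&
      crypto.timingSafeEqual(candidate, expected);
  });
  if (!matches) throw new Error("signature mismatch");
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) {
    throw new Error("timestamp outside tolerance");
  }
  return JSON.parse(rawBody);
}

// Constructed sample data: this secret and event are made up for the demo.
const SAMPLE_SECRET = "whsec_example_not_a_real_secret";
const SAMPLE_BODY = JSON.stringify({ id: "evt_example", type: "checkout.session.completed" });
function signForTest(body, secret, timestamp) {
  const mac = crypto.createHmac("sha256", secret).update(`${timestamp}.${body}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}
const sampleHeader = signForTest(SAMPLE_BODY, SAMPLE_SECRET, 1700000000);
console.log(verifyWebhook(SAMPLE_BODY, sampleHeader, SAMPLE_SECRET, 1700000000).type);
```

The body passed in must be the unparsed request text; verifying a re-serialized JSON object fails because the bytes no longer match what was signed.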

Category 2: Performance (5 Items)

Performance is user experience. A 3-second load time loses 53% of mobile visitors. These checks keep your app fast.

6. Bundle size under 100KB first load

Run next build and check "First Load JS." Over 100KB means unused libraries are bloating your bundle. Check imports — are you importing entire libraries when you only need one function?

7. Images optimized

Use the Next.js <Image> component for automatic WebP conversion and lazy loading. No raw <img> tags for large images.

8. Database indexes on queried columns

Every column in a WHERE clause or ORDER BY should have an index. Without one, Postgres scans every row — fine for 100 rows, catastrophic for 100K.

9. Cache-Control headers set

Static assets (CSS, JS, images) should have long cache times. API responses should not be cached unless intentional. Check with curl -I your-url.

10. Edge function cold starts acceptable

First request after idle may take 1-3 seconds (cold start). Test your edge functions after a 5-minute idle. If cold starts are too slow, consider warming them with a scheduled ping.

Category 3: User Experience (5 Items)

Users do not read error logs. They see blank pages and leave. These checks ensure your app handles failures gracefully.

11. Error states handled

What does the user see when the API is down? When payment fails? When they submit an empty form? Every error should show a helpful message, not a blank page or raw error.

12. Mobile responsive

Test on a real phone or Chrome DevTools mobile mode. Check: text readable without zooming, buttons large enough to tap, forms usable on small screens.

13. Payment cancel URL configured

When a user cancels on Stripe, where do they land? Set cancel_url in your checkout session to a helpful page — not the homepage with no context.

14. Loading states present

Every button that triggers an API call should show a spinner or "Loading..." state. Prevents double-clicks, double-payments, and confused users.

15. Success confirmation clear

After subscribing: show a confirmation message. After paying: redirect to a success page with next steps. Users should never wonder "did that work?"
