Deployment

The Zero-Panic Deployment Checklist I Actually Use

A field-tested deployment checklist for small to mid-sized web projects: DNS, SSL, redirects, cache, forms, monitoring, and the small steps that prevent embarrassing go-live moments.

October 2025 4 min read By Vedansh Vijayvargia

Every launch I have ever botched was botched on something embarrassingly small. The wrong meta robots tag. A test page left in the sitemap. An old phone number in the footer. This is the checklist I print and tick off, in order, before every client go-live.

The night before

  • DNS TTL lowered to 300s at least 24 hours before the switch. This makes any rollback fast.
  • Final content review with the client. Spelling, phone numbers, addresses, pricing. Nothing else.
  • Backup of any existing site before pointing DNS. Two copies — one local, one on cloud storage.

The day of

Domain & SSL

  • DNS A / CNAME points at the new host.
  • SSL certificate is issued and valid (Let's Encrypt via cPanel, Hostinger, or Cloudflare).
  • HTTP to HTTPS redirect is active. Check from incognito, not just your own machine which may have cached the old version.
  • www → apex (or apex → www, your call) redirect is active. Pick one canonical version. Both should not return 200.

Server config

  • .htaccess uploaded and Apache modules (mod_rewrite, mod_headers, mod_deflate) enabled.
  • PHP version matches what your code expects. PHP 8.2 minimum for anything new.
  • File permissions: 644 for files, 755 for folders. Never 777 on a public host.
  • display_errors = Off in production php.ini. Errors go to log files, not the visitor's browser.

Pages & assets

  • /sitemap.xml exists, is valid XML, lists current canonical URLs.
  • /robots.txt does not contain Disallow: / — the most common embarrassing go-live mistake.
  • /favicon.ico and apple-touch-icon are present.
  • Open Graph image returns 200 and renders correctly when tested via the OG debugger.
  • Hero images compressed; total page weight under 1.5 MB ideally.

Forms

  • Submit a real test through every form. Confirm it landed where it should — database, inbox, Slack.
  • CSRF tokens present and verified server-side.
  • Honeypot field included for spam.
  • Success and error states display properly.
  • Form does not double-submit on rapid clicks.

Tracking

  • Google Search Console verified for both www. and apex.
  • Sitemap submitted to Search Console.
  • Google Analytics 4 firing real events (test "page_view" and "form_submit" from a real device).
  • Uptime monitor configured (UptimeRobot's free plan is enough for most launches).

Performance

  • Run PageSpeed Insights on mobile, not just desktop. Target ≥ 80 on mobile for a marketing site.
  • Run WebPageTest from the region your visitors live in, not from California.
  • Verify gzip / brotli compression is active for HTML, CSS, JS.
  • Long cache headers on static assets (30 days+).

Security headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Referrer-Policy: strict-origin-when-cross-origin
  • Strict-Transport-Security — only after you have confirmed HTTPS works everywhere. HSTS is a one-way door.

The day after

  • Check Search Console "Coverage" report for crawl errors. Fix anything that says "Submitted URL not found (404)".
  • Spot-check the site on a real phone, on mobile data. Wi-Fi hides a lot.
  • Review the access logs for 404s and fix or 301-redirect any obvious mistakes.
  • Reset DNS TTL back to a sensible value (3600 or 14400).

The mistakes I will not repeat

  • Launching on a Friday afternoon. If something breaks, you spend Saturday on it. Tuesday morning launches survive better.
  • Trusting the client's "everything looks fine" without doing a real submission from a fresh browser.
  • Leaving noindex on the staging site live in production because the meta tag was set in code and not config.
  • Pointing DNS before the SSL cert was actually issued. There is a short window of "this site is unsafe" warnings; visitors remember.

The one-page version

If you only have ten minutes before go-live: HTTPS works, robots.txt is sane, sitemap is valid, forms submit successfully, page loads under 2 seconds on mobile, Search Console is verified. The rest can be fixed in week one. Those six things cannot.

If you want a second pair of eyes before your launch, that is one of the cheaper services I offer — see the contact section on the homepage.

Ready to build?

Turn this kind of architecture into your product.

Start a project →

Keep reading

AI / Machine Learning May 2026

RAG vs Fine-tuning: How I Actually Decide for Production AI Apps

A practical decision framework from a working AI developer — when retrieval beats fine-tuning, when it does not, and the cost numbers nobody puts in their slides.
AI / Machine Learning May 2026

How I Cut a Client's OpenAI Bill by 62% Without Hurting Quality

Eight techniques that reduced a production AI app's monthly inference bill from $1,470 to $558 — model routing, prompt diet, caching, and the boring infra wins nobody talks about.
AI / Full Stack April 2026

Building a Production AI Dashboard with Next.js, Node, and Streaming LLMs

A field guide from the dashboard I ship at Technosmart — App Router, server actions, SSE streaming, Retell webhooks, and the small architecture choices that decide whether your AI product feels real.