Vinta's Playbook

Plans and practices


Launch

Before launching to production, make sure every item below has been verified.

Frontend Checklist

Django Checklist

  • Run python manage.py check --deploy in production
  • Mount Admin, Celery Flower, etc. at non-default, hard-to-guess URL paths (this keeps them out of scanners' default wordlists; it does not replace authentication).
  • Check redirections, especially if it's a new platform replacing an old one.
  • Set upload_to argument for all FileField and ImageField.
  • Check secrets and environment-specific values come from environment variables, not hardcoded settings.
  • Properly set ALLOWED_HOSTS (the real hostnames, never "*").
  • Guarantee DEBUG = False.
  • Generate a new SECRET_KEY for production; never reuse the development one or one committed to the repository.
  • Set APPEND_SLASH = True.
  • Set CSRF_COOKIE_SECURE = True.
  • Set SESSION_COOKIE_SECURE = True.
  • Check SECURE_PROXY_SSL_HEADER. Set it only when a trusted proxy (e.g. the Heroku router) overwrites the header on every request; otherwise clients can spoof HTTPS. See documentation.
  • Set SECURE_SSL_REDIRECT = True.
  • Check XFrameOptionsMiddleware is being used. See documentation.
  • Set HTTP Strict Transport Security. See documentation.
  • Set SECURE_CONTENT_TYPE_NOSNIFF = True.
  • Set SECURE_BROWSER_XSS_FILTER = True on Django < 3.0 (the setting was deprecated in 3.0 and removed in 4.0 because browsers dropped X-XSS-Protection).
  • If using subdomains, set SESSION_COOKIE_DOMAIN. See documentation.
  • Consider ATOMIC_REQUESTS for DB integrity. See documentation.
  • Check DEFAULT_FROM_EMAIL is set to a friendly replyable email.
  • Set and test ADMINS for 500 errors emails.
  • Set and test MANAGERS for 404 errors emails.
  • Check email templates are correct.
  • Save metadata of every email sent, use Anymail signals.
  • Check CORS settings, use django-cors-headers.
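The settings above, as an added example (not Vinta's code): derive them from environment variables and audit the result for the weak values the checklist forbids. It is pure Python with no Django import, so it runs anywhere. The setting names are real Django and django-cors-headers settings; the DJANGO_* variable names, the custom ADMIN_URL setting, the audit() helper and the two sample environments are assumptions constructed for this example.

```python
# Added example, not Vinta's code. Setting names are real Django settings;
# the DJANGO_* env var names, ADMIN_URL and audit() are assumptions.
import secrets

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"
XFRAME_MIDDLEWARE = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def _csv(value):
    """Split a comma-separated env var into a list, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def settings_from_env(env):
    """Return Django settings derived from env (a mapping such as os.environ).
    Nothing secret or host-specific is hardcoded."""
    return {
        "DEBUG": env.get("DJANGO_DEBUG", "false").lower() == "true",
        "SECRET_KEY": env.get("DJANGO_SECRET_KEY", ""),
        "ALLOWED_HOSTS": _csv(env.get("DJANGO_ALLOWED_HOSTS", "")),
        # SECURE_* settings only take effect through SecurityMiddleware
        # (other middleware omitted for brevity).
        "MIDDLEWARE": [SECURITY_MIDDLEWARE, XFRAME_MIDDLEWARE],
        "APPEND_SLASH": True,
        "CSRF_COOKIE_SECURE": True,
        "SESSION_COOKIE_SECURE": True,
        # Trust X-Forwarded-Proto only because the platform proxy overwrites it.
        "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
        "SECURE_SSL_REDIRECT": True,
        "SECURE_HSTS_SECONDS": 31536000,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
        "SECURE_CONTENT_TYPE_NOSNIFF": True,
        # SECURE_BROWSER_XSS_FILTER deliberately absent: removed in Django 4.0.
        "X_FRAME_OPTIONS": "DENY",
        "SESSION_COOKIE_DOMAIN": env.get("DJANGO_SESSION_COOKIE_DOMAIN") or None,
        "DEFAULT_FROM_EMAIL": env.get("DJANGO_DEFAULT_FROM_EMAIL", ""),
        "ADMINS": [("Ops", e) for e in _csv(env.get("DJANGO_ADMINS", ""))],
        "MANAGERS": [("Ops", e) for e in _csv(env.get("DJANGO_MANAGERS", ""))],
        "CORS_ALLOWED_ORIGINS": _csv(env.get("DJANGO_CORS_ALLOWED_ORIGINS", "")),
        "CORS_ALLOW_ALL_ORIGINS": False,
        # Custom setting (assumption): the non-default path urls.py mounts the admin at.
        "ADMIN_URL": env.get("DJANGO_ADMIN_URL", "admin/"),
    }


def audit(settings):
    """Return the checklist items the settings violate (empty list = ready).
    A small stand-in for `manage.py check --deploy`, limited to this page's items."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG must be False in production")
    key = settings.get("SECRET_KEY", "")
    # Same thresholds as Django's security.W009 check.
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        findings.append("SECRET_KEY is missing, too short or the startproject default")
    hosts = settings.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS must list the real hostnames, not '*'")
    middleware = settings.get("MIDDLEWARE", [])
    if SECURITY_MIDDLEWARE not in middleware:
        findings.append("SecurityMiddleware missing, so SECURE_* settings do nothing")
    if XFRAME_MIDDLEWARE not in middleware:
        findings.append("XFrameOptionsMiddleware missing (clickjacking)")
    for flag in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE",
                 "SECURE_SSL_REDIRECT", "SECURE_CONTENT_TYPE_NOSNIFF"):
        if not settings.get(flag):
            findings.append(f"{flag} must be True")
    if not settings.get("SECURE_HSTS_SECONDS"):
        findings.append("SECURE_HSTS_SECONDS must be > 0 (Strict-Transport-Security)")
    if settings.get("CORS_ALLOW_ALL_ORIGINS") or "*" in settings.get("CORS_ALLOWED_ORIGINS", []):
        findings.append("CORS must not allow every origin")
    if settings.get("ADMIN_URL", "admin/") == "admin/":
        findings.append("admin is mounted at the default /admin/ path")
    if not settings.get("ADMINS"):
        findings.append("ADMINS is empty, so 500 error emails go nowhere")
    return findings


# Constructed environments for the example; a real deployment injects these.
PRODUCTION_ENV = {
    "DJANGO_DEBUG": "false",
    "DJANGO_SECRET_KEY": secrets.token_urlsafe(48),  # how a fresh key is generated
    "DJANGO_ALLOWED_HOSTS": "example.org,api.example.org",
    "DJANGO_SESSION_COOKIE_DOMAIN": ".example.org",
    "DJANGO_DEFAULT_FROM_EMAIL": "hello@example.org",
    "DJANGO_ADMINS": "ops@example.org",
    "DJANGO_MANAGERS": "ops@example.org",
    "DJANGO_CORS_ALLOWED_ORIGINS": "https://example.org",
    "DJANGO_ADMIN_URL": "ops-console-4d1f/",
}
# A development .env copied to production by mistake.
LEAKED_DEV_ENV = {
    "DJANGO_DEBUG": "true",
    "DJANGO_SECRET_KEY": "django-insecure-change-me",
    "DJANGO_ALLOWED_HOSTS": "*",
}

if __name__ == "__main__":
    print("production:", audit(settings_from_env(PRODUCTION_ENV)) or "OK")
    for finding in audit(settings_from_env(LEAKED_DEV_ENV)):
        print("dev env:", finding)
```

Running it prints "OK" for the production environment and five findings for the leaked development one (DEBUG, SECRET_KEY, ALLOWED_HOSTS, the default admin path and empty ADMINS). Keep the real `python manage.py check --deploy` in the pipeline as well: it covers far more than this audit, and it runs against the settings module Django actually loads.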

Third-party Checklist

  • Add the credentials for all third-party tools to LastPass.
  • Add the development environment credentials to LastPass.
  • Configure Papertrail, or other logging service.
  • Configure Sentry for backend, including Celery.
  • Configure Sentry for frontend.
  • Configure Mailgun, or other transactional email service.
  • Configure Cloudflare cache for frontend assets.
  • Configure Uptime Robot.
  • Setup Google Tag Manager container ID.
  • Update OAuth callback/deauthorize URLs in all third-party services.
  • Rotate OAuth keys of all third-party services.
  • Change passwords of all third-party services.
  • Check AWS S3 buckets and Azure blob containers are private (no anonymous listing or reads).
  • Check the SaaS CTO Security Checklist.

Server Checklist

  • Check latest Heroku stack is being used.
  • Check latest server OS version is being used.
  • Check latest server Python version is being used.
  • Set a Heroku "Standard" database or higher.
  • Configure database backup generation scripts.
  • Configure full disk backups for the database server. Make sure they are stored in another resource group (not production), locked against deletion, and easy and fast to restore.
  • Tune PostgreSQL settings.
  • Configure SSL for everything.
  • Configure SSL certificates autorenewal.
  • Test SSL health.
  • Configure Redis maxmemory and eviction policy (likely noeviction, so writes fail loudly instead of silently evicting queued jobs).
  • Configure RabbitMQ.
  • Configure application firewall for application servers.
  • Guarantee Celery and other services aren't running as root.
  • Limit file size for uploads, both at the web server and in the application.
  • Validate upload media types by content (magic bytes), not by extension or the client-supplied Content-Type. See here.
  • Configure throttling.
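The upload size limit and media type validation from the list above, as an added example that is not Vinta's code: the allowed type is decided from the file's own leading bytes, then cross-checked against the declared Content-Type and the extension. The allowlist, the 5 MiB limit, the helper names and the sample inputs are assumptions constructed for this example.

```python
# Added example, not Vinta's code. Allowlist, limit and samples are assumptions.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Magic numbers from the format specs. SVG is deliberately not allowed: it is
# XML that can carry <script> and executes if a browser renders it inline.
ALLOWED_TYPES = {
    "image/png": {"magics": (b"\x89PNG\r\n\x1a\n",), "extensions": ("png",)},
    "image/jpeg": {"magics": (b"\xff\xd8\xff",), "extensions": ("jpg", "jpeg")},
    "image/gif": {"magics": (b"GIF87a", b"GIF89a"), "extensions": ("gif",)},
    "application/pdf": {"magics": (b"%PDF-",), "extensions": ("pdf",)},
}


class UploadRejected(ValueError):
    """Raised with a reason that is safe to show the user."""


def sniff_media_type(head):
    """Return the allowed media type whose signature starts `head`, else None."""
    for media_type, spec in ALLOWED_TYPES.items():
        if any(head.startswith(magic) for magic in spec["magics"]):
            return media_type
    return None


def validate_upload(data, declared_type, filename, max_bytes=MAX_UPLOAD_BYTES):
    """Return the verified media type or raise UploadRejected.
    Size is checked before content so oversized files cost nothing more."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected(f"file larger than {max_bytes} bytes")
    sniffed = sniff_media_type(data[:16])
    if sniffed is None:
        raise UploadRejected("file content is not an allowed type")
    # Browsers may append ";charset=..."; compare only type/subtype.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != sniffed:
        raise UploadRejected(f"declared {declared!r} but content is {sniffed}")
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if extension not in ALLOWED_TYPES[sniffed]["extensions"]:
        raise UploadRejected(f"extension .{extension} does not match {sniffed}")
    return sniffed


def check_upload(data, declared_type, filename, max_bytes=MAX_UPLOAD_BYTES):
    """Non-raising wrapper: (True, media_type) or (False, reason)."""
    try:
        return True, validate_upload(data, declared_type, filename, max_bytes)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed samples: a minimal PNG header, a PDF header, and an HTML payload
# uploaded under a .png name, the classic stored-XSS trick.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
PDF_SAMPLE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
HTML_AS_PNG = b"<html><script>alert(document.cookie)</script></html>"

if __name__ == "__main__":
    for args in [(PNG_SAMPLE, "image/png", "avatar.png"),
                 (PDF_SAMPLE, "application/pdf", "report.pdf"),
                 (HTML_AS_PNG, "image/png", "avatar.png"),
                 (PNG_SAMPLE, "image/png", "avatar.html"),
                 (b"\xff\xd8\xff" * 2_000_000, "image/jpeg", "huge.jpg")]:
        print(args[2], "->", check_upload(*args))
```

Once a file passes, store it under a server-generated name via upload_to rather than the client's filename, and serve it from a separate origin (the storage bucket or CDN) so that even a polyglot file cannot run script in the application's origin. Magic bytes catch mislabeled files; fully decoding images with a library catches corrupted ones.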

DNS Checklist

  • Check records.
  • Check TTL. Set low when launching, set high after everything is fine.
  • Move API to a different subdomain (api.example.org, for example). This allows a different server for the frontend.
  • Enforce or remove www subdomain (and set PREPEND_WWW in Django if necessary).


Please contact us at: contact@vinta.com.br and follow us on Twitter.

This work is licensed under a Creative Commons License.