Launch checklist draft

The go-live gate. Walk this before any DNS cutover — nothing ships until every box is checked.

Use this when

A site is feature-complete and you're preparing to point a production domain at it.

Definition of done

Every item below is verified on the production domain, not just staging. Sign off with the date and who checked.

Transport & domain

  1. SSL certificate active and HTTPS enforced. → SSL / domain / DNS cutover
  2. HSTS enabled (with a considered max-age before adding preload).
  3. http:// and www/apex variants redirect to the canonical HTTPS host.

Security

  1. Strict CSP set and enforced (not Report-Only). → Security baseline
  2. 2FA enabled on the CMS/host account; login attempts limited.
  3. Spam defenses on every form — CAPTCHA + honeypot. → Forms & data handling
  4. No untrusted input reaches unsafe DOM sinks; author HTML is sanitized.

Data & operations

  1. Automatic backups confirmed (host-level or scheduled).
  2. Payment flows use a PCI-DSS-compliant gateway (Stripe/PayPal).
  3. Monitoring/uptime alerting wired. → Monitoring & backups

Gotchas

Verify on the production domain after cutover — SSL, redirects, and CSP behave differently than on staging/preview hosts.
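
One way to script the transport and CSP items for that post-cutover pass, as an added example that is not part of the original checklist. It evaluates redirect hops and response headers you captured from the production domain; the host names, the `audit` helper and the sample capture are constructed placeholders.

```python
from urllib.parse import urlsplit

CANONICAL = "https://www.example.com/"  # assumed canonical host (placeholder)

def header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

def audit(chains, canonical=CANONICAL):
    """chains maps each start URL to its hops [(url, status, headers), ...],
    captured hop by hop. Returns a list of failures (empty means pass)."""
    failures = []
    for start, hops in chains.items():
        final_url, status, headers = hops[-1]
        if final_url != canonical or status != 200:
            failures.append(f"{start}: ends at {final_url} ({status}), not canonical")
            continue
        # After the first hop, the chain must never drop back to plain HTTP.
        if any(urlsplit(u).scheme != "https" for u, _, _ in hops[1:]):
            failures.append(f"{start}: redirect chain passes through plain HTTP")
        if not hsts_max_age(header(headers, "Strict-Transport-Security")):
            failures.append(f"{start}: HSTS missing or max-age=0")
        if not header(headers, "Content-Security-Policy"):
            ro = header(headers, "Content-Security-Policy-Report-Only")
            failures.append(f"{start}: CSP " + ("is Report-Only" if ro else "missing"))
    return failures

# Constructed sample capture: the redirect is correct, but CSP is still Report-Only.
SAMPLE = {
    "http://example.com/": [
        ("http://example.com/", 301, {"Location": "https://www.example.com/"}),
        ("https://www.example.com/", 200, {
            "strict-transport-security": "max-age=86400",
            "content-security-policy-report-only": "default-src 'self'",
        }),
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```

Run it over all four start variants (http/https, www/apex). It confirms that an enforcing CSP header is present, not that the policy itself is strict, so the policy still needs a manual read.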

Why & sources

Composed from Webflow's website-security checklist and the platform research: Web security for client sites.