Shipping a Next.js app to production: our deployment checklist.
The checklist we run through before every production deployment. From security headers to monitoring to rollback plans.
Deploys fail for boring reasons.
Most production issues aren't caused by clever bugs. They happen because someone forgot to set an environment variable, or didn't test the auth flow on the staging URL, or skipped the security headers.
We built this checklist after shipping dozens of Next.js apps to production. Every item on it exists because we (or a client) learned the hard way. It's not exhaustive — it's practical.
We run through this before every deploy to production. It takes about 30 minutes. That's cheaper than a 3am incident.
Performance
- Bundle analyzer run — no unexpected large dependencies
- Images optimized with next/image, proper sizing and formats
- Fonts self-hosted or loaded with next/font, no FOUT
- Static pages pre-rendered where possible (SSG over SSR)
- API routes have appropriate cache headers
- Core Web Vitals passing (LCP < 2.5s, CLS < 0.1, INP < 200ms)
Security
- Security headers configured (CSP, X-Frame-Options, HSTS)
- Environment variables audited — no secrets in client bundles
- Authentication flows tested (login, logout, session expiry)
- Rate limiting on API routes and form submissions
- CORS configured correctly for API endpoints
SEO & Metadata
- Sitemap.xml generating correctly with all routes
- Robots.txt configured — staging blocked, production allowed
- OpenGraph and Twitter card metadata on all pages
- Canonical URLs set to prevent duplicate content
- Structured data (JSON-LD) validated with Google's testing tool
- 404 and error pages return correct status codes
Infrastructure
- Error tracking configured (Sentry, LogRocket, etc.)
- Uptime monitoring on critical endpoints
- Database connection pooling configured for serverless
- Rollback plan documented — can revert in under 5 minutes
- DNS and SSL certificates verified
- Environment variables set in production (not just .env.local)
Make it a habit, not a heroic effort.
The best time to check security headers is when you set up the project — not the night before launch. Most items on this list can be automated or configured once and forgotten.
We bake as much of this into our project template as possible. The checklist is there to catch what automation can't.
Need help shipping to production?
We've deployed dozens of Next.js apps. If you need someone to get your project across the finish line — or review your setup before launch — we can help.