Deploying Your SaaS to Production: The Complete Checklist

Your app works on localhost. You’ve built features, written tests, maybe even got some beta users. Now it’s time to deploy to production.

This is where most indie hackers get stuck. Not because deployment is impossibly hard, but because there’s no single checklist that covers everything. Until now.

Before You Deploy

Choose Your Platform

Approach	Best For	Monthly Cost	Effort
VPS (DigitalOcean, Hetzner)	Control, cost optimization	$5-40	High
PaaS (Railway, Render)	Speed, simplicity	$10-100	Low
Containers (Fly.io, Azure)	Scale, portability	$5-50	Medium
Serverless (Vercel, Netlify)	Static + API	$0-30	Low

For most SaaS apps, a VPS with Docker gives you the best balance of cost, control, and portability.

DNS and Domain

Domain registered and DNS configured
A/AAAA records pointing to your server
CNAME for www subdomain
DNS propagation verified (use dig or whatsmydns.net)

The Deployment Checklist

Security (Do First)

SSL/TLS certificate configured (Let’s Encrypt or Cloudflare)
HTTP → HTTPS redirect enforced
Security headers set (HSTS, X-Frame-Options, CSP)
Environment variables for all secrets (never in code)
Database password is not the default
SSH key-only authentication (disable password login)
Firewall configured (only expose ports 80, 443, and SSH)
Fail2ban or equivalent for brute force protection

Application

Production environment variables set
Database migrations run successfully
Health check endpoint exists (/health or /api/health)
Error handling doesn’t expose stack traces
CORS configured correctly
Rate limiting on auth endpoints
File upload limits configured

Infrastructure

Container or process manager configured (Docker, systemd)
Auto-restart on crash
Log rotation configured
Disk space monitoring
Memory limits set (prevent OOM kills from taking down the host)

Monitoring

Uptime monitoring configured (UptimeRobot, Betterstack)
Error tracking set up (Sentry free tier)
Basic metrics dashboard (response times, error rates)
Alert notifications to your phone/email

Backups

Automated database backups (daily minimum)
Backup restoration tested (backups you haven’t tested aren’t backups)
File/media storage backed up
Backup stored offsite (not on the same server)

CI/CD

Automated tests run on every push
Build succeeds before deploy
Deploy triggered automatically on merge to main
Rollback mechanism exists (previous container image, git revert)
Health check after deploy (auto-rollback if unhealthy)

Post-Deploy Verification

After your first deploy:

Visit your domain — does it load over HTTPS?
Test the signup/login flow end-to-end
Send a test email (if your app sends email)
Process a test payment (if applicable)
Check your monitoring dashboard — any errors?
Trigger your backup and verify it completes
Run a Lighthouse audit (should score 80+ across the board)

Common Gotchas

WebSocket connections dropping: Reverse proxy timeout settings. Set proxy_read_timeout 86400 in nginx.

Emails going to spam: Set up SPF, DKIM, and DMARC records. Use a transactional email service (Postmark, Resend).

Database connection limits: Most managed databases have connection limits. Use connection pooling (PgBouncer for PostgreSQL).

Cold starts: If using serverless or scale-to-zero, the first request after idle will be slow. Implement a keep-warm ping.

Storage filling up: Log rotation and docker image cleanup. Set up a cron job: docker system prune -f weekly.

Zero-Downtime Updates

Once you’re live, you need to deploy updates without taking the site down:

Blue-green deployment: Run old and new versions simultaneously, switch traffic
Rolling update: Replace instances one at a time
Canary deployment: Send 5% of traffic to the new version, verify, then promote

For most indie hackers, a simple rolling update with a health check is sufficient.

Want ready-to-use configurations for everything on this list? The Production Deployment Kit includes Docker Compose stacks, CI/CD pipelines, monitoring setup, and security hardening scripts.