
Pre-Launch SaaS Checklist: 47 Things to Verify Before Going Live

The exact checklist our team runs on every SaaS product before going live — security, performance, billing, and observability.

6 min read · March 15, 2026

Security (Run This First)

Security issues found post-launch are 10x more expensive to fix. These are the non-negotiables.

  • All environment variables are in .env.local, never committed to git
  • API routes validate user session/token before any data access
  • User input is sanitized server-side — never trust the client
  • Rate limiting is active on auth endpoints (max 10 attempts / 15 min)
  • HTTPS enforced everywhere, HSTS header set
  • Content Security Policy header configured
  • Dependency audit: npm audit shows zero high/critical vulnerabilities
  • Stripe webhook signature verification is implemented
  • Password reset tokens expire within 1 hour
  • Admin routes are protected by role check, not just auth check

Performance

A slow app is a leaky bucket. Fix performance before you pay for acquisition.

  • Lighthouse score ≥90 on mobile for the landing page
  • Largest Contentful Paint <2.5s on a simulated 4G connection
  • All images use next/image with explicit width/height
  • Fonts are preloaded, no layout shift from font swap
  • Database queries have indexes on every foreign key and filter column
  • No N+1 query patterns in list views
  • Edge caching configured for public pages
  • Bundle size analyzed — no unnecessary dependencies

Billing & Subscriptions

Broken billing is the fastest way to lose a customer's trust.

  • Stripe test mode fully exercised: upgrade, downgrade, cancel, reactivate
  • Webhook handler idempotent — replayed events don't double-bill
  • Failed payment recovery flow tested (dunning emails configured)
  • Trial expiry correctly restricts feature access
  • Invoice PDF is readable and legally compliant for your jurisdiction
  • Refund flow tested end-to-end
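
The two webhook items above (signature verification in the security list, idempotent handling in this one) fit in a single handler. The sketch below is an added example, not code from the original checklist or from Stripe's SDK: it hand-rolls the `t=...,v1=...` HMAC-SHA256 check with Node's built-in crypto module. The function names, the 300-second tolerance, the in-memory `seen` set and the sample event are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");
const TOLERANCE_SECONDS = 300; // assumed freshness window for the signed timestamp

// Header format: "t=<unix timestamp>,v1=<hex HMAC-SHA256>[,v1=...]".
function verifySignature(rawBody, header, secret, nowSeconds) {
  const parts = String(header || "").split(",").map((p) => p.trim().split("="));
  const t = (parts.find(([k]) => k === "t") || [])[1];
  const candidates = parts.filter(([k]) => k === "v1").map(([, v]) => v);
  if (!/^\d+$/.test(t || "") || candidates.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return false;
  // The MAC covers "<timestamp>.<raw body>": use the bytes as received, not re-serialized JSON.
  const expected = crypto.createHmac("sha256", secret)
    .update(`${t}.${rawBody}`, "utf8").digest();
  return candidates.some((hex) => {
    const got = Buffer.from(hex, "hex");
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
}

// Hypothetical handler. `seen` stands in for a table with a unique key on event id;
// in a real database, record the id and apply the event in one transaction.
function handleWebhook({ rawBody, header, secret, now, seen, applyEvent }) {
  if (!verifySignature(rawBody, header, secret, now)) return { status: 400 };
  const event = JSON.parse(rawBody);
  if (seen.has(event.id)) return { status: 200, duplicate: true }; // replay: ack, change nothing
  seen.add(event.id);
  applyEvent(event);
  return { status: 200, duplicate: false };
}

// Constructed sample input (not real Stripe data).
function demo() {
  const secret = "whsec_constructed_example";
  const rawBody = JSON.stringify({ id: "evt_constructed_1", type: "invoice.paid" });
  const now = 1700000000;
  const sig = crypto.createHmac("sha256", secret).update(`${now}.${rawBody}`).digest("hex");
  const header = `t=${now},v1=${sig}`;
  const seen = new Set();
  let applied = 0;
  const call = (h, n) =>
    handleWebhook({ rawBody, header: h, secret, now: n, seen, applyEvent: () => applied++ });
  return {
    first: call(header, now),                          // valid and new: applied
    replay: call(header, now + 10),                    // valid but already seen: acked only
    stale: call(header, now + 3600),                   // timestamp outside tolerance: rejected
    forged: call(`t=${now},v1=${"0".repeat(64)}`, now), // wrong MAC: rejected
    applied,
  };
}
```

In production, the official Stripe library's `stripe.webhooks.constructEvent` performs the same signature check; either way the handler must receive the unparsed request body.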

Observability & Alerting

You cannot fix what you cannot see. Set up monitoring before launch, not after the first outage.

  • Error tracking (Sentry or similar) capturing unhandled exceptions
  • Uptime monitor alerts within 2 minutes of downtime
  • Database connection pool metrics visible
  • Alert configured for error rate spike (>2% of requests in 5 min)
  • Structured logging in place for all server actions

SEO & Meta

Get these right once and benefit permanently.

  • Unique <title> and <meta description> on every public page
  • Open Graph image set for social sharing
  • Canonical URL set on every page
  • robots.txt present and not blocking important pages
  • XML sitemap generated and submitted to Google Search Console
  • Structured data (JSON-LD) on landing page
