
Website launch checklist
========================


A practical checklist of everything to verify before you put a website live — security, performance, backups, and the things that are painful to fix after launch.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 30, 2026 · 2 minute read

1. [Server and access](#content-server-and-access)
2. [Domain and HTTPS](#content-domain-and-https)
3. [Security](#content-security)
4. [Performance](#content-performance)
5. [Reliability](#content-reliability)
6. [After launch](#content-after-launch)
7. [Let Rocketeers handle it](#content-let-rocketeers-handle-it)

Launching a website is the moment a dozen small details suddenly matter all at once. This checklist walks through what to verify before you flip the switch, grouped so you can work through it top to bottom. Most items link to a full guide if you need the how.

Server and access
-----------------

- \[ \] Server provisioned with [Nginx](/how-to-install-nginx), [PHP](/how-to-install-php), and a [database](/how-to-install-mysql).
- \[ \] SSH hardened — key-only login, root login disabled, and ideally a [non-default SSH port](/change-ssh-port-ubuntu).
- \[ \] A firewall (`ufw`) allowing only the ports you actually use (80, 443, SSH).
- \[ \] [Swap space configured](/add-swap-space-on-ubuntu) so a memory spike doesn't kill processes.
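
To check the SSH item above against a real file, here is an added example (not from the original article or from Rocketeers) that audits `sshd_config` text for key-only login, disabled root login, and the listening port. The names `effective_settings` and `audit` and both sample configs are constructed for illustration; `Include` files and `Match` blocks are not evaluated.

```python
import re

# Upstream OpenSSH defaults, applied when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # old name

# Constructed samples. In SHADOWED the later "no" never takes effect.
HARDENED = """# constructed sample
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
"""
SHADOWED = """Port 2222
PermitRootLogin no
PasswordAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
"""

def effective_settings(text):
    settings, ports = {}, []
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        if raw.strip().startswith("#") or len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip('"').lower()
        if key == "match":
            break  # conditional blocks are out of scope (assumption)
        if key == "port":
            ports.append(value)  # Port may repeat; sshd listens on all of them
        else:
            settings.setdefault(key, value)  # first occurrence wins in sshd
    return {**DEFAULTS, **settings}, ports or ["22"]

def audit(text):
    (s, ports), findings = effective_settings(text), []
    if s["passwordauthentication"] != "no":
        findings.append("password login enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive login enabled")
    if s["permitrootlogin"] != "no":
        findings.append("root login not disabled")
    if "22" in ports:
        findings.append("listening on default port 22")
    return findings
```

On a live server, `sshd -T` prints the effective configuration with includes resolved, which is the more reliable input for the same checks.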

Domain and HTTPS
----------------

- \[ \] DNS records pointing at the server and propagated.
- \[ \] A valid SSL certificate installed — via [Certbot](/how-to-install-certbot) or [Cloudflare](/what-is-cloudflare).
- \[ \] [Automatic renewal](/renew-ssl-certificates-automatically) set up so the certificate never lapses.
- \[ \] HTTP redirects to HTTPS, and HSTS is enabled — aim for an [A+ SSL grade](/a-plus-grade-ssl-using-cloudflare).
- \[ \] No mixed content (no `http://` assets on an `https://` page).

Security
--------

- \[ \] Debug mode **off** in production — a leaked stack trace exposes paths, config, and sometimes credentials.
- \[ \] Security headers set (CSP, HSTS, `X-Content-Type-Options`) — verify with the [validation tools](/tools-to-validate-website).
- \[ \] Database user scoped to its own database, never connecting as root.
- \[ \] Secrets in [environment variables](/environment-variables-laravel), not in code or version control.
- \[ \] Review [web application security](/optimize-web-application-security) for the full picture.
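
The HSTS and mixed-content items under Domain and HTTPS and the security-headers item above can be checked mechanically. This added example (not from the original article or from Rocketeers) audits a saved response and page body; the function names, the sample data, and the 180-day `MIN_HSTS_AGE` threshold are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample response and page body (not captured from a real site).
SAMPLE_HEADERS = """HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=300
x-content-type-options: nosniff
"""
SAMPLE_HTML = """<link rel="stylesheet" href="https://example.com/app.css">
<script src="http://cdn.example.com/lib.js"></script>
<img src="//example.com/logo.png">
<a href="http://example.org/">partner</a>
"""
MIN_HSTS_AGE = 15552000  # assumption: 180 days is the bar used in this example
# Tags whose URL is fetched as a subresource; <a href> is navigation and is skipped.
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def parse_headers(raw):
    pairs = (line.partition(":") for line in raw.splitlines()[1:])  # skip status line
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def audit_headers(raw):
    h, findings = parse_headers(raw), []
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts:
        findings.append("HSTS missing")
    elif int(hsts.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age too short")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "content-security-policy" not in h:  # a Report-Only header does not enforce
        findings.append("CSP missing")
    return findings

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(SUBRESOURCE_ATTR.get(tag, ""), "") or ""
        if url.lower().startswith("http://"):  # plain-HTTP fetch on an HTTPS page
            self.hits.append(url)

def mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.hits
```

The `link` check does not inspect `rel`, so a plain-HTTP canonical link would also be reported and needs a manual look.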

Performance
-----------

- \[ \] [Gzip or Brotli compression](/enable-gzip-compression-nginx) enabled.
- \[ \] [OPcache enabled](/enable-opcache-php) for PHP.
- \[ \] Static assets cached with sensible far-future headers.
- \[ \] A reasonable [time to first byte](/ttfb) — see [optimizing website performance](/optimize-website-performance).

Reliability
-----------

- \[ \] Automated [database backups](/backup-mysql-databases-single-file) running on a schedule — and test a restore.
- \[ \] File backups for anything users upload.
- \[ \] Uptime and error monitoring so you hear about problems before your visitors do.
- \[ \] Custom error pages for [404, 500](/500-internal-server-error-laravel), and [502](/502-bad-gateway-nginx) instead of raw server defaults.

After launch
------------

- \[ \] Run the full suite of [website validation tools](/tools-to-validate-website).
- \[ \] Confirm email sending works and isn't landing in spam — see [email deliverability](/improving-email-deliverability).
- \[ \] Watch logs and metrics for the first day to catch anything the tests missed.

Let Rocketeers handle it
------------------------

Look back over that list — a large share of it is server configuration and ongoing operations: TLS and renewal, security headers, compression, backups, monitoring, and keeping debug mode off in production. Rocketeers handles those by default when it provisions a server and deploys a site, and keeps watching afterwards, so your launch checklist is mostly green before you even start ticking boxes.

