Knowledge
Website launch checklist
#Hosting
A practical checklist of everything to verify before you put a website live — security, performance, backups, and the things that are painful to fix after launch.
Published by Mark van Eijk on June 30, 2026 · 2 minute read
- Server and access
- Domain and HTTPS
- Security
- Performance
- Reliability
- After launch
- Let Rocketeers handle it
Launching a website is the moment a dozen small details suddenly matter all at once. This checklist walks through what to verify before you flip the switch, grouped so you can work through it top to bottom. Most items link to a full guide if you need the how.
Server and access
- [ ] Server provisioned with Nginx, PHP, and a database.
- [ ] SSH hardened — key-only login, root login disabled, and ideally a non-default SSH port.
- [ ] A firewall (
ufw) allowing only the ports you actually use (80, 443, SSH). - [ ] Swap space configured so a memory spike doesn't kill processes.
Domain and HTTPS
- [ ] DNS records pointing at the server and propagated.
- [ ] A valid SSL certificate installed — via Certbot or Cloudflare.
- [ ] Automatic renewal set up so the certificate never lapses.
- [ ] HTTP redirects to HTTPS, and HSTS is enabled — aim for an A+ SSL grade.
- [ ] No mixed content (no
http://assets on anhttps://page).
Security
- [ ] Debug mode off in production — a leaked stack trace exposes paths, config, and sometimes credentials.
- [ ] Security headers set (CSP, HSTS,
X-Content-Type-Options) — verify with the validation tools. - [ ] Database user scoped to its own database, never connecting as root.
- [ ] Secrets in environment variables, not in code or version control.
- [ ] Review web application security for the full picture.
Performance
- [ ] Gzip or Brotli compression enabled.
- [ ] OPcache enabled for PHP.
- [ ] Static assets cached with sensible far-future headers.
- [ ] A reasonable time to first byte — see optimizing website performance.
Reliability
- [ ] Automated database backups running on a schedule — and test a restore.
- [ ] File backups for anything users upload.
- [ ] Uptime and error monitoring so you hear about problems before your visitors do.
- [ ] Custom error pages for 404, 500, and 502 instead of raw server defaults.
After launch
- [ ] Run the full suite of website validation tools.
- [ ] Confirm email sending works and isn't landing in spam — see email deliverability.
- [ ] Watch logs and metrics for the first day to catch anything the tests missed.
Let Rocketeers handle it
Look back over that list — a large share of it is server configuration and ongoing operations: TLS and renewal, security headers, compression, backups, monitoring, and keeping debug mode off in production. Rocketeers handles those by default when it provisions a server and deploys a site, and keeps watching afterwards, so your launch checklist is mostly green before you even start ticking boxes.
Subscribe to our newsletter
Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!