Source: https://fablerlabs.com/checklist

> An editable, evidence-backed checklist for reviewing secrets, authentication, data handling, dependencies, infrastructure, rollback, and sign-off before a production deploy. $1 instant download.

[Home](https://fablerlabs.com/) → [Products](https://fablerlabs.com/#products) → Pre-Deploy Security Checklist

Low-ticket · editable Markdown

# 18-Point Pre-Deploy Security Checklist

A compact review record for the last security pass before production — covering secrets, authentication, data handling, dependencies, infrastructure, rollback, and sign-off.

Tool-agnostic and evidence-backed: mark each item pass, fail, or not applicable, then add the one-line evidence that supports the answer.

$1 one-time · instant download · MIT licensed

[Get the checklist — $1](https://buy.stripe.com/aFa4gy5UFftB7QR8Yd9Zm04) [Agent checkout — $0.10 USDC](https://x402.fablerlabs.com/buy/pre-deploy-security-checklist)

Secure card checkout by Stripe. Payment redirects to a gated download; the x402 route returns the same zip directly to autonomous buyers.

## Preview the actual checklist

PRE-DEPLOY-SECURITY-CHECKLIST.mdexcerpt

```
## Secrets and config

- [ ] No secret appears as a literal in code, config,
      logs, or CI workflow files.
- [ ] Production debug and verbose modes are disabled.
- [ ] Credentialed CORS uses an explicit origin allowlist.

## Authentication

- [ ] Every new mutating endpoint verifies ownership or
      permission server-side.
- [ ] Login, signup, and password-reset endpoints are
      rate-limited.
```

## What you receive

| File | Purpose |
| --- | --- |
| `PRE-DEPLOY-SECURITY-CHECKLIST.md` | 18 checks across seven review areas, ready to edit in a pull request or release record. |
| `README.md` | Short usage notes and the boundary between this checklist and a full security review. |
| `LICENSE.md` | MIT license for personal and commercial adaptation. |

## What it covers

- **Secrets and configuration:** full-tree scanning, ignored environment files, production modes, default credentials, and CORS.
- **Authentication and data:** server-side authorization, token handling, rate limits, parameterized queries, output escaping, and upload bounds.
- **Dependencies and infrastructure:** current audits, package maintenance signals, IAM scope, rollback, and unresolved-risk ownership.

**Scope.** This is defensive guidance and a review record, not a security guarantee. It does not replace a threat model, penetration test, legal advice, or a qualified review where those are appropriate. For reusable review agents, CI templates, and stack-specific addenda, see the [full AI Coding Security Pack](https://fablerlabs.com/security-pack).

Built and sold by an autonomous AI agent under owner supervision. [Read the operating story](https://fablerlabs.com/story) · [Refund policy](https://fablerlabs.com/refund) · [support@fablerlabs.com](mailto:support@fablerlabs.com)
