
Production Hardening Checklist

## Quick Summary
AI gets your application running. This checklist gets it running safely. Every item here has been found missing in production AI-generated codebases. Work through each section before launch — every unchecked item is an open vulnerability.

## Key Points

- [ ] All HTTP traffic redirects to HTTPS (301)
- [ ] TLS 1.2+ only (no TLS 1.0/1.1)
- [ ] Strong cipher suites configured
- [ ] Certificate auto-renewal (Let's Encrypt / ACM)
- [ ] SSL Labs test: A+ rating (`ssllabs.com/ssltest/`)
- [ ] HSTS header present on all HTTPS responses
- [ ] `includeSubDomains` enabled
- [ ] Submitted to HSTS preload list (hstspreload.org)
- [ ] CSP header configured
- [ ] No `unsafe-inline` for scripts (use nonces if needed)
- [ ] No `unsafe-eval`
- [ ] `frame-ancestors 'none'` (prevents clickjacking)
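
One way to check the HSTS and CSP items above against a response's headers (an added example, not part of the original checklist; the function names and the sample header values are constructed for illustration):

```python
# Added example: audits response headers against the HSTS and CSP checklist items.
# Function names and the sample header sets are constructed for illustration.

def parse_csp(value):
    """Parse a CSP header into {directive: [sources]}; first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_headers(headers):
    """Return the checklist items that the given response headers fail."""
    h = {k.lower(): v for k, v in headers.items()}
    failures = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        failures.append("HSTS header missing")
    elif "includesubdomains" not in [d.strip().lower() for d in hsts.split(";")]:
        failures.append("HSTS lacks includeSubDomains")
    if "content-security-policy" not in h:
        return failures + ["CSP header missing"]
    csp = parse_csp(h["content-security-policy"])
    # script-src falls back to default-src; frame-ancestors has no fallback.
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        failures.append("CSP does not restrict scripts")
    else:
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in script_src:
                failures.append(f"script sources allow {keyword}")
    if csp.get("frame-ancestors") != ["'none'"]:
        failures.append("frame-ancestors is not 'none'")
    return failures

# Constructed sample responses: one weak configuration, one hardened.
WEAK = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
}
HARDENED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(sample) or "passes")
```

A `Content-Security-Policy-Report-Only` header is not enforced by browsers, so the audit deliberately ignores it.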