Complete this checklist before deploying FootyCollect to production. This ensures all security settings are configured and the application is production-ready.
Pre-Deployment Checklist Use this comprehensive checklist to verify your production deployment.
Django Configuration
DEBUG Disabled
Critical Security : DEBUG=True exposes sensitive information including settings, environment variables, and stack traces.
Verify: grep "DJANGO_DEBUG" .env # Should show: DJANGO_DEBUG=False
This is validated by config/checks.py:20.
Secure SECRET_KEY
Generate a unique, random SECRET_KEY: python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
Requirements:
Minimum 50 characters (config/checks.py:17)
Unique per environment
Never use default value
Never commit to version control
DJANGO_SECRET_KEY = django-insecure-abc123... # BAD DJANGO_SECRET_KEY = u8v #^9xzq...50+chars... # GOOD
ALLOWED_HOSTS Configured
Set specific domain names (no wildcards): DJANGO_ALLOWED_HOSTS = yourdomain.com,www.yourdomain.com
Do NOT use: DJANGO_ALLOWED_HOSTS = * # Insecure!
Validated by config/checks.py:300.
Admin URL Changed
Change from default /admin/ to prevent automated attacks: DJANGO_ADMIN_URL = secret-admin-path/
Access admin at: https://yourdomain.com/secret-admin-path/ SSL/TLS Security
SSL Certificate Installed
Verify SSL certificate is active: # Test HTTPS curl -I https://yourdomain.com # Check certificate openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
Should show valid certificate from Let’s Encrypt or your CA.
HTTPS Redirect Enabled
Force all traffic to HTTPS: DJANGO_SECURE_SSL_REDIRECT = True
Test: curl -I http://yourdomain.com # Should return 301/302 redirect to https://
HSTS Configured
Enable HTTP Strict Transport Security: DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS = True DJANGO_SECURE_HSTS_PRELOAD = True
Verify header: curl -I https://yourdomain.com | grep -i strict-transport # Should show: Strict-Transport-Security: max-age=31536000; includeSubDomains
Secure Cookies
Configure cookie security: DJANGO_SESSION_COOKIE_SAMESITE = Lax DJANGO_CSRF_COOKIE_SAMESITE = Lax
Validated by config/checks.py:334. Database Security
Strong Database Password
Use a strong password for PostgreSQL: # Generate secure password openssl rand -base64 32
Requirements:
Minimum 16 characters
Mix of letters, numbers, symbols
Unique per environment
DATABASE_URL = postgresql://footycollect:strong-password-here@localhost:5432/footycollect_db
Database Connectivity
Test database connection: # Bare metal sudo -u postgres psql -d footycollect_db -U footycollect -c "SELECT 1;" # Docker docker compose -f docker-compose.production.yml exec postgres psql -U footycollect -d footycollect_db -c "SELECT 1;"
Validated automatically by config/checks.py:127.
Database Backups Configured
Verify backups are working: Bare metal :# Check backup directory ls -lh /var/www/footycollect/backups/ # Test manual backup sudo -u postgres pg_dump footycollect_db > test_backup.sql
Docker :# Test backup docker compose -f docker-compose.production.yml exec postgres backup # List backups docker compose -f docker-compose.production.yml exec postgres backups
Redis Configuration
Redis Connectivity
Test Redis connection: # Bare metal redis-cli ping # Should return: PONG # Docker docker compose -f docker-compose.production.yml exec redis redis-cli ping
Validated by config/checks.py:151.
Redis Password (Optional but Recommended)
For additional security, set Redis password: # /etc/redis/redis.conf requirepass your-redis-password
Update connection string: REDIS_URL = redis://:your-redis-password@localhost:6379/0
Storage Configuration
Storage Credentials Configured
Verify S3/R2 credentials are set: # Check storage backend grep STORAGE_BACKEND .env # For AWS S3 grep -E "DJANGO_AWS_" .env # For Cloudflare R2 grep -E "CLOUDFLARE_" .env
Validated by config/checks.py:268.
Static Files Collected
Test collectstatic uploads to S3/R2: # Verify configuration python manage.py verify_staticfiles # Collect static files python manage.py collectstatic --noinput # Check files are accessible curl -I https://your-bucket.s3.amazonaws.com/static/css/styles.css
CORS Configured (R2 Only)
If using Cloudflare R2 with custom domain, configure CORS: npx wrangler r2 bucket cors set your-bucket-name --file deploy/r2-cors-wrangler.json
Test fonts/static assets load without CORS errors in browser console. Email Configuration
SendGrid API Key Configured
SENDGRID_API_KEY = SG.xxxxxxxxxxxx DJANGO_DEFAULT_FROM_EMAIL = FootyCollect <noreply@yourdomain.com>
Sender Domain Verified
Verify domain in SendGrid:
SendGrid > Settings > Sender Authentication
Verify domain is authenticated
DNS records are configured
Test Email Delivery
# Django shell python manage.py shell
from django.core.mail import send_mail send_mail( 'Test Email' , 'This is a test email from FootyCollect.' , 'noreply@yourdomain.com' , [ 'your-email@example.com' ], fail_silently = False , )
Check inbox for test email. Error Tracking
Sentry DSN Configured
SENTRY_DSN = https://xxxxx@oxxxxx.ingest.sentry.io/xxxxx SENTRY_ENVIRONMENT = production
Test Sentry Integration
Trigger a test error: from sentry_sdk import capture_message capture_message( "FootyCollect production test" )
Verify event appears in Sentry dashboard.
Content Security Policy
Configure CSP to allow required sources: DJANGO_CSP_ENABLED = True DJANGO_CSP_IMG_SRC = 'self', data:, blob:, https://www.gravatar.com, https://cdn.footballkitarchive.com, https://your-bucket.s3.amazonaws.com
Test for CSP violations in browser console.
Verify Security Headers
Check all security headers are present: curl -I https://yourdomain.com
Should include:
Strict-Transport-SecurityX-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: strict-origin-when-cross-originContent-Security-Policy
Test with Security Headers Analyzer
Use online tools to verify headers: Aim for A or A+ grade. Firewall and Network
Firewall Configured
Bare metal :# Check UFW status sudo ufw status verbose # Should show: # - 22/tcp (SSH) ALLOW # - 80/tcp (HTTP) ALLOW # - 443/tcp (HTTPS) ALLOW # - Default: deny incoming, allow outgoing
Docker :# Verify only required ports exposed docker compose -f docker-compose.production.yml ps # Should show 80:80, 443:443
Fail2ban Enabled (Bare Metal)
# Check fail2ban is active sudo systemctl status fail2ban # Check SSH jail sudo fail2ban-client status sshd
SSH Security
Harden SSH access: PermitRootLogin no PasswordAuthentication no # Use SSH keys only
sudo systemctl restart sshd
Service Health
All Services Running
Bare metal :sudo systemctl status gunicorn sudo systemctl status nginx sudo systemctl status postgresql sudo systemctl status redis
Docker :docker compose -f docker-compose.production.yml ps # All services should show "Up"
Health Endpoints
Test application health: # Basic health check curl https://yourdomain.com/health/ # Should return: {"status": "ok"} # Readiness check (includes DB) curl https://yourdomain.com/ready/ # Should return: {"status": "ready"}
Admin Access
Verify admin panel access: # Visit admin URL curl -I https://yourdomain.com/your-admin-url/ # Should return 200 OK or 302 redirect to login
Log in with superuser credentials. Django Deployment Checks
Run Django Checks
Run comprehensive deployment checks: python manage.py check --deploy
This validates (config/checks.py):
✓ DEBUG disabled (checks.py:20)
✓ SECRET_KEY secure (checks.py:40)
✓ Required environment variables (checks.py:83)
✓ Database connectivity (checks.py:127)
✓ Redis connectivity (checks.py:151)
✓ Storage credentials (checks.py:268)
✓ ALLOWED_HOSTS configured (checks.py:300)
✓ SSL/HTTPS settings (checks.py:334)
All checks must pass before production deployment.
Address Warnings
Fix any warnings reported by checks: python manage.py check --deploy 2>&1 | grep -E "WARNING|ERROR"
Common warnings:
Missing SENTRY_DSN (recommended)
ALLOWED_HOSTS contains wildcard
Missing storage credentials
Production Deployment Checklist Print and complete this checklist:
Django Configuration Security Database Redis Storage Email Monitoring Services Documentation Post-Deployment Monitoring After deployment, monitor for:
First 24 Hours
Monitor Sentry for errors:
Check error frequency
Review stack traces
Verify no critical errors
# Application logs sudo journalctl -u gunicorn --since "1 hour ago" # Nginx access logs sudo tail -100 /var/log/nginx/footycollect_access.log # Check for errors sudo tail -100 /var/log/nginx/footycollect_error.log
Ensure backups are running: # Check backup files ls -lh /var/www/footycollect/backups/ # Verify backup size is reasonable du -h /var/www/footycollect/backups/
First Week
Monitor disk space usage
Review user registration and activity
Check email delivery success rate
Verify SSL certificate auto-renewal is configured
Review Sentry performance metrics
Test database restore procedure
Ongoing
Weekly log reviews
Monthly security updates
Quarterly credential rotation
Regular backup restoration tests
Performance monitoring and optimization
Troubleshooting Checklist Failures
# View detailed check output python manage.py check --deploy --verbosity 2 # Check specific settings python manage.py shell >>> from django.conf import settings >>> settings.DEBUG False >>> settings.SECRET_KEY[:10] 'randomXXXX'
Health Endpoints Not Responding
# Check Gunicorn is running sudo systemctl status gunicorn # Check Gunicorn logs sudo journalctl -u gunicorn -n 50 # Test directly (bypass Nginx) curl http://localhost:8000/health/
# Verify collectstatic ran python manage.py collectstatic --dry-run # Check storage configuration python manage.py verify_staticfiles # Test S3/R2 connectivity python manage.py check --deploy | grep -i storage
Database Connection Errors
# Test PostgreSQL sudo -u postgres psql -d footycollect_db -U footycollect # Check DATABASE_URL format echo $DATABASE_URL # Verify pg_hba.conf allows connections sudo cat /etc/postgresql/ * /main/pg_hba.conf
Final Verification Before announcing your deployment:
Complete User Journey
Test the complete user experience:
Visit homepage via HTTPS
Register new account
Verify email received
Log in
Create an item
Upload a photo
View collection
Test search/filter
Log out
Load Test (Optional)
Basic load testing: # Install Apache Bench sudo apt-get install apache2-utils # Test 100 requests, 10 concurrent ab -n 100 -c 10 https://yourdomain.com/
Review response times and error rates. Congratulations! If all checklist items are complete and verified, your FootyCollect deployment is production-ready.
Quick Reference Commands # Run all deployment checks python manage.py check --deploy # Test health endpoints curl https://yourdomain.com/health/ curl https://yourdomain.com/ready/ # Verify static files python manage.py verify_staticfiles # Check services (bare metal) sudo systemctl status gunicorn nginx postgresql redis # Check services (Docker) docker compose -f docker-compose.production.yml ps # View application logs (bare metal) sudo journalctl -u gunicorn -f # View application logs (Docker) docker compose -f docker-compose.production.yml logs -f django # Database backup (bare metal) sudo -u postgres pg_dump footycollect_db > backup.sql # Database backup (Docker) docker compose -f docker-compose.production.yml exec postgres backup
Next Steps After completing the checklist:
Monitoring Setup Configure ongoing monitoring with Sentry, log aggregation, and uptime monitoring
Backup Strategy Implement automated backup rotation and test restoration procedures
Performance Tuning Optimize Gunicorn workers, database queries, and caching strategies
Scaling Plan for horizontal scaling with load balancers and multiple application servers
