Prototype to production

Audit every environment variable

Open your .env file. For each variable, decide whether it's safe to ship in your client bundle or whether it has to stay server-side. Client-safe: publishable keys, Supabase URL and anon key. Server-only: service role keys, database URLs, webhook secrets, and any key that spends money.

Any variable prefixed with NEXT_PUBLIC_ is baked into your JavaScript bundle — anyone can read it by viewing source. That's fine for keys designed to be public; it's catastrophic for your OpenAI key or your database URL.

# ✅ Client-safe (NEXT_PUBLIC_ → bundled into your JavaScript)
NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...          # scoped by RLS — safe to ship
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_...

# ❌ Server-only (no NEXT_PUBLIC_ prefix)
SUPABASE_SERVICE_ROLE_KEY=eyJ...  # bypasses RLS — never expose
STRIPE_SECRET_KEY=sk_live_...     # can issue refunds and charges
DATABASE_URL=postgresql://...     # direct database access
OPENAI_API_KEY=sk-...             # someone will drain it

Keep .env out of git

Your .env file holds secrets. It has no business in version control. Check your git history: if .env was ever committed, rotate every secret in it — even if you deleted the file later. Git remembers everything, and public repos are scraped within minutes.

# Make sure .env is gitignored
echo ".env" >> .gitignore

# Has .env ever been committed? Find out:
git log --all --full-history -- .env

# If it was, rotate every secret inside. Assume it's public.

Push env vars to your hosting platform

A local .env is not enough. Set every server-side variable in your hosting dashboard so your deployed app actually has them. Vercel → Settings → Environment Variables. Railway → Variables. Render → Environment.

Cap spending on every paid API

If your app touches OpenAI, Anthropic, Resend, or any pay-per-use API, set a hard spending cap before launch. A runaway bug or an abusive user can turn into a four-figure bill overnight. Start with $20-50 while you find out what real usage looks like.

# Set limits in each provider's dashboard:
# OpenAI:     Settings → Billing → Usage limits → Hard cap ($20-50)
# Anthropic:  Settings → Plans & Billing → Monthly limit
# Supabase:   Settings → Billing → Spending cap
# Resend:     Settings → Billing → Rate limits

Pick a host and deploy

For Next.js: Vercel is the path of least resistance, with Netlify and Railway close behind. For plain React or Vite: Vercel, Netlify, or Cloudflare Pages. Connect your GitHub repo, set your environment variables, and the first deploy is minutes away.

Enable preview deployments

Vercel and Netlify spin up a unique preview URL for every pull request. Use them. Test changes on the preview URL before they ever touch production — it catches regressions that localhost misses. Free on every major platform.

Add a health check endpoint

A tiny `/api/health` route that confirms your app can reach the database. Uptime monitors (next section) ping this endpoint every minute so you find out your app is down before your users do.

// app/api/health/route.ts (Next.js)
import { NextResponse } from 'next/server';

export async function GET() {
  try {
    // Check database connection
    await db.query('SELECT 1');
    return NextResponse.json({ status: 'ok' });
  } catch {
    return NextResponse.json({ status: 'error' }, { status: 503 });
  }
}

Wire up error tracking

Users don't file bug reports — they leave. Sentry catches every crash in your app, server and client, and pings you with a stack trace detailed enough to actually fix the bug. Its free tier is more than enough for most early-stage apps.

# Install
npm install @sentry/nextjs

# Run the wizard — it configures everything for you
npx @sentry/wizard@latest -i nextjs

# Confirm it's working — throw a test error
throw new Error('Sentry test error');

Add product analytics

You need to know whether anyone is actually using the thing you built. Pick one: PostHog (free, open source, feature-rich), Plausible (lightweight and privacy-first), or Vercel Analytics (zero setup if you're already on Vercel).