Skip to content

PRODUCTION_HARDENING_CHECKLIST.md

Latest commit

 

History

History
64 lines (48 loc) · 2.97 KB

PRODUCTION_HARDENING_CHECKLIST.md

File metadata and controls

64 lines (48 loc) · 2.97 KB

Tickify Production Hardening Checklist

1. Security Baseline

  • Role-based route protection enabled for JSP and servlet endpoints.
  • Global security response headers configured.
  • New and seeded passwords stored with PBKDF2 hashes.
  • Legacy plaintext passwords remain login-compatible during migration window.
  • Force HTTPS at reverse proxy/load balancer.
  • Set HttpOnly, Secure, and SameSite for session cookies at container level.
  • Rotate all default seeded account passwords before go-live.

2. Authentication and Authorization

  • Unauthorized access to role routes returns redirect or 403.
  • Session-based role checks enforced for Admin, Client roles, and Scanner role.
  • Add account lockout policy for repeated failed logins.
  • Add password reset flow with signed expiring tokens.
  • Add admin audit logs for privilege-sensitive actions.

3. Input Validation and Data Integrity

  • Registration rejects blank fields and weak credentials (<8 chars).
  • Email normalization and role validation enforced on auth path.
  • Add server-side institutional domain validation for student-only events.
  • Add stronger password policy (upper/lower/number/special).
  • Add unique index checks and conflict responses for duplicate accounts.

4. Scanner Readiness (Security Scanner)

  • Scanner dashboard includes manual validation fallback with immediate result feedback.
  • Basic vibration/audio feedback implemented for success/failure outcomes.
  • Integrate live camera scanning endpoint and decode service.
  • Add replay protection for already-used ticket codes.
  • Persist scanner validation logs with guard ID and timestamp.

5. Client Site Readiness

  • Landing, selection, login, and signup flows modernized and responsive.
  • Registration success and failure messaging implemented.
  • Add CSRF protection tokens to all POST forms.
  • Add rate limiting and bot detection for login and signup routes.
  • Add accessibility checks (keyboard tab order, contrast, aria labels).

6. Admin Console Readiness

  • Admin dashboard replaced with operational control surface.
  • Connect dashboard metrics to real database aggregates.
  • Add event create/update/delete admin workflow with validation.
  • Add financial report export and reconciliation view.
  • Add guard and manager provisioning workflow.

7. Operations and Deployment

  • Install Ant in build environment (apt install ant) and run ant clean compile.
  • Verify GlassFish datasource and Derby/Oracle connectivity in target environment.
  • Externalize DB host/user/password through environment-specific config.
  • Configure centralized logging and error tracing.
  • Add automated backup/restore for database.
  • Run smoke tests for all roles: Admin, Attendee, Presenter, Event Manager, Venue Guard.

8. Final Go-Live Gate

Release only when all unchecked items above are completed or explicitly risk-accepted by the project owner.