Deployment checklist

A practical checklist for shipping headless WordPress safely.

Use this checklist when moving from staging to production for the HeadlessWP Pro site and portal.

Preflight checklist

  • Confirm all release checks pass (lint, typecheck, test, build, and release:preflight).
  • Confirm Node 22 is used in local and CI environments.
  • Confirm environment variables are set per environment and secrets are loaded from your secret manager.
  • Confirm no temporary development origins or debug-only settings remain enabled.

Environment and URL sanity checks

  • Verify the public app URL points to the correct environment (NEXT_PUBLIC_SITE_URL).
  • Verify SECURE_ORIGIN points to the intended WordPress origin for that environment.
  • Verify HTTPS is enabled end-to-end for app and WordPress origins.
  • Verify WordPress REST responds at GET /wp-json/.
  • Verify production CORS allowlists do not include local development origins.
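An added example of an offline preflight for the environment and URL checks above (example code, not HeadlessWP Pro's own): it validates that `NEXT_PUBLIC_SITE_URL` and `SECURE_ORIGIN` are https production origins, that the CORS allowlist carries no development origins or wildcards, and that the process runs as production. `NEXT_PUBLIC_SITE_URL` and `SECURE_ORIGIN` are the page's variable names; `CORS_ALLOWLIST` (a comma-separated list of origins) is an assumed name for this illustration, and the `example.test` hostnames in the usage call are constructed.

```javascript
// Added example, not the project's own code: an offline preflight that validates the
// environment values named on the checklist before a staging-to-production cutover.
// NEXT_PUBLIC_SITE_URL and SECURE_ORIGIN are the page's variable names; CORS_ALLOWLIST
// (comma-separated origins) is an assumed name for this illustration; NODE_ENV is the Node convention.

// Hostnames that should never appear in a production origin or CORS allowlist.
const DEV_HOST = /^(localhost|127\.0\.0\.1|\[::1\]|.+\.local)$/i;

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Checks one origin-style value and appends human-readable findings for it.
function checkOrigin(name, value, findings) {
  const u = parseUrl(value);
  if (!u) { findings.push(`${name}: missing or not a valid URL (${JSON.stringify(value)})`); return; }
  if (u.protocol !== 'https:') findings.push(`${name}: must use https, got ${u.protocol}`);
  if (DEV_HOST.test(u.hostname)) findings.push(`${name}: points at a development host (${u.hostname})`);
}

// Returns a list of findings; an empty list means the environment passes.
function checkEnv(env) {
  const findings = [];
  checkOrigin('NEXT_PUBLIC_SITE_URL', env.NEXT_PUBLIC_SITE_URL, findings);
  checkOrigin('SECURE_ORIGIN', env.SECURE_ORIGIN, findings);
  // Every CORS allowlist entry must itself be a bare https production origin, never a wildcard.
  const allow = (env.CORS_ALLOWLIST || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (const entry of allow) {
    if (entry === '*') { findings.push('CORS_ALLOWLIST: wildcard origin is not allowed'); continue; }
    checkOrigin(`CORS_ALLOWLIST[${entry}]`, entry, findings);
    const u = parseUrl(entry);
    if (u && u.origin !== entry) findings.push(`CORS_ALLOWLIST: ${entry} is not a bare origin`);
  }
  if (env.NODE_ENV !== 'production') findings.push(`NODE_ENV: expected production, got ${env.NODE_ENV}`);
  return findings;
}

// Usage against the real process environment (constructed values shown for illustration):
//   checkEnv(process.env)  ->  [] when everything passes, otherwise one line per problem
const sampleEnv = {
  NEXT_PUBLIC_SITE_URL: 'https://app.example.test',
  SECURE_ORIGIN: 'http://localhost:8080',
  CORS_ALLOWLIST: 'https://app.example.test, http://localhost:3000',
  NODE_ENV: 'production',
};
for (const line of checkEnv(sampleEnv)) console.log('preflight:', line);
```

Wire `checkEnv(process.env)` into the `release:preflight` step and fail the build when the returned list is non-empty; the findings are plain strings so they can go straight into CI output.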

Proxy boundary reminders (/api/secure)

  • Browser requests must call same-origin Next.js routes only.
  • The browser must not call SECURE_ORIGIN directly.
  • All WordPress calls must flow through /api/secure/**.
  • Keep proxy behavior deny-by-default and route allowlist-driven.
  • Keep proxied JSON responses no-store to avoid user-data cache leaks.
  • Verify nonce bootstrap works via GET /wp-json/headlesswp/v1/nonce through the proxy.
  • Verify mutating requests send X-WP-Nonce as required by the proxy boundary.
  • Verify authenticated user-specific reads routed through /api/secure/** include nonce where required.
  • Verify login and logout flows correctly set and clear cookie session state.
  • Verify secure cookie handling remains intact at the proxy boundary (host-only, Path=/, secure attributes preserved).

Observability checklist

  • Verify each proxied request includes a correlation ID suitable for support triage.
  • Verify logs are enabled in production and redact sensitive data (cookies, nonce values, credentials).
  • Verify security event logging and retention posture are defined.
  • Verify on-call/support runbooks require correlation IDs in incident tickets.

Launch checklist

  • Run self-test/health checks on staging and production.
  • Canary deploy and validate one auth flow (login then /me).
  • Validate one commerce or subscription journey relevant to your release.
  • Check baseline metrics after launch (auth failures, 429, and 5xx trends).
  • Record rollout status and rollback criteria before full traffic cutover.