McFly World ships Laravel applications for clients who need predictable uptime, auditable releases, and handover documentation procurement can file. This checklist is the minimum bar before we point a production hostname at new code.
Why this matters beyond “it works on my machine”
Production is where payments, personal data, and SLAs live. Misconfigured debug modes, orphaned queue workers, and cache drivers that do not survive horizontal scale create incidents that are expensive to explain to customers and regulators. Treat readiness as a risk register, not a vibe check.
Configuration and secrets
- Set
APP_DEBUG=falseandAPP_ENV=production; verify they are not overridden in server env layers. - Keep secrets out of git; use the host’s secret store or encrypted env. Rotate keys when staff or vendors roll off.
- Lock down
APP_URL, trusted proxies, and session domain so redirects and signed URLs behave behind CDNs and load balancers.
Queues, schedules, and failed jobs
Run queue workers under a process monitor (systemd, Supervisor, Kubernetes, or your platform equivalent). Log and alert on failed jobs — email, invoicing, and webhooks often fail silently until finance notices.
Schedule schedule:run via cron or a managed scheduler; document which tasks are business-critical and their expected completion windows.
Cache and sessions
Use Redis or another shared store when you scale beyond one app server. Document safe cache flush procedures for deploys so you do not evict sessions during checkout. Separate cache prefixes per environment to avoid cross-contamination.
Database migrations
For large tables, prefer expand–contract migrations: nullable columns first, dual-write or backfill jobs, switch reads, then enforce constraints. That pattern pairs directly with database changes without taking the site offline.
Observability and health
Ship structured logs, a lightweight /health or readiness endpoint, and uptime checks on login, checkout, and token issuance. Pair server logs with client-side error tracking for user-visible failures. Alerting should page someone who can act — not a shared inbox nobody reads.
Security and dependency hygiene
Enable HTTPS end-to-end, review CORS and rate limits on public routes, and keep Composer dependencies patched on a cadence. For APIs consumed by partners, align versioning and deprecation with API versioning patterns.
Release discipline
Tag releases, maintain changelogs for client-visible systems, and rehearse rollbacks (including database steps). Production readiness is process plus code — your operations team should be able to answer “what changed?” and “how do we undo it?” without opening Slack archaeology.
How we help
For end-to-end delivery, see services covering web, software, and cloud foundations, and portfolio for engagement patterns. To scope hosting, backups, and runbooks explicitly, review packages or request a proposal.
More engineering notes in Development on our blog.