This template is intentionally small. The items below are not implemented, or only partially implemented, and should be in place before the service is exposed in production.
- Rate limiting and abuse protection
- CSRF protection for cookie-based auth
- Security headers (Helmet)
- Request body size limits and input validation on every route
- Dependency vulnerability monitoring (SCA)
- Email verification flows
- Password reset flow and email provider integration
- MFA / 2FA (Better Auth plugins)
- Role-based access control (RBAC)
- Admin interfaces / user management UI
- OAuth2/OIDC refresh-token flows for third-party or long-lived clients (if needed)
- Centralized logs (ship Pino output to a log provider)
- Metrics (Prometheus/OpenTelemetry)
- Tracing for request correlation
- Error reporting (Sentry, Datadog, etc.)
- Database connection pooling limits & timeouts
- RabbitMQ retry, dead-letter queues, and backoff strategy
- Health checks for dependencies
- Graceful shutdown for workers
- Automated backups and restore testing
- Migrations in CI before deploy
- Seeds for staging environments
- CI/CD pipeline
- Secrets manager (Doppler, AWS Secrets Manager, Vault)
- TLS/HTTPS configuration
- Reverse proxy (Nginx, Traefik, or managed load balancer)
- Caching layer (Redis)
- Pagination & filtering on read endpoints
- Load testing baseline
- Horizontal scaling readiness
- Separate `.env` files per environment
- Staging environment for pre-prod validation
- Separate DBs per environment
- Audit logs
- Data retention policies
- GDPR/CCPA processes