Ruby on Rails implementation checklist

Verify RAILS_MASTER_KEY is present in the production environment and not committed to version control.

Set config.force_ssl = true in production.rb to ensure all traffic is encrypted and HSTS is enabled.

Configure middleware or load balancer to redirect non-www to www (or vice versa) to prevent session fragmentation.

Set config.log_level to :info and use ActiveSupport::TaggedLogging to include request IDs in logs.

Ensure SECRET_KEY_BASE is generated uniquely for production to secure cookie-based sessions.

Match the database pool size in database.yml to the sum of RAILS_MAX_THREADS and the concurrency level of background workers.

Verify that config.active_job.queue_adapter is set to :solid_queue and the database has the required schema migrations.

Confirm automated daily snapshots and WAL-G or similar point-in-time recovery is active for the production database.

Disable prepared statements in database.yml if using a connection pooler like PgBouncer in transaction mode.

Verify config.cache_store is set to :solid_cache_store and the dedicated cache table is indexed.

Ensure the /up endpoint returns a 200 OK and is correctly referenced in the deploy.yml healthcheck section.

Verify KAMAL_REGISTRY_PASSWORD is set in the local .env file and the deployer has push access to the Docker registry.

Confirm the Dockerfile includes 'RUN bundle exec rails assets:precompile' and all build arguments for CSS/JS are passed.

Configure buildx in deploy.yml if the deployment target architecture (e.g., ARM64) differs from the CI/CD runner.

Use the 'env: clear' and 'env: secret' blocks in deploy.yml to separate public config from sensitive credentials.

Configure the rack-attack gem to throttle login attempts by IP and prevent brute-force attacks on /users/sign_in.

Define a strict CSP in initializers/content_security_policy.rb to prevent XSS, specifically allowing Stimulus and Turbo origins.

Run 'bundle audit' and 'npm audit' to identify and patch known vulnerabilities in gems and node modules.

Configure the Permissions-Policy header to disable unused browser features like camera, microphone, and geolocation.

Ensure config.ssl_options = { hsts: true, subdomains: true } is active to prevent session hijacking.

Install and verify an error reporting client (Sentry, Honeybadger, or AppSignal) for the production environment.

Verify that Docker logs are being forwarded to a centralized logging service for post-deployment analysis.

Configure an external service to ping the /up endpoint every 60 seconds and alert on failure.

Set up jemalloc in the Dockerfile to reduce memory fragmentation and prevent OOM kills on small VPS instances.

Ensure monitoring is in place for the host machine's disk space, specifically for Docker image pruning and database growth.