It's recommended to follow the best practices to ensure your application's security and performance just before releasing the application. The checklist in this article is a good starting point, but does not claim to be exhaustive.
With regard to the app's backend, go through these tasks before releasing your app.
Tighten content type permissions
Go over all your content types and double-check their permissions.
- You might have relaxed certain permissions to ease development or testing. Turn them back to the values you have designed for them.
- Depending on your application type, you may want to completely forbid anonymous access to your content types, even for reading.
- If you rely on role-based permissions, ensure that the permissions for the various roles in your app are set according to your security design.
Tighten Business Logic permissions
Business Logic permissions are role-based.
- Ensure that you have a good role strategy.
- Ensure that you have assigned the minimum required permissions to each role.
Make secure requests to the backend
Ensure that you request the use of HTTPS when instantiating the Everlive instance.
Secure your Data Connectors
Ensure that you've implemented the security recommendations for setting up a Data Link Server in case you are using one.
Tighten push notifications security and upload production certificates
- Select the most restrictive push notifications security policy that allows you to achieve your goals.
- Ensure that you have uploaded the iOS production certificate and marked it as default. Many developers forget to switch from their development certificate to the production certificate.
Disable Business Logic logging and remove old logs
Business Logic logs work towards your application's total storage quota.
- Delete all log messages that have collected during development and testing. This ensures that your live app starts with full storage capacity.
- If you expect your Business Logic to create excessive logging, either completely disable it or configure a log retention policy.
Empty event subscriptions in Cloud Code
Avoid keeping empty event handlers, where the only thing that you do is call
done(). Such handlers take additional time to execute, decreasing performance. Either comment them out or delete them from your code.
Remove any master key usage from the client code
The master key is only meant to be used from secure code such as server-side code behind the company firewall or Cloud Code. You app code can easily be reverse-engineered to reveal your master key and is not considered secure.
- Search your app code for master key usage and remove it.
Remove any debug headers
Operations for which you specify the
X-Everlive-Debug header are run with debugging turned on. This may slow down you app.
- Search your app code for the header and remove it.
Subscribe for the status page
The page at status.telerik.com provides timely information about current incidents as well as the history of past incidents. You can subscribe for notifications over email, SMS, RSS, and Atom, which will allow you to notify your users about any maintenance or downtime expected.