It's recommended to follow the best practices to ensure your application's security and performance just before releasing the application. The checklist in this article is a good starting point, but does not claim to be exhaustive.
With regard to the app's backend, go through these tasks before releasing your app.
Go over all your content types and double-check their permissions.
- You might have relaxed certain permissions to ease development or testing. Turn them back to the values you have designed for them.
- Depending on your application type, you may want to completely forbid anonymous access to your content types, even for reading.
- If you rely on role-based permissions, ensure that the permissions for the various roles in your app are set according to your security design.
Business Logic permissions are role-based.
- Ensure that you have a good role strategy.
- Ensure that you have assigned the minimum required permissions to each role.
Ensure that you request the use of HTTPS when instantiating the Everlive instance.
Ensure that you've implemented the security recommendations for setting up a Data Link Server in case you are using one.
- Select the most restrictive push notifications security policy that allows you to achieve your goals.
- Ensure that you have uploaded the iOS production certificate and marked it as default. Many developers forget to switch from their development certificate to the production certificate.
Business Logic logs work towards your application's total storage quota.
- Delete all log messages that have collected during development and testing. This ensures that your live app starts with full storage capacity.
- If you expect your Business Logic to create excessive logging, either completely disable it or configure a log retention policy.
Avoid keeping empty event handlers, where the only thing that you do is call
done(). Such handlers take additional time to execute, decreasing performance. Either comment them out or delete them from your code.
The master key is only meant to be used from secure code such as server-side code behind the company firewall or Cloud Code. You app code can easily be reverse-engineered to reveal your master key and is not considered secure.
- Search your app code for master key usage and remove it.
Operations for which you specify the
X-Everlive-Debug header are run with debugging turned on. This may slow down you app.
- Search your app code for the header and remove it.
The page at status.telerik.com provides timely information about current incidents as well as the history of past incidents. You can subscribe for notifications over email, SMS, RSS, and Atom, which will allow you to notify your users about any maintenance or downtime expected.