Production Rollout Checklist: A Complete Guide to Firebase & App Hosting Deployment

Deploying to production can be nerve-wracking, especially when you’re dealing with databases, secrets, and live user traffic. Having worked through countless deployments, I’ve learned that a systematic checklist is your best friend when it comes to smooth, error-free rollouts.

Here’s my battle-tested production deployment checklist that covers everything from database preparation to post-deployment verification.

Pre-Deployment: Database & Infrastructure Setup

1. Prepare Firestore Database

Why this matters: Your production database needs to be properly configured before any application code touches it.

• Create production Firestore database (if not already exists)
• Configure database location (choose region closest to your users)
• Set up database indexes for your queries
• Verify database structure matches your application schema
• Import seed data if required (reference data, initial configurations)
• Test database connectivity from your local environment

Pro tip: Always create your indexes before deployment. Missing indexes in production will cause query failures and poor performance.

2. Apply Firestore Security Rules

Why this matters: Security rules are your first line of defense against unauthorized data access.

// Example production-ready security rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Users can only access their own data
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    
    // Public read access for certain collections
    match /public/{document} {
      allow read: if true;
      allow write: if request.auth != null && 
        resource.data.createdBy == request.auth.uid;
    }
  }
}

• Review and update security rules for production
• Test rules thoroughly with different user scenarios
• Deploy rules to production using firebase deploy --only firestore:rules
• Verify rules are active in Firebase Console

Backend Deployment & Configuration

3. Prepare Backend/App Hosting

Why this matters: Your backend needs to be configured specifically for production workloads.

• Review application configuration for production settings
• Update database connection strings to production instances
• Configure logging levels (typically INFO or WARN for production)
• Set up health check endpoints for monitoring
• Review resource allocation (CPU, memory, scaling settings)
• Test application locally with production-like configuration

4. Environment Variables & Configuration

Critical step: Your application behavior changes dramatically based on environment configuration.

• Set NODE_ENV=production (or equivalent for your runtime)
• Configure production API endpoints
• Set production feature flags
• Update CORS settings for production domains
• Configure production logging destinations

Important note: Many applications check for NODE_ENV=production to enable production optimizations, so this step is crucial.

Secrets Management

5. Create and Configure Secrets

Why this matters: Hardcoded secrets are a security nightmare. Proper secret management is non-negotiable.

• Identify all secrets needed (API keys, database passwords, JWT secrets)
• Create secrets in Secret Manager:

# Create each secret
gcloud secrets create database-password --data-file=password.txt
gcloud secrets create api-key --data-file=api-key.txt
gcloud secrets create jwt-secret --data-file=jwt-secret.txt

• Document secret naming conventions
• Set up secret rotation schedule (where applicable)

6. Apply Secrets to Backend

• Grant access to secrets:

# First, list your projects to confirm you're in the right one
firebase projects:list

# Switch to your production project
firebase use <production-project-id>

# Grant access to each secret for your backend
firebase apphosting:secrets:grantaccess database-password --backend <backend-id>
firebase apphosting:secrets:grantaccess api-key --backend <backend-id>
firebase apphosting:secrets:grantaccess jwt-secret --backend <backend-id>

• Verify backend can access secrets in staging environment
• Test secret retrieval in your application code
• Confirm secrets are not logged anywhere

Deployment & Rollout

7. Create and Execute Rollout

Why gradual rollouts matter: Rolling out to 100% of users immediately is risky. Gradual rollouts let you catch issues early.

• Create rollout plan (5% → 25% → 50% → 100%)
• Deploy to production:

# Deploy your backend
firebase deploy --only apphosting

# Or deploy everything if needed
firebase deploy

• Monitor deployment status in Firebase Console
• Check application logs for errors
• Verify health checks pass

8. Test Production Linkage

Critical verification step: Just because deployment succeeded doesn’t mean everything works.

• Test database connectivity from production backend
• Verify API endpoints respond correctly
• Test authentication flows end-to-end
• Confirm secret access is working
• Check external service integrations (payment processors, email services, etc.)
• Monitor error rates and response times
• Test with real user scenarios

Domain & DNS Configuration

9. Add Custom Domain

User experience matters: Your production app needs a professional domain.

• Configure custom domain in Firebase Hosting
• Set up SSL certificate (Firebase handles this automatically)
• Configure DNS records at your domain registrar
• Test domain resolution and SSL certificate
• Set up domain redirects (www → non-www or vice versa)
• Update CORS settings to include new domain

Post-Deployment Tasks

10. Optional: Create Admin User

For applications with admin functionality:

• Create initial admin user through secure process
• Test admin functionality thoroughly
• Document admin access procedures
• Set up admin monitoring/alerting

Critical Success Factors

Environment Configuration is Key

The most common deployment issue I see is forgetting to set the environment to production. Many applications have different behavior based on this setting:

• Development: Verbose logging, debug features enabled, relaxed security
• Production: Optimized performance, minimal logging, strict security

Make sure your application code checks for the production environment:

// Example environment check
if (process.env.NODE_ENV === 'production') {
  // Enable production optimizations
  // Disable debug features
  // Use production database
}

Monitoring & Rollback Plan

• Set up monitoring dashboards for key metrics
• Configure alerting for errors and performance issues
• Prepare rollback procedure in case of critical issues
• Document incident response process

Post-Deployment Verification Checklist

After your rollout is complete, verify everything is working:

• All API endpoints respond correctly
• Database queries execute successfully
• Authentication works for all user types
• Email notifications are sent
• Payment processing works (if applicable)
• File uploads/downloads function
• External integrations respond
• Performance meets expectations

Common Gotchas to Avoid

1. Firestore indexes missing - Deploy indexes before your app code
2. Environment variables not set - Double-check all production configs
3. Secrets not accessible - Verify grant access commands worked
4. CORS issues - Update allowed origins for production domain
5. Rate limiting - Ensure production limits are appropriate
6. Caching issues - Clear CDN/browser caches after deployment

Conclusion

A systematic approach to production deployment reduces stress and prevents costly mistakes. This checklist has saved me countless hours of debugging and helped ensure smooth launches for dozens of applications.

Remember: measure twice, cut once. Taking extra time for thorough preparation and testing always pays off when you’re dealing with production systems and real users.

What deployment challenges have you faced? I’d love to hear about your experiences and any additions you’d make to this checklist.