Shipping PHP means more than uploading files. Use this checklist before go-live—frameworks automate much of it, but you should know what runs underneath.
Configuration
- display_errors=Off, log_errors=On, sensible error_log
- OPcache enabled with appropriate memory and validate_timestamps off in prod
- Secrets in environment variables, not committed files
- HTTPS everywhere; HSTS when stable
Application
- Prepared statements; least-privilege DB user
- CSRF on forms; secure session cookie flags
- File upload limits and non-executable storage
- Dependency audit:
composer audit
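The ini-level items under Configuration and the session cookie flags under Application can be checked by a script in the deploy pipeline. This is an added example, not part of the original checklist; the function names and the choice of `session.cookie_secure` and `session.cookie_httponly` as the "secure flags" are assumptions of the example.

```php
<?php
// Added example, not from the original checklist. Expected values below are
// this example's reading of the checklist items.

/** True for PHP's "on" spellings of a boolean ini value. */
function ini_on($value): bool
{
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'true', 'yes'], true);
}

/**
 * @param callable $get maps an ini key to its value (string, or false if unknown)
 * @return string[] failures; an empty array means every check passed
 */
function check_production_ini(callable $get): array
{
    $failures = [];
    // display_errors may also be "stderr"/"stdout", so test for "not off".
    $display = strtolower(trim((string) $get('display_errors')));
    if (!in_array($display, ['', '0', 'off', 'false', 'no'], true)) {
        $failures[] = "display_errors={$display}, expected Off";
    }
    if (trim((string) $get('error_log')) === '') {
        $failures[] = 'error_log is unset, errors go to the SAPI default';
    }
    // ini key => required state
    $required = [
        'log_errors'                  => true,
        'opcache.enable'              => true,
        'opcache.validate_timestamps' => false,
        'session.cookie_secure'       => true,
        'session.cookie_httponly'     => true,
    ];
    foreach ($required as $key => $want) {
        $raw = $get($key);
        if ($raw === false) {            // e.g. OPcache extension not loaded
            $failures[] = "{$key} is not a known setting in this SAPI";
        } elseif (ini_on($raw) !== $want) {
            $failures[] = "{$key}={$raw}, expected " . ($want ? 'On' : 'Off');
        }
    }
    return $failures;
}

// Run against the live configuration; a non-zero exit fails the deploy step.
$failures = check_production_ini('ini_get');
foreach ($failures as $f) { echo "FAIL: {$f}", PHP_EOL; }
exit($failures ? 1 : 0);
```

The CLI and the web SAPI (php-fpm, mod_php) can load different php.ini files, so run the check under the configuration that actually serves traffic.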
Operations
- Deploy script runs migrations; rollback plan exists
- Backups for database and user uploads
- Monitoring: 5xx rates, slow queries, disk space
- Rate limiting on auth and public APIs
Self-check
- Why disable display_errors in production?
- What does OPcache do?