Production Checklist
Before exposing your pipel8ne instance to users, go through this checklist.
Security
- [ ] `JWT_SECRET` is a long random string (64+ hex characters, not a placeholder)
- [ ] `SECRETS_ENCRYPTION_KEY` is exactly 32 bytes (64 hex characters, not a placeholder)
- [ ] Both secrets are backed up in a secure location (password manager, secret manager)
- [ ] Neither secret is committed to version control
- [ ] MongoDB authentication is enabled — do not run MongoDB without a username/password
- [ ] MongoDB is not exposed publicly — bind to `localhost` or use an internal Docker network
- [ ] HTTPS is configured — use a reverse proxy (Nginx, Caddy) with a valid TLS certificate
- [ ] `NODE_ENV=production` is set — this disables the Swagger UI at `/docs`
- [ ] Public registration is disabled after creating accounts for your team (Settings → Administration)
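
The secret and `NODE_ENV` items above can be checked mechanically before the backend starts. The following is an added example, not part of pipel8ne's own code; the function names and the placeholder heuristic (too few distinct digits, or one short block repeated) are assumptions.

```javascript
// Added example: pre-flight check for the secrets named in the checklist.
// The placeholder heuristic is an assumption, not pipel8ne's own logic.
const HEX = /^[0-9a-fA-F]+$/;

// A random 64-character hex string uses nearly all 16 digits and never
// repeats one short block end to end; typical placeholders fail one of these.
function looksLikePlaceholder(value) {
  if (new Set(value.toLowerCase()).size < 8) return true;
  for (let period = 1; period <= 16; period++) {
    if (value.length % period === 0 &&
        value.slice(0, period).repeat(value.length / period) === value) {
      return true; // e.g. "0123456789abcdef" repeated four times
    }
  }
  return false;
}

// Returns a list of human-readable failures; an empty list means all passed.
function checkProductionEnv(env) {
  const failures = [];
  const rules = [
    ['JWT_SECRET', (v) => v.length >= 64, '64+ hex characters'],
    ['SECRETS_ENCRYPTION_KEY', (v) => v.length === 64,
      'exactly 64 hex characters (32 bytes)'],
  ];
  for (const [name, lengthOk, want] of rules) {
    const value = env[name] || '';
    if (!HEX.test(value) || !lengthOk(value)) {
      failures.push(`${name} must be ${want}`);
    } else if (looksLikePlaceholder(value)) {
      failures.push(`${name} looks like a placeholder`);
    }
  }
  if (env.NODE_ENV !== 'production') {
    failures.push('NODE_ENV must be "production"');
  }
  return failures;
}

// Constructed sample input: an all-zero key is a common unfilled placeholder.
const sample = {
  JWT_SECRET: '9f2c4e7a1b8d3056c1e4a97b2d6f083e5a7c19b4d2e6f8013c5b7a9e4d1f6028',
  SECRETS_ENCRYPTION_KEY: '0'.repeat(64),
  NODE_ENV: 'development',
};
console.log(checkProductionEnv(sample));
```

In a deployment script, call `checkProductionEnv(process.env)` and exit non-zero when the returned list is not empty.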
Reliability
- [ ] Automated MongoDB backups are scheduled (see Docker Deployment)
- [ ] The backend is managed by a process manager (PM2, systemd, Docker restart policy) so it restarts on crash
- [ ] Health check — verify the backend responds:

  ```bash
  curl http://localhost:3000/api/auth/registration-status
  ```

Network
- [ ] Firewall rules — only ports 80 and 443 (or your proxy port) should be exposed to the internet
- [ ] MongoDB port 27017 is firewalled from external access
Maintenance
- [ ] Update policy — plan how you will pull updates (`git pull` + rebuild + restart)
- [ ] Monitor disk space — MongoDB data and Docker volumes grow over time
Hardening MongoDB
When running MongoDB in Docker, ensure the Compose file uses authentication:
```yaml
services:
  mongo:
    image: mongo:7
    environment:
      MONGO_INITDB_ROOT_USERNAME: pipel8ne
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_PASSWORD}
    volumes:
      - mongo_data:/data/db
    # Do NOT expose port 27017 to the host in production
    # ports:
    #   - "27017:27017"
```

Add `MONGO_PASSWORD` to your `.env`.
Recommended architecture (single server)
```
Internet
    │
    ▼
[Nginx + TLS :443]
    │
    ▼
[pipel8ne backend :3000]
    │
    ▼
[MongoDB :27017]  ← internal only, not exposed
```

All services on the same host. Nginx handles TLS termination and forwards requests to the backend. MongoDB listens only on localhost (or the Docker internal network).
Recommended architecture (separate services)
```
Internet
    │
    ▼
[Load Balancer + TLS]
    │
    ▼
[pipel8ne backend]  (multiple instances possible)
    │
    ▼
[MongoDB Atlas or managed MongoDB]  ← TLS connection required
```

Use MongoDB Atlas or a managed database provider for automatic backups, replication, and failover.
