For those shipping web apps to clients or pushing to production, I am curious about your process.
Before you call something production ready, how do you validate security beyond basic scans?
In many projects I have reviewed, small issues pass unnoticed:
• An endpoint returns more data than expected
• Role checks are inconsistent across routes
• APIs expose internal assumptions
• Sessions can be reused in unintended flows
Individually these look minor.
Together they can create a path to real access or data exposure.
Static scans often flag isolated findings, but they do not show how weaknesses connect.
So I am interested in your approach.
Do you rely on:
• Automated scanners?
• Manual review?
• Threat modeling?
• External pentests?
• Nothing formal?
What does your “ready for production” security checklist look like?
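One way to turn two of the items above (an endpoint returning more than it should, and role checks that differ between routes) into pre-production checks, and to show how the two findings chain, as an added example that is not part of the original post. It uses a small in-memory route table built for this illustration; `App`, `Route`, `Session`, the sample user records and the route paths are all constructed here and are not any real framework's API.

```python
"""Added example (not from the thread): a minimal in-memory route table used to
show two pre-production checks that isolated scanning tends to miss, and how
the small findings they catch chain into one real exposure.

Everything here (App, Route, Session, USERS, the paths) is constructed for the
illustration and is not a real framework's API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data: two users, one admin and one ordinary user.
USERS = {
    "1": {"id": "1", "name": "alice", "role": "admin",
          "email": "alice@example.test", "password_hash": "$2b$12$alicehash"},
    "2": {"id": "2", "name": "bob", "role": "user",
          "email": "bob@example.test", "password_hash": "$2b$12$bobhash"},
}


@dataclass
class Session:
    user_id: str
    role: str


@dataclass
class Route:
    path: str
    handler: Callable
    required_role: Optional[str]   # None means no role check was registered
    response_fields: Set[str]      # fields the API contract promises to return


class App:
    def __init__(self):
        self.routes: Dict[str, Route] = {}

    def route(self, path, role=None, fields=()):
        def deco(fn):
            self.routes[path] = Route(path, fn, role, set(fields))
            return fn
        return deco

    def call(self, path, session: Session, **kwargs):
        r = self.routes[path]
        if r.required_role and session.role != r.required_role:
            return {"error": "forbidden"}
        return r.handler(session, **kwargs)


app = App()


# Over-exposure: the handler dumps the whole record, not the contract's fields.
@app.route("/users/<id>", role="admin", fields={"id", "name", "email"})
def get_user(session, id):
    return dict(USERS[id])


# Inconsistent role check: same data on a second path, role check forgotten.
@app.route("/export/users/<id>", fields={"id", "name", "email"})
def export_user(session, id):
    return dict(USERS[id])


# Check 1: every registered route must declare a required role.
def routes_missing_role(app) -> List[str]:
    return sorted(p for p, r in app.routes.items() if r.required_role is None)


# Check 2: exercise each route with an admin session and compare the keys it
# returns against its declared contract; any extra key is over-exposure.
def over_exposed_fields(app) -> Dict[str, Set[str]]:
    admin = Session("1", "admin")
    found = {}
    for p, r in app.routes.items():
        extra = set(app.call(p, admin, id="2")) - r.response_fields
        if extra:
            found[p] = extra
    return found


# The chain: a low-privilege session uses the unchecked route to read an
# over-exposed field of another user. Neither finding alone shows this.
def chain_leaks_hash(app) -> bool:
    low = Session("2", "user")
    for p in routes_missing_role(app):
        if "password_hash" in app.call(p, low, id="1"):
            return True
    return False


def harden(app):
    """Fix both findings: default every route to admin-only and filter each
    response down to its declared fields (deny-by-default on both axes)."""
    for r in app.routes.values():
        if r.required_role is None:
            r.required_role = "admin"
        r.handler = (lambda s, _f=r.handler, _k=r.response_fields, **kw:
                     {k: v for k, v in _f(s, **kw).items() if k in _k})


if __name__ == "__main__":
    print("routes without role check:", routes_missing_role(app))
    print("over-exposed fields:", over_exposed_fields(app))
    print("chain leaks hash:", chain_leaks_hash(app))
    harden(app)
    print("after hardening, chain leaks hash:", chain_leaks_hash(app))
```

The point of the third function is the one the post makes: run in isolation, "route lacks a role check" and "endpoint returns two extra fields" each look like hygiene; `chain_leaks_hash` joins them into a concrete read of another user's credential material by an ordinary session. In a real project the same two checks can be run against the actual router (enumerate registered routes, assert each has an authorization decorator, and diff serialized responses against the OpenAPI schema) as a release gate rather than as a scan finding.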
Hello @nautillo, our web developers can help you with this. Contact us today.
Appreciate it, but this is exactly the gap I am pointing to.
Most dev shops help build and fix features. Security usually ends at scans or checklist reviews.
The issue is not missing tools. It is missing context on how issues connect.