Solanasis Docs

new-service-deployment-checklist

2 min read

New Service Deployment Security Checklist

Last updated: 2026-03-29 Policy: Every new internet-facing service MUST complete this checklist before the route/domain is created. No exceptions without Dmitri’s approval. Background: Created after the docs.solanasis.com exposure incident (2026-03-27).

Pre-Deployment (BEFORE creating the route)

  • Operational script exists first — do not script Cloudflare changes on the fly
  • Cloudflare Access app created from the docs baseline — OTP email auth for dmitri@solanasis.com, ds@solanasis.com, and mr.sunshine@solanasis.com
  • Session duration set24h baseline
  • No extra require/exclude rules — unless Dmitri approved an override before exposure
  • Override recorded first — if this service deviates from the docs baseline, record it in solanasis-scripts/security/config/cf_exceptions.json and service-inventory.md
  • robots.txt or X-Robots-Tag — configured to block all crawlers (unless intentionally public)
  • Rate limiting rule — if the service has login/API endpoints

Deployment

  • Create tunnel route or Pages custom domain — ONLY after all pre-deployment items are complete
  • Restart cloudflaredsudo systemctl restart cloudflared
  • Run compliance dry-runcloudflare_tunnel_policy.py apply --dry-run
  • Verify Access challenge — open URL in incognito, confirm OTP prompt before any content loads

Post-Deployment

  • Run baseline policy checkcloudflare_tunnel_policy.py check --json
  • Run full auditcloudflare_access_audit.py --output-dir ...
  • If this is a Pages project, verify pages.dev exposure — check the root pages.dev URL and a live preview alias, not just the custom domain
  • Update service-inventory.md — domain, method, status, Access policy
  • Update the Cloudflare Access exceptions section if applicable — category + reason + approval state
  • Update X-Robots-Tag Transform Rule — add new hostname to the expression
  • Verify WAF rules apply — check Security > Events for the new hostname
  • Update cloudflare-hardening-cheatsheet.md — add hostname to anti-indexing list

Certificate Transparency Warning

New certificates appear in CT logs within minutes. Automated scanners monitor CT logs and will discover and probe new subdomains within 24 hours. This is why Access MUST be in place BEFORE the route exists — there is no grace period.

Deployment History

DateServiceHostnameChecklist Followed
2026-03-28Directus CRMdb.solanasis.comYes (first use of this checklist)
2026-03-29Tunnel baseline standardizationerp / baserow / sm / edit / docs / dbYes

Graph View