Section 04 · Infrastructure & Setup
Environments
Environment tiers, configuration, protection, and deployment verification
This guide walks you through auditing a project's environment setup, configuration, and protection.
The Goal: Production Parity
Staging should behave exactly like production so bugs surface before release, not after. Dev environments should enable deep debugging. Non-production environments should be invisible to the public internet.
- Tiered — production, staging, and dev environments with clear workflows
- Parity — staging runs in production mode with matching env vars
- Debuggable — dev environments have verbose logging and stack traces
- Protected — staging and dev behind Cloudflare Zero Trust
- Verified — webhooks bypassing Zero Trust validate signatures
Before You Start
- Confirm you're in the target repository's root directory
- Have staging and dev URLs ready for browser testing
- Have Cloudflare account ID and API token available (for ENV-008)
- Have the user available for questions about environment architecture
environment-tiers
Production environment deployed, deployment method documented, visible in CI history
“How is production deployed — does the whole team know?”
Staging environment deployed, deployment method documented, visible in CI history
“Shipping straight to prod because staging is too painful?”
At least one dev environment for QA, method to deploy feature branches for testing
“Where does QA test feature branches before they hit staging?”
environment-config
Staging runs with NODE_ENV=production or equivalent, using the same build process as production
“Is staging running in dev mode and masking real prod issues?”
Dev environments have dev mode enabled, debug/verbose logging, and stack traces visible for debugging
“Are stack traces visible locally, or are devs debugging blind?”
Staging uses the same env vars as prod except payment gateways (sandbox OK); email must use a real provider
“What breaks in staging that works in prod due to different config?”
Production log level is info/warn/error, stack traces are hidden from users, and error messages are friendly
“Are stack traces leaking to your users in production?”
environment-protection
Browser access to staging and dev requires authentication, verified via browser test and Cloudflare API
“Can someone stumble onto staging without any credentials?”
Webhook endpoints verify signatures before processing if bypassing Zero Trust
“Zero Trust bypass path — is it guarded, or a wide-open door?”
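Added example (not part of the original guide): one way a webhook endpoint that bypasses Zero Trust can verify a signature before processing the payload, in Node.js. The `t=...,v1=...` header format, the 300-second replay window, the secret, and the sample event are assumptions constructed for illustration; each real provider defines its own header and signing scheme.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const TOLERANCE_SEC = 300; // assumed replay window, not from the guide

// HMAC-SHA256 over "<timestamp>.<raw body>" (hypothetical signing scheme).
function mac(rawBody, secret, t) {
  return createHmac('sha256', secret).update(`${t}.${rawBody}`).digest();
}

// Builds the hypothetical header "t=<unix seconds>,v1=<hex mac>" (sender side).
function sign(rawBody, secret, t) {
  return `t=${t},v1=${mac(rawBody, secret, t).toString('hex')}`;
}

// Receiver side: decide on the raw bytes, before any parsing happens.
function verifyWebhook(rawBody, header, secret, nowSec) {
  const parts = Object.fromEntries(
    String(header || '').split(',').map((kv) => kv.split('=', 2))
  );
  const t = Number(parts.t);
  if (!Number.isInteger(t) || !/^[0-9a-f]{64}$/.test(parts.v1 || '')) {
    return { ok: false, reason: 'malformed' };
  }
  if (Math.abs(nowSec - t) > TOLERANCE_SEC) {
    return { ok: false, reason: 'stale' }; // replayed or delayed delivery
  }
  // Constant-time compare; both buffers are 32 bytes after the regex check.
  if (!timingSafeEqual(mac(rawBody, secret, t), Buffer.from(parts.v1, 'hex'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, reason: 'verified' };
}

// Handler: the payload is parsed only after the signature checks out.
function handleWebhook(rawBody, header, secret, nowSec) {
  const result = verifyWebhook(rawBody, header, secret, nowSec);
  if (!result.ok) return { status: 401, reason: result.reason };
  return { status: 200, eventType: JSON.parse(rawBody).type };
}

// Constructed sample delivery (secret, timestamp and event are made up).
const SECRET = 'whsec_constructed_example';
const BODY = '{"type":"payment.succeeded","id":"evt_constructed"}';
const HEADER = sign(BODY, SECRET, 1700000000);
console.log(handleWebhook(BODY, HEADER, SECRET, 1700000030));
console.log(handleWebhook(BODY.replace('succeeded', 'refunded'), HEADER, SECRET, 1700000030));
```

The signature must be computed over the raw request body as received; verifying a re-serialized JSON object can fail on valid deliveries because byte order and whitespace differ.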