The Next.js App Router Production Checklist: 20 Projects Later

After shipping 20+ production projects on Next.js 14 App Router, here are the non-obvious things we check before every launch.

TecVerse Team

Engineering · 2 April 2026

We've been shipping Next.js App Router projects since the stable release, and we've developed a pre-launch checklist that catches the things new teams consistently miss. This isn't about the basics — it's the stuff that bites you after go-live.

Rendering strategy is not set-and-forget

The most common mistake we see: developers apply force-dynamic to everything out of caution, or leave everything as static by default. Both are wrong.

  • Static pages (marketing, about, legal) → revalidate: 3600 or fully static
  • Semi-dynamic content (blog, portfolio) → revalidate: 600 with on-demand revalidation
  • Real-time content (contact, authenticated routes) → force-dynamic

Getting this wrong either hammers your database on every request or serves stale data at inopportune times.

Metadata and JSON-LD before you move on

Every page needs a unique title, description, and canonical URL. Every dynamic route needs generateMetadata() fetching from your data source — not a generic fallback. JSON-LD schemas should be verified in Google's Rich Results Test before launch, not after.

Security headers are not optional

Configure these in next.config.ts headers, not middleware. They need to cover all routes including static assets:

  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security with 1-year max-age
  • A working Content Security Policy — unsafe-inline is acceptable, unsafe-eval only if your build requires it
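The four headers above in the shape next.config.ts expects, with a small pre-launch audit function, as an added example (not TecVerse's own code). The CSP string, the names securityHeaders and auditHeaders, and the finding messages are assumptions made for illustration.

```typescript
// Added example, not TecVerse's code. Header names and values follow the list above;
// the CSP string is an assumed minimal policy.
type Header = { key: string; value: string };

const ONE_YEAR = 31536000; // seconds

const csp = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline'",
].join("; ");

const securityHeaders: Header[] = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Strict-Transport-Security", value: "max-age=" + ONE_YEAR },
  { key: "Content-Security-Policy", value: csp },
];

// In next.config.ts: type this as NextConfig (from "next") and `export default nextConfig`.
// "/(.*)" matches every request path, which is how the list covers all routes.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

// Pre-launch check: pass in the response headers of any route; returns findings (empty = pass).
function auditHeaders(resp: Record<string, string>): string[] {
  const h: Record<string, string> = {};
  for (const k of Object.keys(resp)) h[k.toLowerCase()] = resp[k].trim();
  const findings: string[] = [];
  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY")
    findings.push("X-Frame-Options is not DENY");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options is not nosniff");
  const maxAge = /max-age=(\d+)/i.exec(h["strict-transport-security"] || "");
  if (!maxAge || Number(maxAge[1]) < ONE_YEAR)
    findings.push("Strict-Transport-Security max-age is under one year");
  const policy = h["content-security-policy"];
  if (!policy) findings.push("Content-Security-Policy is missing");
  else if (policy.indexOf("'unsafe-eval'") !== -1)
    findings.push("CSP allows 'unsafe-eval': confirm the build requires it");
  return findings;
}
```

Feed auditHeaders the headers returned for a page route and for a static asset on the deployed site; a non-empty result for either means the configuration is not covering that route.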

Route protection for admin sections

Middleware running on the Edge should reject unauthenticated requests to /admin/* and /api/admin/* before they hit your server components. getServerSession() inside a server component is a second line of defence — not the first.

Image optimisation

Every <img> tag should be a Next.js <Image> component. Every external image domain should be in remotePatterns. Sizes should be specified — guessing at them costs Core Web Vitals points.

The things that always slip

In the rush to launch, teams consistently forget: robots.txt disallowing admin routes, a sitemap.xml that includes all dynamic content, 404 and 500 custom error pages, and rate limits on public API routes. All of these are ten-minute tasks that have a disproportionate impact.

The checklist we run through before every launch has 34 items. These are the ones that catch something on at least half our projects.
