
Production Readiness Checklist

Yes, KeystoneJS can be (and is!) used for production websites. Here's a handy list of tips for using KeystoneJS with real workloads:

Secure Cookies

In production builds, KeystoneJS' secureCookies defaults to true. Make sure your server is HTTPS-enabled when secureCookies is enabled or you will be unable to log in.

Session Handling

Make sure the production deployment sets a long, unguessable value for KeystoneJS' cookieSecret.

A randomly generated value is suitable (but keep it secret):

openssl rand -hex 32

Session Store

Sessions are stored inside the KeystoneJS app by default, but in production it's recommended to store them in an external server such as Redis instead. You can use any of the stores that work with express-session. The advantages of using an external server are that

  • You can restart your app for upgrades without breaking sessions
  • You can replicate your KeystoneJS app for availability, while keeping sessions consistent

This option can be set in the Keystone constructor.
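The three session items above (secure cookies, cookieSecret, external session store) pulled together as an added example that is not part of the Keystone docs: a small startup check that derives the Keystone constructor options from environment variables and refuses to start with an unsafe production configuration. The environment variable names COOKIE_SECRET and REDIS_URL, and the use of connect-redis with a redis client for the external store, are assumptions; cookieSecret, secureCookies, sessionStore and queryLimits are Keystone v5 constructor options.

```javascript
// Added example, not from the Keystone docs. Assumed env vars: COOKIE_SECRET, REDIS_URL.
const MIN_SECRET_HEX_CHARS = 64; // length of `openssl rand -hex 32` output

// Validate the session-related settings before the app starts. Returns plain
// values so the decision logic can be tested without Keystone or Redis installed.
function buildSessionOptions(env = process.env) {
  const production = env.NODE_ENV === 'production';
  const cookieSecret = env.COOKIE_SECRET;

  if (!cookieSecret) {
    throw new Error('COOKIE_SECRET is not set');
  }
  if (production && cookieSecret.length < MIN_SECRET_HEX_CHARS) {
    throw new Error('COOKIE_SECRET is too short for production (expected 32 random bytes, hex-encoded)');
  }
  if (production && !env.REDIS_URL) {
    throw new Error('REDIS_URL is required in production so sessions survive restarts and replicas');
  }

  return {
    cookieSecret,
    // Keystone already defaults this to true in production; setting it explicitly
    // means a wrong NODE_ENV cannot silently turn it off. Needs TLS in front of the app.
    secureCookies: production,
    // null means Keystone's built-in in-memory store (development only)
    sessionStoreUrl: production ? env.REDIS_URL : null,
  };
}

// Wire the validated options into Keystone. Only called from the real entry point,
// so the module loads without these packages installed. connect-redis/redis
// constructor signatures differ between versions; adjust to the installed ones.
function createKeystone(env = process.env) {
  const { Keystone } = require('@keystonejs/keystone');
  const expressSession = require('express-session');
  const RedisStore = require('connect-redis')(expressSession);
  const redis = require('redis');
  const opts = buildSessionOptions(env);
  const sessionStore = opts.sessionStoreUrl
    ? new RedisStore({ client: redis.createClient({ url: opts.sessionStoreUrl }) })
    : undefined;

  return new Keystone({
    cookieSecret: opts.cookieSecret,
    secureCookies: opts.secureCookies,
    sessionStore,
    queryLimits: { maxTotalResults: 1000 }, // see the DoS Hardening item below
    // adapter: configure your database adapter as usual
  });
}
```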

Caching

Improve performance and responsiveness by adding cache hints to your lists and fields.

Access Control

Configure access control to limit who can do what with your data.

DoS Hardening

Add query limits and validation to protect your server against maliciously complex queries.

Using Reverse Proxies

NB: If you're using a third-party hosted environment, you might already be using a reverse proxy, but Keystone will need to be configured for it.

It's recommended to run production JavaScript servers behind a reverse proxy such as Nginx, HAProxy, a CDN or a cloud-based application (layer 7) load balancer. Doing that can improve performance and protect against Slowloris DoS attacks.

Environment Variables

Don't forget to set the NODE_ENV environment variable to production when running. Many npm libraries check this to enable production mode.

NODE_ENV=production keystone start

Monitoring

If you care about your app, you'll want to know if something bad happens to it. There are many uptime monitoring service providers who'll regularly ping your app and notify you if it stops working.
