SvelteKit implementation checklist

Verify svelte.config.js uses the correct adapter for the target environment (e.g., @sveltejs/adapter-cloudflare for Workers or @sveltejs/adapter-node for Docker).

Ensure all sensitive keys (Stripe secrets, DB strings) are imported from $env/static/private or $env/dynamic/private and never exposed in client-side code.

Set the ORIGIN environment variable on Node-based adapters to match the production domain to prevent cross-site request forgery.

Define the engine version in package.json to match the deployment runtime (e.g., node: '>=20.0.0') to avoid runtime syntax errors.

If using Cloudflare or Vercel Edge, verify that no Node-specific built-ins (fs, path, crypto) are used in server load functions.

Apply use:enhance to all <form> elements to ensure functionality when JavaScript is disabled or failing to load.

Validate request.formData() using a schema library like Zod inside server actions before processing data.

Use the fail() helper to return 4xx status codes and validation errors instead of throwing generic 500 errors.

Configure Drizzle or your ORM to use a connection pooler (like PgBouncer) to prevent connection exhaustion in serverless environments.

Return nested promises in load functions to stream non-critical data, preventing slow API calls from blocking the initial page paint.

Replace component-level writable stores with $state() runes to utilize the more efficient fine-grained reactivity system.

Define all component inputs using the $props() rune with TypeScript interfaces for compile-time safety.

Verify that all $effect() runes that initialize external listeners or timers return a cleanup function to prevent memory leaks.

Use $derived() or $derived.by() for computed values to ensure they are only recalculated when their dependencies change.

Convert repeated HTML patterns into @render snippets to reduce component overhead and improve maintainability.

Implement session validation in the handle hook to ensure user state is globally accessible via event.locals.

Ensure session cookies are configured with secure: true, httpOnly: true, and sameSite: 'lax' in production.

Enable and configure the csp object in svelte.config.js to restrict script sources and prevent XSS attacks.

Apply rate-limiting logic to sensitive routes like /login or AI-generation endpoints using a Redis-based middleware.

Manually sanitize any user-provided string that is rendered using the {@html} tag to prevent script injection.

Export const prerender = true for all routes that do not contain user-specific data to serve them via CDN.

Use a specialized image component or Vite plugin to serve WebP/AVIF formats and prevent layout shifts with fixed aspect ratios.

Add <link rel="preload"> tags in app.html for critical brand fonts to minimize Flash of Unstyled Text (FOUT).

Set appropriate setHeaders() in server load functions for public assets to leverage browser and edge caching.

Run vite-bundle-visualizer and remove any large libraries that can be replaced with native browser APIs or smaller alternatives.

Implement a <svelte:head> block in +layout.svelte or +page.svelte that pulls title and description from the load function data.

Ensure every page renders a <link rel="canonical"> tag based on the current page URL to avoid duplicate content penalties.

Configure an endpoint at /sitemap.xml that dynamically lists all crawlable routes using a library like super-sitemap.

Initialize Sentry or a similar service in hooks.server.ts and hooks.client.ts to capture runtime exceptions.

Verify that static/robots.txt exists and correctly points to the sitemap URL.