I’d actually recommend removing some items from the list. Even if they’re good ideas, I wouldn’t consider some of these absolutely required, especially not in the context of MVP. “Use Distributed Denial of Service (DDOS) mitigation via a global caching proxy service like CloudFlare.” Does every website really need a CloudFlare? “Create all infrastructure using a tool such as Terraform” Does every website really need a Terraform? “Use centralized logging for all services. You should never need SSH to access or retrieve logs.” Not a bad idea, but it’s debatable and not exactly something I’d put on a security checklist for an MVP. Good read though.