diff --git a/docs/docs.json b/docs/docs.json
index ac106be..db4af12 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -132,6 +132,7 @@
{
"group": "Operations Guides",
"pages": [
+ "v2/guides/operations/production",
{
"group": "Deployment",
"pages": [
diff --git a/docs/v2/configuration/overview.mdx b/docs/v2/configuration/overview.mdx
index 514c740..5c33d72 100644
--- a/docs/v2/configuration/overview.mdx
+++ b/docs/v2/configuration/overview.mdx
@@ -633,7 +633,13 @@ Meta configuration controls Flipt's internal behavior including update checks, t
| meta.check_for_updates | Enable check for newer versions of Flipt on startup | true | v2.0.0 |
| meta.telemetry_enabled | Enable anonymous telemetry data (see [Telemetry](/v2/configuration/telemetry)) | true | v2.0.0 |
| meta.state_directory | Directory on the host to store local state | $HOME/.config/flipt | v2.0.0 |
-| diagnostics.profiling.enabled | Enable profiling endpoints for pprof | true | v2.0.0 |
+| diagnostics.profiling.enabled | Enable profiling endpoints for pprof | false | v2.0.0 |
+
+
+ Changed in **v2.10.0**: diagnostics.profiling.enabled now defaults to false.
+ If you rely on pprof endpoints, explicitly set it to true in your
+ configuration.
+
## Deprecations
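Review bot: the changed `diagnostics.profiling.enabled` row now shows `false` with `v2.0.0` still in the last column, and the added note says only that the option "now defaults to false", so nothing in this hunk records that the default was `true` before v2.10.0. Suggest wording the note as "defaults to false (previously true)" and naming the override beside it, for example `FLIPT_DIAGNOSTICS_PROFILING_ENABLED=true`, so operators upgrading across v2.10.0 who depend on `/debug/pprof` can see what changed and how to restore it.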
diff --git a/docs/v2/guides/operations/production.mdx b/docs/v2/guides/operations/production.mdx
new file mode 100644
index 0000000..61e8144
--- /dev/null
+++ b/docs/v2/guides/operations/production.mdx
@@ -0,0 +1,216 @@
+---
+title: "Production Readiness"
+description: "Key configuration options for operating Flipt v2 in production"
+---
+
+Flipt v2's default configuration is designed for local development and quick start. To run Flipt v2 reliably in production, you should review and adjust the following configuration options.
+
+## Logging
+
+Debug logging is useful during development or troubleshooting, but under load it consumes CPU and produces excessive noise that can bury important signals.
+
+Set the log level to `info` in production:
+
+
+
+
+ ```bash
+ FLIPT_LOG_LEVEL=info
+ ```
+
+
+
+
+ ```yaml
+ log:
+ level: info
+ ```
+
+
+
+
+For structured log output suitable for log aggregation systems, you can also set the encoding to `json`:
+
+
+
+
+ ```bash
+ FLIPT_LOG_ENCODING=json
+ ```
+
+
+
+
+ ```yaml
+ log:
+ encoding: json
+ ```
+
+
+
+
+See the [Observability documentation](/v2/configuration/observability) for more logging configuration options.
+
+## Profiling Endpoints
+
+Flipt exposes [pprof](https://pkg.go.dev/net/http/pprof) profiling endpoints at `/debug/pprof`. These are invaluable for debugging performance issues but can expose sensitive runtime information if publicly accessible.
+
+Disable profiling in production unless you actively need it:
+
+
+
+
+ ```bash
+ FLIPT_DIAGNOSTICS_PROFILING_ENABLED=false
+ ```
+
+
+
+
+ ```yaml
+ diagnostics:
+ profiling:
+ enabled: false
+ ```
+
+
+
+
+If you need profiling in production, restrict access to internal networks only.
+
+## Update Checks
+
+By default, Flipt v2 checks for newer versions on startup. This can be disabled in air-gapped or security-sensitive environments:
+
+
+
+
+ ```bash
+ FLIPT_META_CHECK_FOR_UPDATES=false
+ ```
+
+
+
+
+ ```yaml
+ meta:
+ check_for_updates: false
+ ```
+
+
+
+
+## Prometheus Metrics
+
+Flipt v2 exposes Prometheus metrics at the `/metrics` HTTP endpoint by default. Ensure this endpoint is not publicly accessible - restrict it via network policies, reverse proxy rules, or your ingress configuration.
+
+If you do not require metrics, you can disable them:
+
+
+
+
+ ```bash
+ FLIPT_METRICS_ENABLED=false
+ ```
+
+
+
+
+ ```yaml
+ metrics:
+ enabled: false
+ ```
+
+
+
+
+For production, Flipt also supports exporting metrics to an [OTLP](https://opentelemetry.io/docs/concepts/data-collection/) collector for integration with observability platforms such as Datadog, Honeycomb, or New Relic. See the [Observability documentation](/v2/configuration/observability) for more details.
+
+## CORS Configuration
+
+If you are integrating Flipt v2 with a client-side application (for example, a browser-based frontend built with React, Vue, Angular, or similar frameworks), you must enable and properly configure CORS to allow requests from your frontend domain. For security reasons, restrict `allowed_origins` to your known frontend URLs instead of using the wildcard `*`.
+
+
+
+
+ ```bash
+ FLIPT_CORS_ENABLED=true
+ FLIPT_CORS_ALLOWED_ORIGINS=https://app.example.com
+ ```
+
+
+
+
+ ```yaml
+ cors:
+ enabled: true
+ allowed_origins:
+ - "https://app.example.com"
+ ```
+
+
+
+
+## Storage Configuration
+
+Flipt v2 supports two storage backend types:
+
+- **`memory`** (default): In-memory store. Data is lost on restart.
+- **`local`**: Persists data to the local filesystem. Data survives restarts.
+
+Both backends can be paired with a git remote to sync flag state to and from a remote Git repository for persistence, history, and collaboration across deployments.
+
+For production, use the `local` backend with a git remote:
+
+```yaml
+storage:
+ default:
+ backend:
+ type: local
+ path: /var/lib/flipt
+ remote: https://github.com/your-org/flags.git
+ branch: main
+```
+
+For private repositories, you'll also need to configure credentials. See the [Storage documentation](/v2/configuration/storage) and [Git Sync guide](/v2/guides/operations/environments/git-sync) for more details.
+
+## Authentication and Authorization
+
+In production, you should enable authentication to control access to Flipt v2:
+
+
+
+
+ ```bash
+ FLIPT_AUTHENTICATION_REQUIRED=true
+ ```
+
+
+
+
+ ```yaml
+ authentication:
+ required: true
+ ```
+
+
+
+
+Flipt v2 supports multiple authentication methods including GitHub OAuth and OIDC. See the [Authentication documentation](/v2/configuration/authentication) for configuration details.
+
+For fine-grained access control, [configure RBAC policies using OPA-based authorization](/v2/configuration/authorization) to restrict what authenticated users can do.
+
+## Backup Strategy
+
+Flipt v2's Git-native storage means your feature flag data is already version-controlled in a Git repository. Ensure your backup strategy covers:
+
+- **Git repository**: The source Git repository should be backed up by your Git provider (e.g. GitHub, GitLab). Consider mirroring to a secondary repository for additional redundancy.
+- **Analytics data**: If using ClickHouse, ensure that data is backed up according to your organizational policies.
+
+## Next Steps
+
+- [Deploy to Kubernetes](/v2/guides/operations/deployment/deploy-to-kubernetes) — Deploy with our official Helm chart
+- [Git Sync](/v2/guides/operations/environments/git-sync) — Configure Git-backed storage
+- [Observability](/v2/configuration/observability) — Metrics, logging, and tracing
+- [Authentication](/v2/configuration/authentication) — Secure your Flipt instance
+- [Authorization](/v2/configuration/authorization) — Configure RBAC policies for fine-grained access control
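Review bot: in the Profiling Endpoints section, "Disable profiling in production unless you actively need it" presents `enabled: false` as a step the operator has to take, while the overview.mdx change in this same patch makes `false` the default from v2.10.0. Suggest stating that the setting is already off by default from v2.10.0 and only needs to be set on earlier versions or to pin it explicitly. The section's closing sentence, "restrict access to internal networks only", is also less concrete than the Prometheus Metrics section, which names network policies, reverse proxy rules and ingress configuration; reusing that wording, and saying whether `authentication.required` applies to `/debug/pprof` and `/metrics`, would tell readers what actually protects these endpoints.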