# Deployment checklist

Use this checklist before deploying your Financial Connections integration.

When integrating with Financial Connections on the web, refer to this checklist to ensure your users can use the [authentication flow](https://docs.stripe.com/financial-connections/fundamentals.md#authentication-flow) without issue.

- [ ] Check the Cross-Origin-Opener-Policy response header
      Configure the page that launches the authentication flow so that the `Cross-Origin-Opener-Policy` response header is `same-origin-allow-popups`, `restrict-properties`, or `unsafe-none`. Using a restrictive value such as `same-origin` might interfere with OAuth bank login flows. If your page doesn’t set a `Cross-Origin-Opener-Policy` header, it [defaults](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy#unsafe-none) to `unsafe-none`.

- [ ] Check the Referrer-Policy response header
      Configure the page that launches the authentication flow with a referrer policy that sends a `Referer` header to other origins. Either don’t send a `Referrer-Policy` response header or use a value such as `origin`, `origin-when-cross-origin`, `strict-origin`, or `strict-origin-when-cross-origin`. Using `no-referrer` suppresses the `Referer` header and might interfere with OAuth bank login flows.

      If your page contains a `<meta name="referer" />` tag, set its `content` value to one of `origin`, `origin-when-cross-origin`, `strict-origin`, or `strict-origin-when-cross-origin`.

- [ ] Check any iframe sandbox properties
      If the page that launches the authentication flow is displayed inside an `iframe`, include `allow-popups-to-escape-sandbox` in the `sandbox` property. Some OAuth flows don’t work inside a sandboxed `iframe`, so using a more restrictive `allow-popups` value breaks them. See the [MDN `iframe` documentation](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#allow-popups) for a full description of these values.

- [ ] Test your integration in a sandbox
      Before enabling live traffic, [test your integration](https://docs.stripe.com/financial-connections/testing.md) using a [sandbox](https://docs.stripe.com/sandboxes.md). Use each of the **Test (OAuth)**, **Test (Non-OAuth)**, **Bank (OAuth)**, and **Bank (Non-OAuth)** institutions to link accounts.