Content

• Spell-check copy
• Check links are correct
• Check the website is retina compatible
• Set favicon
• Customize the default error views
• Check you have dumb 500 error pages, the least logic in it minimizes the risk of infinite break redirects
• Test target browsers compatibility
• Guarantee the application is mobile-friendly: http://bit.ly/ggl-mobile-friendly-tool

Accessibility

• Check accessibility on Wave: http://bit.ly/wave-web-tool

SEO & Analytics

• Configure Google Tag Manager: http://bit.ly/tag-manager-tool
• Run Google Webmasters Tools: http://bit.ly/ggl-webmasters-tools
• Make a robots.txt
• Make a sitemap.xml
• Check pages have descriptive and unique titles
• Check meta descriptions are unique

Performance

• Check HTML, CSS and JS files are minified
• Guarantee correct viewport <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">: http://bit.ly/boot-starter-template
• Check performance on Google Page Speed: http://bit.ly/ggl-page-speed-tool
• Check performance on GTmetrix: http://bit.ly/gtmetrix-tool
• Scan your site on webhint: http://bit.ly/webhint-tool

Transactional Emails

• Check if email templates are correct
• Configure SendGrid, Mailgun, or another transactional email service
• Set an automatic BCC for admins
• Save metadata of every email sent

Monitoring

• Check no sensitive data is being logged
• Check if logs are prefixed according to task/feature
• Configure Papertrail or another logging service
• Set Papertrail alerts and integrate with Slack and email
• Configure Sentry or another error tracking service
• Configure Uptime monitoring
• Configure New Relic or another application monitoring service

Security

• Check the SaaS CTO Security Checklist: http://bit.ly/sqreen-security-checklist
• Run Observatory: http://bit.ly/mozilla-observatory
• Add all accesses of third-party tools to LastPass, or other password manager service
• Update OAuth callback/deauthorize URLs in all third-party services
• Rotate OAuth keys of all third-party services
• Change passwords of all third-party services
• Check if buckets/blob storages of AWS/Azure are private
• Setup AWS S3 buckets encryption
• Check interactive shells are read-only

DNS

• Check records
• Check TTL, set low when launching, set high after everything is fine
• Configure a custom domain
• Move API to a different subdomain (like api.example.org), this allows a different server for frontend
• Enforce or remove www subdomain

Server

• Check if latest server stack is being used
• Check if latest server OS version is being used
• Check if latest server Python version is being used
• Configure Redis maxmemory and eviction policy (likely volatile-ttl)
• Configure RabbitMQ: http://bit.ly/rabbitmq-production-checklist
• Configure SSL for everything
• Test SSL health: http://bit.ly/ssl-server-test
• Configure SSL certificates autorenewal
• Tune PostgreSQL settings: http://bit.ly/pgtune-tool
• Configure database backups generation scripts
• Configure entire database server disk backup
• Guarantee Celery and other services aren't running as sudo
• Configure application firewall for application servers
• Limit file size for uploads
• Validate uploads media types
• Configure throttling
• Configure autoscaling
• Enable HTTP/2
• Check if all services are able to handle autoscaling upper limits. (Eg.: will your Redis be able to handle connections if X servers are provisioned)
• Configure DNS/caching
  • Enable Brotli Compression
  • Check and enable the speed features that don't interfere with your application
• Enable other speed/WAF features