Content
- Spell-check copy
- Check links are correct
- Check the website is retina compatible
- Set favicon
- Customize the default error views
- Test target browsers compatibility
- Guarantee the application is mobile-friendly: http://bit.ly/ggl-mobile-friendly-tool
Accessibility
- Check accessibility on Wave: http://bit.ly/wave-web-tool
SEO & Analytics
- Configure Google Tag Manager: http://bit.ly/tag-manager-tool
- Run Google Webmasters Tools: http://bit.ly/ggl-webmasters-tools
- Make a robots.txt
- Make a sitemap.xml
- Check pages have descriptive and unique titles
- Check meta descriptions are unique
Performance
- Check HTML, CSS and JS files are minified
-
Guarantee correct viewport
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
: http://bit.ly/boot-starter-template - Check performance on Google Page Speed: http://bit.ly/ggl-page-speed-tool
- Check performance on GTmetrix: http://bit.ly/gtmetrix-tool
- Scan your site on webhint: http://bit.ly/webhint-tool
Transactional Emails
- Check if email templates are correct
- Configure SendGrid, Mailgun, or another transactional email service
- Set an automatic BCC for admins
- Save metadata of every email sent
Monitoring
- Check no sensitive data is being logged
- Check if logs are prefixed according to task/feature
- Configure Papertrail or another logging service
- Set Papertrail alerts and integrate with Slack and email
- Configure Sentry or another error tracking service
- Configure Uptime monitoring
- Configure New Relic or another application monitoring service
Security
- Check the SaaS CTO Security Checklist: http://bit.ly/sqreen-security-checklist
- Run Observatory: http://bit.ly/mozilla-observatory
- Add all accesses of third-party tools to LastPass, or other password manager service
- Update OAuth callback/deauthorize URLs in all third-party services
- Rotate OAuth keys of all third-party services
- Change passwords of all third-party services
- Check if buckets/blob storages of AWS/Azure are private
- Setup AWS S3 buckets encryption
- Check interactive shells are read-only
DNS
- Check records
- Check TTL, set low when launching, set high after everything is fine
- Configure a custom domain
-
Move API to a different subdomain (like
api.example.org
), this allows a different server for frontend - Enforce or remove www subdomain
Server
- Check if latest server stack is being used
- Check if latest server OS version is being used
- Check if latest server Python version is being used
-
Configure Redis maxmemory and eviction policy (likely
volatile-ttl
) - Configure RabbitMQ: http://bit.ly/rabbitmq-production-checklist
- Configure SSL for everything
- Test SSL health: http://bit.ly/ssl-server-test
- Configure SSL certificates autorenewal
- Tune PostgreSQL settings: http://bit.ly/pgtune-tool
- Configure database backups generation scripts
- Configure entire database server disk backup
- Guarantee Celery and other services aren't running as sudo
- Configure application firewall for application servers
- Limit file size for uploads
- Validate uploads media types
- Configure throttling
- Configure autoscaling
- Enable HTTP/2
- Check if all services are able to handle autoscaling upper limits. (Eg.: will your Redis be able to handle connections if X servers are provisioned)
-
Configure DNS/caching
- Enable Brotli Compression
- Check and enable the speed features that don't interfere with your application
- Enable other speed/WAF features