MsgTrail
Archive
About

2018-02-01 9:22 — By Erik van Eykelen

Pre-Flight Website Checklist

Recently I was asked by a friend “what do I need to check before going live with a website?”. I compiled the following (incomplete) list of stuff that sprang to mind:

(in no particular order)

  • Use a spell checking browser extension e.g. for Chrome to check in-page spelling.
  • Is the use of capitalization the same across the site? (“About Us” vs “About us”).
  • Do sentences and titles end with a dot? Or only sentences and not for titles? Be consistent.
  • Use your browser’s find-in-page feature to check for “lorem” or your own favorite placeholder (xxx, todo, etc).
  • Do the links to the Terms of Service & Privacy Policy work?
  • Did you “borrow” legal texts and did you forget to replace someone else’s company name?
  • Is a favicon.ico in place? Working on iOS/Android too? Check out http://realfavicongenerator.net/.
  • Check all pages with the development console open. Check for JS/CSS errors.
  • HTML validate all pages (hang on why!) not because I feel all pages should be validating 100% but simply because you don’t want to have dangling unclosed tags which may cause browser-specific rendering issues (especially Firefox is or was vulnerable to this).
  • Check all pages using the device emulator in Chrome. At least iPhone 5-sized devices, iPad-sized devices, and laptop-sized devices should all render and scale properly.
  • Are images retina-optimized? Test on a Retina device as well as a non-retina device.
  • Check all pages and then check the browser history to see if all pages have meaningful <title>s.
  • Is robots.txt present? Google for the latest tips on keeping out irrelevant bots.
  • Can Facebook find the proper logo and other meta data? (Google for “Open Graph”).
  • Are all other SEO meta tags set up correctly? Keywords, description, other micro formats you want to support? Check out https://www.screamingfrog.co.uk/seo-spider/.
  • Is Google Analytics set up? Or (2019 edit) a more privacy-conscious service like https://simpleanalytics.io/.
  • Does nothing in the site rely on mouse over? Because mobile...
  • Can you click on the text of a checkbox? (and not only on the checkmark).
  • Are spaces before and after all form fields stripped in the controller? (except maybe for password fields). E.g. foo should be stored as foo.
  • Can you enter e.g. ë in name fields?
  • What happens if you enter “#><img src=x onerror=prompt(3);> in fields like name or address? Is this script executed e.g. in the CMS/backend when someone looks at the user’s profile? If so you have an XSS issue.
  • Injection attacks: check out https://www.owasp.org/index.php/Top_10_2013-Top_10. See https://github.com/brunofacca/zen-rails-security-checklist for a Rails-oriented checklist.
  • Fishing trip: try obtaining data from someone else by guessing IDs.
  • URL mangling: try changing GET request parameters.
  • Form mangling: try adding data or changing data in POST requests.
  • Try sign out and going back to authenticated pages: is authentication properly enforced?
  • After POSTing: is the user redirected to a new (2nd) page to prevent him from reloading the page and submitting the form again?
  • Can you delete things of yourself or others by changing the HTTP verb?
  • Has rate limiting (to mitigate brute-force login attacks) been set up?
  • Are assets not downloaded via S3 but via Cloudfront instead? S3 times out occasionally.
  • Are passwords encrypted using e.g. Bcrypt?
  • Is Gzip enabled on the web server?
  • If SVG is used: is this aligned/compatible with your target audience’s browsers?
  • Has SSL been set up correctly? Use https://badssl.com/ and https://www.ssllabs.com/ssltest/.
  • Have you recently moved the domain name to another registrar? DNSSEC may lag behind and especially Google’s DNSes are notoriously slow to catch up. Change the DNS on your dev machine to use 8.8.8.8 and 8.8.4.4 and reload the site a dozen times. No connection issues?
  • Has a secondary DNS been setup? It’s easy with DNSimple. This solves DDOS attacks on the primary DNS.
  • Has SPF and DKIM been setup for (transactional) emails? See http://www.appmaildev.com/en/dkim/.
  • Are cookies not used at all by client-side JS? Set httponly: true in that case.
  • Is the user redirected to https in case he lands on http?
  • Can users easily find where you are based? (city/country).
  • Can users easily find how to contact you? (email/phone).
  • Use the Chrome network tab to check for huge files that accidentally have not been scaled down.
  • Use Google’s Page Speed.
  • Use ImageOptim.app (for Mac) or a similar tool to reduce file sizes of images.
  • Check if videos on the site are optimized for streaming via HTTP.
  • Are JS files concatenated and minified? And placed all the way down in the body?
  • Are CSS files concatenated and minified (and loaded in the right order!).
  • Test the file using a slow connection (possible via Chrome dev console). It reveals issues with JavaScript events being fired in the wrong order, or assuming stuff is loaded which is actually not yet loaded.
  • Test using the latest version and previous version of Firefox, Safari, Chrome and IE. Use browserstack.com for this.
  • Check the postal addresses, email address and phone numbers: a surprising number of typos occur with this type of info. Call the number(s) to check if someone actually picks the phone. Are calls forwarded to a voicemail if no one picks up?
  • Have you licensed non-open source JS libraries? Same goes for stock images, videos and web fonts.
  • What happens if you double click on everything? A surprising number of users double click everything on the web because they have been trained to double click anything in Windows. This is a real issue and it causes a lot of headaches: forms being submitted twice, payments being made twice, etc. Best remedy is to disable form buttons using JS after the first click has been registered.
  • Can the user go back to the home page on every page? Most users look for a logo in the top-left corner.
  • Are 4xx/5xx pages in place?
  • Are backups in place?
  • Are you filtering out our own IPs from e.g. Google Analytics.
  • Is an XML sitemap set up?
  • Can e.g. invoices be printed (special print.css may be necessary).
  • Use a link checker: https://validator.w3.org/checklink or use the Check My Links Chrome extension.
  • Has uptime monitoring been setup?
  • Is Responsible Disclosure setup? See e.g. zerocopter.com or hackerone.com.
  • Is RSS setup for news page or blog (both as a link/button as well as discovery meta tag).
  • Has caching been setup in such a way that it is effective but not in such an aggressive way that it becomes hard to actually roll out updates? Ensure that e.g. timestamps are added to images etc so that on next deploy all assets (or only the updated assets) automatically get a new timestamp in their file names.
  • In case of developer-oriented site: has status.{domain}.{ext} been setup? Consider e.g. https://www.statuspage.io/.
  • Remove basic authentication from the production site (easy to forget because the credentials are cached by your browser).
  • Are you not always loading (large) JS files that are only needed on a few specific pages?
  • Has support@ or something similar been set up?
  • Are Twitter, Facebook, et cetera pointing to the correct (live) domain?

Check out my product Operand, a collaborative tool for due diligences, audits, and assessments.

See archive for older posts