DevChecklistKit
The ultimate checklist for web developers.
Ship faster, safer, and with confidence.
Use, copy, and share best practices for modern web projects.
`npx dev-checklist-kit`
`dev-checklist-kit.md`
# Website Deployment Checklist
## 1. Code & Functionality
- [ ] All pages load correctly (no 404s or errors), and custom 404 / error pages exist
- [ ] Forms work, validate properly, and handle invalid input
- [ ] No broken links (internal or external)
- [ ] Responsive design (mobile/tablet/desktop)
- [ ] Cross-browser tested (Chrome, Firefox, Safari, Edge)
- [ ] Console is free of JavaScript errors and warnings
- [ ] Third-party services (APIs, payments, embeds) are integrated and tested
- [ ] Routes and redirects function correctly (including 404 and 500 pages)
- [ ] Code is modular, reusable, and follows naming conventions
- [ ] Edge cases are handled (empty states, long content, offline mode)
- [ ] Loading and error states are implemented properly
- [ ] Lazy loading or code splitting is used where applicable
- [ ] State management works correctly and doesn't leak data
- [ ] Inputs are sanitized to prevent XSS or injection attacks
- [ ] No sensitive data (tokens, secrets) exposed in frontend
- [ ] Async functions have error handling (try/catch or .catch)
- [ ] Important events (clicks, errors, user actions) are tracked (if analytics is used)
- [ ] Animations and transitions don't block or break functionality
- [ ] Lighthouse performance score is above 80
- [ ] No framework warnings (e.g., React keys, hydration mismatches)
- [ ] Forms have protection against double submissions (e.g., disable button after click)
- [ ] Frontend enforces business rules (e.g., can't delete what wasn't created)
- [ ] Basic authentication/authorization works (if applicable)
## 2. Performance Optimization
- [ ] Images are optimized (compressed without quality loss)
- [ ] CSS/JS is minified
- [ ] Lazy loading is enabled for large assets
- [ ] Code splitting and tree shaking (if using frameworks like React/Vue)
- [ ] CDN is configured for static assets (if needed)
- [ ] Lighthouse or PageSpeed scores are acceptable
Extended Checklist (Advanced / Often Missed)
- [ ] Critical CSS is inlined
- [ ] Fonts are optimized and loaded efficiently (e.g., font-display: swap)
- [ ] HTTP/2 or HTTP/3 is enabled
- [ ] Third-party scripts are audited
- [ ] Preconnect / DNS-prefetch / Preload hints are used wisely
- [ ] JavaScript is deferred or loaded async when possible
- [ ] Avoid excessive DOM nodes
- [ ] Server response times (TTFB) are optimized
- [ ] Set caching policies (Cache-Control / ETag)
- [ ] Use efficient data formats (e.g., JSON over XML, Brotli compression)
## 3. SEO & Metadata
- [ ] Title tags and meta descriptions for all pages
- [ ] Open Graph and Twitter meta tags for social sharing
- [ ] Sitemap.xml is generated and linked in robots.txt
- [ ] Robots.txt is present and configured correctly
- [ ] Canonical tags are set to avoid duplicate content
- [ ] H1-H6 hierarchy is logical
## 4. Security
Authentication & Authorization
- [ ] Admin/dashboard is protected with proper authentication
- [ ] Sessions are secure (HTTPOnly, Secure, SameSite cookies or secure tokens)
- [ ] Rate limiting is applied to login and sensitive endpoints (e.g., express-rate-limit)
- [ ] Passwords are hashed securely using bcrypt, Argon2, etc.
- [ ] Roles and permissions are enforced server-side
Network & Transport
- [ ] HTTPS is enforced (SSL/TLS installed, 301 redirects from HTTP)
- [ ] HSTS headers are set (Strict-Transport-Security)
- [ ] CORS is properly configured and restrictive
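The three transport items above (HTTPS redirect, HSTS, restrictive CORS) as one added example; this is not DevChecklistKit's code. The request object uses an Express-style shape (`req.protocol`, `req.headers`, `req.url`), which is an assumption, and the Host allow-list guards against redirecting to an attacker-supplied Host header. The origin allow-list and host names are constructed.

```javascript
// Decide whether a plain-HTTP request must be redirected to HTTPS.
// Behind a reverse proxy the original scheme arrives in X-Forwarded-Proto; only
// trust it when you know the proxy sets it (trustProxy), otherwise a client could
// claim "https" and skip the redirect.
function httpsRedirectFor(req, { allowedHosts, trustProxy = false }) {
  const forwarded = trustProxy ? req.headers['x-forwarded-proto'] : undefined;
  const proto = forwarded ? forwarded.split(',')[0].trim() : req.protocol;
  if (proto === 'https') return null; // already secure, nothing to do
  const host = (req.headers.host || '').toLowerCase();
  // Never build a redirect from an unknown Host: that would turn the 301 into an open redirect.
  if (!allowedHosts.includes(host)) return { status: 400 };
  return { status: 301, location: `https://${host}${req.url}` };
}

// HSTS value. Send it only on HTTPS responses; start with a short max-age when first
// rolling out, then raise it once every subdomain is known to work over TLS.
function hstsHeader({ maxAgeSeconds = 31536000, includeSubDomains = true, preload = false } = {}) {
  let value = `max-age=${maxAgeSeconds}`;
  if (includeSubDomains) value += '; includeSubDomains';
  if (preload) value += '; preload';
  return value;
}

// CORS headers for a response. The Origin is echoed only when it is on the allow-list;
// unknown origins get no CORS headers at all, so the browser blocks the cross-site read.
// "*" is never used together with credentials.
function corsHeadersFor(origin, allowedOrigins, { allowCredentials = false } = {}) {
  if (!origin || !allowedOrigins.includes(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    Vary: 'Origin', // shared caches must not serve one origin's response to another
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '600',
  };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Usage with constructed values.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
const ALLOWED_ORIGINS = ['https://app.example.com'];
console.log(httpsRedirectFor({ protocol: 'http', headers: { host: 'example.com' }, url: '/login' }, { allowedHosts: ALLOWED_HOSTS }));
console.log(hstsHeader());
console.log(corsHeadersFor('https://evil.example', ALLOWED_ORIGINS));
```

`Vary: Origin` is the line people forget: without it a CDN can cache the response echoing `app.example.com` and hand it to a request from another origin.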
Input & Output Handling
- [ ] Input validation & sanitization in place (use libraries like valibot, zod, express-validator)
- [ ] Outputs are encoded to prevent XSS (especially user-generated content)
- [ ] File uploads are validated for type and size
- [ ] No eval / Function() or insecure dynamic code
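The validation, output-encoding and upload items above, as an added example that is not part of DevChecklistKit. Instead of a library like zod or valibot it hand-rolls a small allow-list validator for a comment form so the shape of the check is visible, encodes every user-supplied value for the HTML context at render time, and checks an upload's magic bytes against its declared type rather than trusting the extension. The form fields, limits, and sample payloads are constructed.

```javascript
// Validate a comment-form payload: allow-list the fields, check type, length and format.
// Returns { ok: true, value } with only the known fields, or { ok: false, errors }.
function validateComment(input) {
  if (typeof input !== 'object' || input === null) return { ok: false, errors: ['body must be an object'] };
  const errors = [];
  const out = {};

  const name = typeof input.name === 'string' ? input.name.trim() : '';
  if (name.length < 1 || name.length > 60) errors.push('name: 1-60 characters');
  else out.name = name;

  const email = typeof input.email === 'string' ? input.email.trim() : '';
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('email: invalid');
  else out.email = email.toLowerCase();

  const body = typeof input.body === 'string' ? input.body : '';
  if (body.length < 1 || body.length > 2000) errors.push('body: 1-2000 characters');
  else out.body = body; // stored as-is; encoding happens at output, per context

  // Unknown keys (e.g. a smuggled "role") are dropped: never spread a raw request body into a write.
  return errors.length ? { ok: false, errors } : { ok: true, value: out };
}

// Encode for HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render a stored comment; every user-supplied value passes through escapeHtml.
function renderComment(c) {
  return `<article><h3>${escapeHtml(c.name)}</h3><p>${escapeHtml(c.body)}</p></article>`;
}

// Upload check: size first, then the file signature must match the declared MIME type.
const SIGNATURES = {
  'image/png': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'image/jpeg': Buffer.from([0xff, 0xd8, 0xff]),
};
function checkUpload(buf, declaredType, maxBytes) {
  if (buf.length > maxBytes) return { ok: false, reason: 'too large' };
  const sig = SIGNATURES[declaredType];
  if (!sig) return { ok: false, reason: 'type not allowed' };
  if (buf.length < sig.length || !buf.subarray(0, sig.length).equals(sig)) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  return { ok: true };
}

// Usage with a constructed payload that carries markup in the body.
const submitted = { name: 'Mallory', email: 'm@example.com', body: '<script>alert(1)</script>', role: 'admin' };
const checked = validateComment(submitted);
console.log(checked.ok, renderComment(checked.value));
```

Note the split of responsibilities: validation rejects malformed input and drops unknown fields, but it does not strip markup from the body, because the same stored string may later be emitted into HTML, JSON or a plain-text email, and each of those needs its own encoder at output time.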
Dependencies & Infrastructure
- [ ] Dependencies are up-to-date and scanned for vulnerabilities (npm audit, snyk, dependabot)
- [ ] Environment variables are not exposed to client
- [ ] Error messages don't expose stack traces or sensitive data
- [ ] Backend is not exposing internal logic or debug routes
- [ ] Database access is protected (no open ports, use firewalls)
Headers & Browser Protections
- [ ] Security headers are set (helmet, Content-Security-Policy, X-Frame-Options, etc.)
- [ ] CSP (Content Security Policy) blocks inline scripts and limits resources
- [ ] CSRF protection is in place for state-changing operations
Attack Surfaces & Testing
- [ ] Common OWASP vulnerabilities are tested against (XSS, CSRF, SSRF, etc.)
- [ ] Vulnerability scanning is performed (e.g., OWASP ZAP, nmap, nikto)
- [ ] Logs are monitored for unusual activity
- [ ] 2FA is enforced for admin accounts (if applicable)
## 5. Analytics & Monitoring
Basic Analytics
- [ ] Google Analytics (or an alternative) is installed
Tools: Plausible (lightweight, GDPR-friendly), Matomo (self-hosted option), Fathom
Event & Custom Tracking
- [ ] Custom events and goals are defined. Track specific interactions like clicks, signups, and purchases, not just pageviews.
Tool: Google Analytics 4 (GA4), or `gtag("event", ...)` for custom tracking.
- [ ] Consent-based tracking is respected
Error Logging
- [ ] Frontend error logging is enabled (e.g., Sentry, LogRocket, Bugsnag)
- [ ] Backend error logging is in place
Tools: Winston, Logtail, Sentry, Datadog
- [ ] Alerts are configured for critical issues
Performance Monitoring
- [ ] Core Web Vitals are tracked over time
Tools: Google Analytics 4 (enable Web Vitals), Calibre, SpeedCurve
- [ ] Real User Monitoring (RUM) is active
Tools: Datadog, Pingdom, New Relic, LogRocket
Uptime & Availability
- [ ] Uptime monitoring is configured
Tools: UptimeRobot (Free for 5 monitors), Updown.io, Better Uptime
- [ ] Downtime alerts go to the right person/channel
- [ ] SSL and domain expiration alerts
Tool: Updown.io or use whois tools with notification services.
## 6. Accessibility (a11y)
- [ ] Images have alt text
- [ ] All images have descriptive alt text, or empty alt="" if decorative
- [ ] Form fields have associated