Go Live Checklist for Web Applications...

I was trying to think of a memorable summation of the go-live check lists that I have variously applied over my various releases. One of my much more competent than I ex-colleagues sent a quite comprehensive list, which I tried to break down into these categories;

  1. Does it work?
  2. Is is reliable?
  3. Is it secure?
  4. Are we legal?



 Does it work?

  • cross browser compatibility checks
  • cross device compatibility checks
  • content check, purge lorem ipsum and dummy content
  • dns propertly configured, e.g. alternatives http://blah.com


 Is it secure?


  • login forms, admin areas, sensitive information protected by SSL?
  • Input validation; form fields, file uploads
  • Output validation; sanitise output to prevent XSS attacks
  • Strong passwords for admin and services accounts
  • Developer and Test accounts deleted
  • Strong security policy applied to OS (e.g. least privileges)
  • Strong security policy applied to external service configurations (eg Apache)
  • OS and services Package updates applied (e.g. yum update or aptitude)

Is it reliable?

  • Web monitoring from remote locations
  • local service monitoring, eg nagios, monit
  • OS level metrics, such as munin to detect resource and capacity changes
  • Load and throughput performance profile for site before going live
  • Scaling strategy, caches, autodeploy
  • What are the hard bottlenecks? eg mysql
  • Understanding of tunable characteristics of platform

Are we legal?

  • Are all stock photos and content properly licensed?
  • Meet Data protection regulations
  • minimal accessibility requirements for government or non-profit projects
  • Are all developers and admins under suitable NDA for live data?


(this is not a comprehensive list, as now I have decided that I need something like an administrative category)