Things to check before releasing your web application

This post originally started out as a list of tips on how to break web applications but quickly morphed into a pre-release checklist.

So here are a couple of things to validate before you press the ‘go-live’ button on that wonderful web application of yours.

General

1. Does the application handle extremely large input? Try copying a Wikipedia page into an input field. Strings can be too long and overflow database models.
2. Does it handle boundary values properly? Try extremely large or small values; Infinity is a good one.
3. Do you have validation? Try submitting forms with no entry.
4. Do you validate mismatched value types? Try submitting strings where numbers are expected.
5. Has all web copy been proofread and spell-checked? Typos are bad for reputation.

Localization (L10n) and Internationalization (I18n)

1. Do you support Unicode? The Turkish i and German ß are two quick tests.
2. Do you support right-to-left languages? CssJanus is a great tool for flipping pages.
3. Time zones and daylight saving time changes.
4. Time formats: 12 and 24 hour clocks
5. Date formats: mm/dd/yyy vs dd/mm/yyyy
6. Currencies in different locales.

Connections

1. Does your web app work well on slow connections? You can use Chrome or Fiddler to simulate this.
2. What happens when abrupt network disconnections occur while using your web application?
3. Do you cut off expensive operations when the user navigates away or page is idle?

Usability + UX

1. Does the application work well across the major browsers you support (including mobile)?
2. Does the application look good at various resolution levels? Try resizing the window and see what happens.
3. Is your application learnable? Are actions and flows consistent through the application? For example, modal dialogs should have the same layout regardless of the action triggering them.
4. Do you have your own custom 404 page?
5. Do you support print?
6. Do error messages provide enough guidance to users?
7. Does your application degrade gracefully when JavaScript is disabled?
8. Are all links valid?

Security

1. Do you validate all input?
2. Are all assets secured and locked down?
3. Do you grant least permissions for actions?
4. Ensure error messages do not reveal sensitive server information.
5. Have you stripped response headers of infrastructure-revealing information? E.g. server type, version etc.
6. Do you have the latest patches installed on your servers and have a plan for regular updates?
7. Do you have a Business Continuity / Disaster Response (BCDR) plan in place?
8. Are you protected against the Owasp Top Ten?
9. Do you have throttling and rate limiting mechanisms?
10. Do you have a way to quickly rotate secrets?
11. Have you scanned your code to ensure no valuable information is being released?

Code

1. Did you lint your CSS and JS (see JSLint, JSHint, TSLint)?
2. Have all assets (JavaScript, CSS etc) been minified, obfuscated and bundled?
3. Do you have unit, integration and functional tests?

Performance

1. Have you run Google’s Page Speed and Yahoo’s YSlow to identify issues?
2. Are images optimized? Are you using sprites?
3. Do you use a CDN for your static assets?
4. Do you have a favicon? Helps to prevent unwanted 404s since browsers auto-request for them.
5. Are you gzipping content?
6. Do you have stylesheets at the top and JavaScript at the bottom?
7. Have you considered moving to HTTP2?

Release Pipeline

1. Do you have test and staging environments?
2. Do you have automated release pipelines?
3. Can you roll back changes?

Others

1. Do you have a way to track errors and monitor this with logging?
2. Do you have a plan to handle customer reported issues?
3. Have you met all legal and compliance requirements for your domain?
4. Have you handled SEO requirements?

Conclusion

These are just a few off of my head – feel free to suggest things I missed out. I should probably consider transferring these to a Github repo or something for easier usage.