
Web Developer Checklist - grantpalin
http://webdevchecklist.com/
======
eranation
Liked the favicon part, very often forgotten...

Would be nice if this was open sourced so more items could have been added by
the community (also framework specific checklists) but I like the concept

One thing I would add which is driving me crazy on mobile / tablet sign up
pages

    
    
      - make sure your email fields are annotated with type="email"
    

Another common issue is with SSL mixed content waring, so I would also add

    
    
      - make sure to use protocol relative / https only URLs 
    

(with a reminder to NOT use protocol relative URLs in email templates, your
outlook users will appreciate it)

~~~
loosepackets
> Would be nice if this was open sourced so more items could have been added
> by the community

<https://github.com/ligershark/webdevchecklist.com>

~~~
BCM43
It is open source, but I can't seem to find a license on that page, so it may
not be free software. I would be reluctant to modify and redistribute copies
of it.

~~~
madskristensen
An Apache 2.0 license has just been added

------
tokenadult
I see that Jakob Nielsen's venerable "Top 10 Mistakes in Web Design" checklist

<http://www.nngroup.com/articles/top-10-mistakes-web-design/>

just got new styling the other day, as I work on updating my seventeen-year-
old personal website.

There are still a LOT of websites that make several of those top ten mistakes.
They are higher priority than many of the other issues mentioned on the
checklist kindly submitted here. As other comments here have pointed out, it's
desirable in a checklist to establish priorities.

~~~
halfninety
Nice list, but I think it can be condensed into one:

Use your own site and make sure you don't hate it yourself.

~~~
onlyup
Simple but effective advice.

------
bwblabs
A no-www domain might not be the best solution if you ever want a 'Cookie-free
Domain' (static.) for images etc. which speeds up your site. If you start with
a no-www domain you have to setup a different domain (no subdomain) for it:
like sstatic.net for SO, ytimg.com for YT and yimg.com for Yahoo.

 _When the browser makes a request for a static image and sends cookies
together with the request, the server doesn't have any use for those cookies.
So they only create network traffic for no good reason. You should make sure
static components are requested with cookie-free requests. Create a subdomain
and host all your static components there._

 _If your domain is www.example.org, you can host your static components on
static.example.org. However, if you've already set cookies on the top-level
domain example.org as opposed to www.example.org, then all the requests to
static.example.org will include those cookies. In this case, you can buy a
whole new domain, host your static components there, and keep this domain
cookie-free._

[http://developer.yahoo.com/performance/rules.html#cookie_fre...](http://developer.yahoo.com/performance/rules.html#cookie_free)

~~~
retube
I never considered this before. A great tip, thanks

~~~
ZoFreX
Bear in mind that making sure requests for static content don't send cookies
is pretty far down the front-end optimisation ladder - there are normally a
lot of things you can do first that are quicker, easier, and have a bigger
impact.

~~~
bwblabs
Well another thing is that it's easier to setup GEO-ip stuff in a CNAME (so
www) instead of the root A records, for now at least in PowerDNS (used by
Wikipedia etc.). You're completely right, but if your sites ever scales to
something big you're not in the best position with a no-www, in my view having
a www record (and no-www redirect) has more benefits that a no-www.

------
vasco
Interestingly enough this website doesn't have:

1) Custom 404 page

2) robots.txt

3) PICS label

4) viewport meta-tag

5) Google Rich Snippets

6) Fails the recommended CSS validator

~~~
thehodge
It has the top items now..

~~~
rabz
Does it? I typed in <http://webdevchecklist.com/robots.txt> and it gave me a
bog-standard IIS 404 page, not a custom one.

~~~
debacle
At least it was nice enough to reveal a bunch of server information, right?

------
franze
sorry but that

    
    
       Remove 'www' subdomain
    

is just harmful. force 'www.' instead. why? shitty URL parsers, marketing
people and DDOS attacks, that's why.

let's imagine you write a

    
    
      - blog post
      - blog comment
      - press release (distributed via free and paid press release services)
      - mail
      - word
      - forum post
      - ...
      - ...
    

if you have a non-www URL it's a game of chance, your in text "whatever.tld"
domain will get transformed into a clickable link. yes, a lot of modern URL
parses will transform whatever.com into a clickable link, some will even
transform whatever.in into a useable link, but a lot of old, shitty, idiotic,
strange URL parsers won't. and well, a big part of the web, i would say most
of it, is not up to date. so using non WWW will lead to a loss of inlinks and
to a poor user experience of users who want to reach your site, but can't
click on the in-text-domain (they need to copy/paste instead)

and the situation will get worse with the new commercial TLDs to come.

yes, you can - in most cases - force a domain to link conversion in most CMS
if you write <http://> in front of it. but well, in a promo text most
marketing/pr people will not write "and <http://whatever.tld> has a new
feature to give people endless bliss" they will write "whatever.tld has a new
....".

oh, and by the way. whenever a journalist will write a piece about you, in
print or online, they will always (or at least in a lot of cases) write www in
front of your domain anyway. yeah, that's not an issue if you have redirects
in place, just annoying if you have an non-www webproperty.

plus

having a subdomain is another layer of defenses agains DDOS attacks. see this
discussion on hacker news from may 18 2011 (my birthday by the way)
<http://news.ycombinator.com/item?id=2575266>

go for www.

~~~
SquareWheel
And yet, I find no-www so much cleaner. With 301s it's generally not a
problem, and link parsers will look for the protocol anyway. I think the only
valid point is mitigating DDOS attacks, but I don't know enough about that
subject to comment.

~~~
franze
but in marketing, as in mails and comments, you or your loyal users do not
always write <http://> in front of your domain.

i consulted a sh-tload of companies on this question (and yes, i also think i
have better things to do), any company that chooses non-www URLs regrets it
down the road.

------
jiggy2011
Custom 404 page under usability? hmm.

I'm sure just about anyone who has used the web for any length of time has hit
the standard apache "Not found" page hundreds of times now and pretty much
knows what it means.

Custom 404 pages of often quite confusing as they will try to be clever and
redirect you to other content that may be interesting. Sometimes these aren't
clear and give the impression that the link was not broken and that this is
where the site designer intended you to go which leaves you looking around the
page for the content you thought you were going to get.

~~~
caseysoftware
I prefer the 404 pages that something to the effect of "Sorry, that is broken"
and then include the results of a site search of the keywords or friendly url
that was provided.

It's less confusing and keeps people on site.

~~~
rplnt
If you do this (which you should in my opinion), please return the 404 code.
For example Facebook used to return 200 on error. Very confusing.

~~~
caseysoftware
Absolutely, I assumed that was a given.

------
pdog
Would be nice to have this automatically generated for a given URL.

------
prodigal_erik
A document that bills itself as "The ultimate checklist for all serious web
developers" should not hide most of its content (via CSS) and require trusting
some unknown author's javascript to display it.

------
zxcdw
It's sad how "Security" there's only _one_ very generalizing item. "Implement
best practices". Right.

Is the author just ignorant, or am I a fool thinking that _if anything_ it
should be "Security" which has the most elaborate items?

~~~
Joeri
Security checklist:
[https://www.owasp.org/index.php/Category:OWASP_Application_S...](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)

Lowest level 1a has 22 things to verify, highest level 4 has 121 things to
verify. That's a lot of checkboxes.

------
Flimm
I would add one: Make sure your log-in form is uncomplicated so that browsers
can remember passwords correctly.

------
danso
So "SEO" has four different checkboxes but "Security" has just one: "Implement
best practices"

Uh...I think that can be broken down to at least two different things...

~~~
pestaa
The second being 'cross your fingers'...?

------
karolisd
What would be the best approach to automate this so I could put in a URL and
it detects as much as it can about the website?

~~~
jstanley
I was thinking about this a couple of days ago. The way I would do it is to
submit it individually to each of the checks (e.g. W3C validator) and scrape
the results. There may be APIs available for some, I've not looked into that.

------
kylelibra
Good stuff, I'll probably use this for clients who say, "What have you been
doing? It looks done to me!"

~~~
pestaa
This drives me nuts. On the surface there is very little difference between
`just functional' and `production ready'. And it's a hard sell if the client
is not aware of the benefits.

------
fduran
Another nice list: [http://www.boxuk.com/blog/the-ultimate-website-launch-
checkl...](http://www.boxuk.com/blog/the-ultimate-website-launch-checklist)

------
mikle
I have a sublist of that, that I built over the last ~year of hacking on web
projects. One of my biggest to dos in each project is automate stuff like
validating. I still haven't really found a good way so I either go to w3c and
check everything once in a while or I just don't. Usually I just don't.

This to me is like a checklist of things to automate. Is there any "build"
system for the web?

------
malachismith
Great start. Wish it were set up to be collaborative so we could suggest some
of the missing elements.

~~~
skakri
Perhaps you could fork it
(<https://github.com/ligershark/webdevchecklist.com>) and send a pull request.

------
javajosh
Solid functionality that I'll personally use. Good work.

------
steerpike
I did something similar - a checklist for prelaunch which you might find some
useful things to add to your list: <https://bitbucket.org/steerpike/checklist>

------
bencevans
Nice work, I use this at the moment <http://lite.launchlist.net/> as it has
more checks and well a prettier interface.

------
soitgoes
I'd add: check your SSL certificate installation using a tool like this:
<http://certlogik.com/ssl-checker/>

~~~
lost-theory
Cool, I haven't seen that one before. I also like this one:
<https://www.ssllabs.com/ssltest/>

------
jacalata
I built a public trello board from this list: not quite sure if that's the
best presentation (should it be one card for each heading?), but ideally
people would clone it to work on their own sites, and make contributions of
new cards/info for existing cards on the main board.
<https://trello.com/b/hkC4B6HA>

------
Achshar
What do people here think of no-www? I personally hate www and see no reason
to unnecessarily increase my url length by 4 characters.

~~~
franze
sorry, saw this too late, please see my comment above
<https://news.ycombinator.com/item?id=5025293>

------
zupa-hu
WoW I am building an automated tool right now for exactly that. It is in
private beta. Anyone interested in test riding it drop me a line!

<http://site-analytics.org/> The intro is already outdated, I'll make a new
one very soon.

------
codegeek
Thx for sharing. For a newbie in web dev (like me), it is a great resource.
Bookmarked.

------
jacobwyke
I have a template project in Basecamp that contains a similar kind of list of
tasks that I use to launch all projects.

Just have to create a new project with the template for each launch and then
work your way down.

------
mskierkowski
Is it time for feature requests? It'd be great to get integration with common
management tools (e.g. Github Issues, Trello), so that the list can
automatically be imported for a given milestone.

------
marknutter
And people say web development isn't difficult.

------
tiedemann
Really good for showing customers/bosses/coworkers why a site need those extra
hours of love after the proof-of-concept stage.

------
johnpowell
Security > Cross-site scripting > XSS cheat sheet link is broken. Funny
considering the first item in the checklist.

------
furyofantares
This is cool, I expect a lot of people could get use out of this. The security
section is kind of amusing, though.

------
ahallock
The spellcheck item didn't have a link. Any good spellchecker bots out there?

------
drinchev
You might want to link your href-s to new tab/window.

~~~
crymer11
No. That's what the back button, middle-click, or (cmd/ctrl/whatever it's
mapped as) + click are for.

~~~
strager
I prefer links away from 'apps' like this site to open in a new window or tab.
I'd like the app to preserve its state, not replace itself.

------
r0s
No clean URLs?

How about setting up automated backups?

~~~
fragsworth
Clean URLs aren't really necessary and can be difficult with some frameworks.

Automated backups also aren't necessary for all sites, particularly if the
entire site is in a source repository somewhere and doesn't have users.

~~~
r0s
Clean URLs are just as useful and visible as the favicon, or custom error
pages, or many other "unnecessary" features.

You need to backup production sites. A repo could do that, but it's just
another backup system that needs to be implemented and verified.

------
Yaggo
Nice list. Missing: HiDPI images.

------
alexanderclose
Big time bookmark. Thanks!

~~~
xer0x
+1 thanks for this!

