Evaluating the Quality of a Web Application

What follows is the high-level version of a checklist that we run through before delivering projects to clients. It can be used as a basis for assessing the quality of a Website or Web application before accepting delivery, or be incorporated into requests for proposals (RFPs) and software contracts as acceptance criteria. Contact us if you need the low-level version of this checklist template.

Checklist for Frontend

  1. Is browser back button working everywhere?
  2. Is Website able to function, in some fashion, with JavaScript disabled?
  3. Is HTML markup valid according to W3C Markup Validation Service?
  4. Is CSS valid according to W3C CSS Validation Service?
  5. Are there broken links according to W3C Link Checker?
  6. Are there warnings or errors in browser console?
  7. Is JavaScript code free of errors and potential problems according to JSLint or JSHint?
  8. Are there unit tests for JavaScript code?
  9. Are there any accessibility problems according to Web Accessibility Evaluation Tool?
  10. Is Website relying on third-party components hosted somewhere else (fonts, JavaScript, etc.)?
  11. Are Website pages loading fast enough according to PageSpeed Insights?
  12. Is Website content free of spelling errors?
  13. Is Website tested in every supported browser and device?

Checklist for Backend

  1. Are all errors and warnings logged and notifications sent?
  2. Are there any errors in Web server access logs (404, 500, etc.)?
  3. Are there any errors in application logs (e.g. PHP errors, warnings, or notices)?
  4. Are there any database queries that take too long to execute, as captured in slow query log?
  5. Are there any errors in database tables, as reported by mysqlcheck?
  6. Are cross-site request forgery exploits prevented?
  7. Are cross-site scripting exploits prevented?
  8. Are SQL injection attacks prevented?
  9. Are there unit tests with reasonable code coverage?
  10. Are there provisions for database change management (migrations)?
  11. Are applicable PCI DSS requirements met?
  12. Can Website produce reports in CSV format?
  13. Does Website expose a RESTful API for other applications to integrate with it?
  14. Can a non-technical operator easily change any wording on the Website? In how many steps?

Checklist for Deployment

  1. Are there Website components (programming language, database, Web server, operating system, etc.) that reach their end-of-life in two years or less?
  2. Are Website availability and integrity remotely monitored?
  3. Can Website be put into an offline mode during maintenance?
  4. Is Website code maintained in a revision control system such as Git?
  5. Is Website's deployment-specific configuration information (paths, hostnames, error levels, log files, etc.) centralized in a single location/file?
  6. Can Website code be deployed from revision control system to production using a single command?
  7. Can code that is deployed to production be rolled back to an earlier state using a single command?
  8. Is there a QA/testing/staging server to test the Website before release? Is access to it password-protected? Is it configured to display all errors?
  9. Is semantic versioning used for release process?
  10. Is there a change log documenting releases?
  11. Are hosting server, Web server, database, and Website all properly secured?
  12. Are applicable PCI DSS requirements met?
  13. Does Website allow non-secure (http://) access to pages that receive or display user's information?