Evaluating the Quality of a Web Application

What follows is the high-level version of a checklist that we run through before delivering projects to clients. It can be used as a basis for assessing the quality of a Website or Web application before accepting delivery, or incorporated into requests for proposals (RFPs) and software contracts as acceptance criteria. Contact us if you need the low-level version of this checklist template.

Checklist for Frontend

  1. Is browser back button working everywhere?
  2. Is Website able to function, in some fashion, with JavaScript disabled?
  3. Is HTML markup valid according to W3C Markup Validation Service?
  4. Is CSS valid according to W3C CSS Validation Service?
  5. Are there broken links according to W3C Link Checker?
  6. Are there warnings or errors in browser console?
  7. Is JavaScript code free of errors and potential problems according to JSLint or JSHint?
  8. Are there unit tests for JavaScript code?
  9. Are there any accessibility problems according to Web Accessibility Evaluation Tool?
  10. Is Website relying on third-party components hosted somewhere else (fonts, JavaScript, etc.)?
  11. Are Website pages loading fast enough according to PageSpeed Insights?
  12. Is Website content free of spelling errors?
  13. Is Website tested in every supported browser and device?

Checklist for Backend

  1. Are all errors and warnings logged and notifications sent?
  2. Are there errors in Web server access logs (404, 500, etc.)?
  3. Are cross-site request forgery exploits prevented?
  4. Are cross-site scripting exploits prevented?
  5. Are SQL injection attacks prevented?
  6. Are there Website components (programming language, database, Web server, operating system, etc.) that reach their end-of-life in two years or less?
  7. Are there unit tests with reasonable code coverage?
  8. Are there provisions for database change management (migrations)?
  9. Are applicable PCI DSS requirements met?
  10. Can Website produce reports in CSV format?
  11. Does Website expose a RESTful API for other applications to integrate with it?
  12. Can a non-technical operator easily change any wording on the Website? In how many steps?

Checklist for Deployment

  1. Are Website availability and integrity remotely monitored?
  2. Can Website be put into an offline mode during maintenance?
  3. Is Website code maintained in a revision control system such as Git?
  4. Is there a testing/staging server to test the Website before release? Is access to it password-protected?
  5. Is semantic versioning used for release process? https://semver.org/
  6. Is there a change log documenting releases? http://keepachangelog.com/en/1.0.0/
  7. Are hosting server, Web server, database, and Website all properly secured?
  8. Are applicable PCI DSS requirements met? https://www.pcisecuritystandards.org/
  9. Does Website allow non-secure (http://) access to pages that receive or display user's information?