Evaluating the Quality of a Web Application
What follows is the high-level version of a checklist that we run through before delivering projects to clients. It can be used as a basis for assessing the quality of a Website or Web application before accepting delivery, or be incorporated into requests for proposals (RFPs) and software contracts as acceptance criteria. Contact us if you need the low-level version of this checklist template.
Checklist for Frontend
- Is browser back button working everywhere?
- Is HTML markup valid according to W3C Markup Validation Service?
- Is CSS valid according to W3C CSS Validation Service?
- Are there broken links according to W3C Link Checker?
- Are there warnings or errors in the browser console?
- Are there any accessibility problems according to Web Accessibility Evaluation Tool?
- Are Website pages loading fast enough according to PageSpeed Insights?
- Is Website content free of spelling errors?
- Is Website tested in every supported browser and device?
Checklist for Backend
- Are all errors and warnings logged and notifications sent?
- Are there errors in Web server access logs (404, 500, etc.)?
- Are cross-site request forgery exploits prevented?
- Are cross-site scripting exploits prevented?
- Are SQL injection attacks prevented?
- Are there Website components (programming language, database, Web server, operating system, etc.) that reach their end-of-life in two years or less?
- Are there unit tests with reasonable code coverage?
- Are there provisions for database change management (migrations)?
- Are applicable PCI DSS requirements met?
- Can Website produce reports in CSV format?
- Does Website expose a RESTful API for other applications to integrate with it?
- Can a non-technical operator easily change any wording on the Website? In how many steps?
Checklist for Deployment
- Is Website availability and integrity remotely monitored?
- Can Website be put into an offline mode during maintenance?
- Is Website code maintained in a revision control system such as Git?
- Is there a testing/staging server to test the Website before release? Is access to it password-protected?
- Is semantic versioning used for the release process? https://semver.org/
- Is there a change log documenting releases? http://keepachangelog.com/en/1.0.0/
- Are the hosting server, Web server, database, and Website all properly secured?
- Are applicable PCI DSS requirements met? https://www.pcisecuritystandards.org/
- Does Website allow non-secure (http://) access to pages that receive or display a user's information?
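The last deployment item can be turned into an automated acceptance check. The script below is an added example, not the checklist authors' code: it takes the status and headers captured from an http:// request to a page that handles user information and from the same path over https://, and returns the findings a reviewer would flag (the page served in clear, a redirect that does not land on https:// on the same host, or a missing or short-lived Strict-Transport-Security header). The 180-day HSTS minimum and the sample responses are assumptions.

```python
# Added example (not from the checklist's authors): an offline evaluation of the
# "non-secure (http://) access" item. It takes the status and headers captured from
# an http:// request and from the same path over https://, and returns the findings
# an acceptance reviewer would flag. Responses used for testing are constructed.
from urllib.parse import urlsplit

def _header(headers, name):
    """Case-insensitive header lookup; None if absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None if missing/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None

def check_https_enforcement(http_url, http_status, http_headers,
                            https_headers, min_hsts_age=15552000):
    """Return a list of findings; an empty list means the page passes the item."""
    findings = []
    host = urlsplit(http_url).hostname
    if http_status in (301, 302, 307, 308):
        location = _header(http_headers, "Location")
        target = urlsplit(location or "")
        if target.scheme != "https":
            findings.append(f"http:// redirect does not go to https: {location!r}")
        elif target.hostname != host:
            findings.append(f"http:// redirect leaves the site: {location!r}")
    else:
        # Any non-redirect answer (200, 403, ...) means the page is reachable in clear.
        findings.append(f"http:// served status {http_status} instead of a redirect")
    hsts = _header(https_headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("https:// response lacks Strict-Transport-Security")
    elif (_hsts_max_age(hsts) or 0) < min_hsts_age:
        # 15552000 s = 180 days; the minimum is an assumption of this example.
        findings.append(f"HSTS max-age below {min_hsts_age}s: {hsts!r}")
    return findings
```

Run it against the captured responses for every page that receives or displays user information; a non-empty result on any of them answers the checklist item with "yes".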