Site launch checklist

Launching a new website may seem as straightforward as pressing a deploy button or copying some files to a server, and in many cases the act of launching itself is just that. But, many steps will have taken place before the glossy deploy button is pressed.

I pride myself on delivering a premium service, and many of the points below may not be followed by free web builders or other developers and agencies.

Using a new, bespoke website being launched on a new server as an example, here's a typical checklist of the pre-launch process.

Server checklist

  • Buy a domain name
  • Buy some web hosting space
  • Buy an SSL[1] certificate
  • Configure and test the SSL certificate to ensure it's working. I use Qualys SSL Labs to ensure an A grade installation
  • Configure the hosting environment and ensure that product versions are not public (ServerTokens Prod for Apache, expose_php = off for PHP. Also make sure there's no X-Powered-By header)
  • Configure email server and inboxes if required

Software checklist

  • There must be a favicon in the site root regardless of where the location is in your HTML; some browsers and spiders still request it from the root by default
  • Ensure a homescreen icon is linked for the (probably rare) occurrences when a user saves your website to their mobile homescreen
  • Print stylesheet. Old fashioned, but still used
  • Check all page titles and descriptions
  • Open Graph (og) meta should be available
  • Run a link checker to test for broken links
  • Test the 404 (Page not found) page
  • Minify CSS and JavaScript files
  • Optimise your PNG images, I use TinyPNG
  • Optimise SVGs. I use SVGOMG
  • Add the iFrame denial header into your code (in PHP it's X-Frame-Options: deny)
  • Disable scripting error messages, add security, and redirect duplicate URLs via your .htaccess file[2]
  • Test the site renders correctly in IE11, Edge, Chrome, Firefox, and on Android and iPhone
  • Check site for legal compliance[3]
  • Validate every page with the W3C validator
  • Test page accessibility. I use Wave
  • Attain an AA score from GTmetrix


[1] Although still called an SSL certificate, servers now use TLS instead. The current recommendation is that all pages on all websites should be secure. You can generate SSL certificates for free, but I would recommend purchasing one if you're handling sensitive data.

[2] Here's some handy stuff to help secure and optimise your server

php_flag session.cookie_httponly on
php_flag register_globals off
php_flag magic_quotes_gpc off
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off
php_value docref_root 0
php_value docref_ext 0

# prevent loading in external iframe
Header always append X-Frame-Options SAMEORIGIN

# Set XSS Protection header
Header set X-XSS-Protection "1; mode=block"

Header set Connection keep-alive
FileETag none
AddDefaultCharset utf-8
Options +FollowSymLinks -Indexes

<FilesMatch "\.(php|css|js|html|svg)$">
Header append Vary: Accept-Encoding

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType	application/xml	"access plus 1 hour"
ExpiresByType	text/xml	"access plus 1 hour"

RewriteEngine On
RewriteBase /

# force secure
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# block scripts (common hacking attempts)
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{HTTP_USER_AGENT} python-requests [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ - [F,L]

# get rid of duplicate www version
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# force trailing slash
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ /$1/ [R=301,L]

# remove multiple slashes
RewriteCond %{THE_REQUEST} //
RewriteRule ^(.*)$ $0 [R=301,L,NE]


  • The Companies Act 2006 requires you to put your registered company address, place of registration, and number onto your website, invoices, letters, and emails.
  • The Data Protection Act 1998 requires you to make your data as secure as you can. Plaintext passwords would definitely be frowned upon if something happened to your data, for example.
  • The Privacy and Electronics Communications Regulations 2003 (PECR), often referred to as the cookie law, requires you to have a separate page that talks about which cookies you use. Although many sites use large banners and modals, a link in your footer is usually adequate. These regulations also require that your users give informed consent to your marketing.
  • The Equality Act 2010 requires you not to discriminate against users of your website with regards to their ability. This law is largely ignored either through ignorance or incompetence, but can and has lead to court cases and settlements.
  • The Consumer Contracts Regulations 2013, which replaced the distance selling regulations, define how you must describe and sell your products online.
  • The ASA advertising codes apply to the internet as well as other media. False or misinformed advertisements can attract rulings and penalties.