Webapp Checklist

Technical details that a programmer of a web application should consider before making the site public.
The idea here is that most of us should already know most of what is on this list. But there just might be one or two items you haven't really looked into before, don't fully understand, or maybe never even heard of.
Interface and User Experience
- Be aware that browsers implement standards inconsistently and make sure your site works reasonably well across all major browsers. At a minimum test against a recent Gecko engine (Firefox), a WebKit engine (Safari and some mobile browsers), Chrome, your supported IE browsers (take advantage of the Application Compatibility VPC Images), and Opera. Also consider how browsers render your site in different operating systems.
- Consider how people might use the site other than from the major browsers: cell phones, screen readers and search engines, for example. Some accessibility info: WAI and Section508. Mobile development: MobiForge.
- Staging: How to deploy updates without affecting your users. Have one or more test or staging environments available to implement changes to architecture, code or sweeping content and ensure that they can be deployed in a controlled way without breaking anything. Have an automated way of then deploying approved changes to the live site. This is most effectively implemented in conjunction with the use of a version control system (CVS, Subversion, etc.) and an automated build mechanism (Ant, NAnt, etc.).
- Don't display unfriendly errors directly to the user.
- Don't put users' email addresses in plain text as they will get spammed to death.
- Add the attribute rel="nofollow" to user-generated links to avoid spam.
- Build well-considered limits into your site - This also belongs under Security.
- Learn how to do progressive enhancement.
- Redirect after a POST if that POST was successful, to prevent a refresh from submitting again.
- Don't forget to take accessibility into account. It's always a good idea and in certain circumstances it's a legal requirement. WAI-ARIA and WCAG 2 are good resources in this area.
- Don't make me think
Security
- It's a lot to digest but the OWASP development guide covers Web Site security from top to bottom.
- Know about Injection, especially SQL injection, and how to prevent it.
- Never trust user input, nor anything else that comes in the request (which includes cookies and hidden form field values!).
- Hash passwords using salt and use different salts for your rows to prevent rainbow table attacks. Use a slow hashing algorithm, such as bcrypt (time tested) or scrypt (even stronger, but newer), for storing passwords (see How To Safely Store A Password). NIST also approves of PBKDF2 to hash passwords, and it's FIPS approved in .NET. Avoid using MD5 or SHA family directly.