> 9. Has a robots.txt<p>> You may have a lot of things you do not want the world to know about. (Eg user uploaded media). Use robots.txt to hide them from search engines.<p>That's not what a robots.txt file is for. It doesn't hide files, if anything it makes files that you don't want the world to know about easier to find.
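Added example, not part of the thread or the linked checklist: a small lint for your own robots.txt that reports which Disallow entries advertise a sensitive-looking location to anyone who fetches the file. The sample file and the keyword heuristics are constructed assumptions.

```python
import re

# Constructed sample: a robots.txt of the kind the quoted checklist item suggests.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /media/uploads/
Disallow: /admin/
Disallow: /backup/db-dump.sql
Disallow: /search
Allow: /media/public/

User-agent: ExampleBot
Disallow: /
"""

# Assumed heuristics (not from the thread) for paths that need access control,
# not a public listing in a world-readable file.
SENSITIVE_HINTS = re.compile(
    r"admin|backup|upload|private|internal|secret|\.sql|\.bak|\.zip", re.I)

def parse_robots(text):
    """Yield (user_agents, directive, path) for each Allow/Disallow rule."""
    agents, in_rules = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                       # a new group starts here
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            yield tuple(agents), field, value

def disclosed_paths(text):
    """Return Disallow paths that reveal a sensitive-looking location."""
    findings = []
    for _agents, directive, path in parse_robots(text):
        if directive != "disallow" or path in ("", "/"):
            continue                           # blanket rules reveal nothing
        if SENSITIVE_HINTS.search(path) and path not in findings:
            findings.append(path)
    return findings

if __name__ == "__main__":
    for path in disclosed_paths(SAMPLE_ROBOTS):
        print(f"robots.txt publicly lists {path}: require authentication instead")
```

Anything this reports should be protected by authentication or unguessable URLs; robots.txt only asks well-behaved crawlers not to index it.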
I feel like this is a checklist that makes you feel like you're accomplishing something (checking off items on the list) while never actually launching your website.<p>In a way, it gives you a bunch of excuses to put off your public launch - "I just need to fix some CSS bugs in Firefox 2" or "I just need to test the backup restore process one more time to make sure it works". Most of us aren't building bank software here, and if you're building anything consumer based (think Facebook), the advantage of having a site up and getting feedback on it over having all these things checked off is astronomical.
Hmm, 13 drawn-out items and none of them include a SQLi, XSS or CSRF audit? Odds are there are plenty. Once your db and CEO's sexting logs end up on pastebin you'll probably be thinking that the robots.txt was pretty minor.
<a href="https://docs.google.com/a/agiliq.com/spreadsheet/ccc?key=0Aqqb8SO5JnsvdFJFS3NTMXVzMkE4MGpkU0FQak9sZVE#gid=0" rel="nofollow">https://docs.google.com/a/agiliq.com/spreadsheet/ccc?key=0Aq...</a><p>A few folks have emailed me with some great apps to do these things. I am tracking these here, and will publish these.
Similar but more detailed & technical version:
<a href="http://programmers.stackexchange.com/questions/46716/what-should-a-developer-know-before-building-a-public-web-site" rel="nofollow">http://programmers.stackexchange.com/questions/46716/what-sh...</a><p>My abridged version of it:
<a href="https://docs.google.com/document/d/1jJGUFN6CxQUXQX49mRsJYv1HfF5tSUDgLH4MTt2t7ac/edit?hl=en_US" rel="nofollow">https://docs.google.com/document/d/1jJGUFN6CxQUXQX49mRsJYv1H...</a>
I know the text says "... or equivalent software," but is there any great advantage between using Google Analytics or a hosted component on your own server?
I feel it's impolite to subject your users to being tracked by Google and other huge companies just because they visited your website.
Is there at least any tracking service that respects Mozilla's DNT[1]?<p>[1]: <a href="http://dnt.mozilla.org/" rel="nofollow">http://dnt.mozilla.org/</a>
Pingdom stores passwords in plaintext: <a href="http://news.ycombinator.com/item?id=2865206" rel="nofollow">http://news.ycombinator.com/item?id=2865206</a>
Sending an email on an error might be a bad idea. We had this set up on a server that powers an API (along with our main site). During a network problem in the data center where the server could not get to the MySQL, we had about 10,000 requests on the server = 10,000 emails = the Outlook guys having to reboot the Exchange server because of some odd interaction with their spam filtering appliance.
Wow, top of hackernews, never expected this. :)<p>Here is the spreadsheet I was using to think through this post.<p><a href="https://spreadsheets.google.com/spreadsheet/ccc?key=0Aqqb8SO5JnsvdHRrN3ZsTjBUMDRWV0gtOHVkY2d4cVE&hl=en_US" rel="nofollow">https://spreadsheets.google.com/spreadsheet/ccc?key=0Aqqb8SO...</a><p>If you have something, add it here. I will do a follow-up post with additions, or update this post.