Embed this checklist
Want to use this checklist on your blog or magazine? Use the following code to embed it:

Template: Web Application Checklist

This is a checklist which you can use to check web applications. Since web applications are naturally very diverse, the template is kept rather generic. You will probably want to add more items that fit your project.

The screenshots included are meant as a sample for how a extensively described item can look like. You can delete them and/or replace them with your own screenshots.

As always: We're happy about suggestions. Contact us!

Notice: Your checks will not be saved. Please log in or sign up to permanently manage this checklist.
Home page accessible?

Test if the home page loads as expected. It loads correctly if:

  • the expected content is loaded
  • no error messages are displayed
  • HTTP status code 200 is returned

Compare with the following screenshot to be sure:

Contact form

Check if contact form is reachable, insists on all required fields and delivers the messages.

Validate reachability

The contact form page should look like this:

Validate required fields

If no email address is entered, the form should not be transmitted. Try to submit the form without an email address and make sure that the result looks like this:

Validate confirmation message

Correctly enter all fields and submit the form. A confirmation message should appear:

Validate delivery

Make sure that the message you just submitted does indeed reach the recipient.

Log in

Verify that users can log in with correct credentials and cannot login without them.

1. Verify that login is not possible without the correct credentials

Enter a valid user name, but an invalid password. Login should be denied and an error message should display.

Important: For security reasons, the error message must not give any hint if the account which you just tried to log in for does actually exist.

Here's how the error should look like:

2. Verify that login with correct credentials is possible

Enter correct login credentials. No error message should appear and you should be redirected to the index page.

Log out

Verify that users can log out.

Make sure that they are really logged out after using the log out button. Try to access a protected ressource and see if it is not accessible anymore.

HTML valid?
Is the HTML code valid? Use a validator like the W3C Markup Validation Service to be sure.
CSS valid?
Is the CSS code valid? Use a validtor like the W3C CSS Validation Service to be sure.
Automated tests succeeded?
Have all automated tests (unit tests, Selenium, etc) been run? Did they run without showing any errors?

Does a robots.txt exist and does it have the desired rules? Use a tool like Google Webmaster Tools to verify that no URLs have been accidentally blocked.
Website accessible with and without 'www.'?
No matter if you decided to use your primary domain with or without a preceding 'www.', both versions will be expected to work by your users. Make sure that one redirects to the other.

JavaScript valid?
Is the JavaScript code valid? Use a validator like JSLint.
Print view
Make sure that the website does look all right when printed.

SSL certificate still valid and not in risk of expiring?

If your site uses SSL, make sure that the certificate is still valid and does not provoke a browser warning. Also check that the certificate is not about to expire.

1. Check current state

If the certificate is valid, the browser should display a secured connection similar to this:

Under no circumstances, users should see a warning like this one:

2. Check expiration time

Make sure that the certificate will not expire soon. Users will receive warnings as soon as it is expired, so you should update it well before that time.

Here's how to check when the certificate will expire in Firefox:

  1.  Click on the lock symbol in the address bar:
  2. Click on 'More Information...':
  3. Click on 'View Certificate':
  4. Check the date under 'Expires On':

If the expiration date is less than two months in the future, you should update the certificate.