Use this checklist 2 weeks before production launch. Ship nothing without checking all three categories. Happy path demo ≠ production ready.
Functionality & UX (15 items)
- [ ] All happy paths tested with real user workflows (not demo data)
- [ ] Edge cases tested: empty states, boundary values, invalid inputs
- [ ] Error messages are human-readable, not error codes
- [ ] Loading states show progress (spinner, percentage, ETA)
- [ ] Timeout handling: what happens if the API doesn't respond in 30 sec?
- [ ] Undo/rollback: can users reverse their actions? Which actions are irreversible?
- [ ] Mobile responsive tested at 375px, 768px, 1280px
- [ ] Keyboard navigation works (Tab, Enter, Escape)
- [ ] No console errors in DevTools
- [ ] Performance: page interactive < 2.5 sec, interactions < 100ms
- [ ] Forms autosave progress so data isn't lost on network failure
- [ ] Confirmation dialogs for destructive actions (delete, publish)
- [ ] All external links work and open in new tab (_blank)
- [ ] Copy/paste works (text selection, clipboard permission)
- [ ] Date/time inputs work across browsers (no custom date pickers with bugs)
Performance, Security & Scale (16 items)
- [ ] Load tested with realistic data volume (10x expected day-1 volume)
- [ ] Database queries optimized (no N+1 queries, indexes added)
- [ ] API rate limiting implemented (limits DDoS impact, accidental abuse)
- [ ] API responses are efficient (gzip, JSON not XML, pagination for large datasets)
- [ ] Sensitive data encrypted (passwords, tokens, PII in transit and at rest)
- [ ] No API secrets in code or client-side (use server-side env vars only)
- [ ] CORS headers locked down (only allow expected origins)
- [ ] SQL injection / XSS prevention audited (use parameterized queries for SQL; sanitize inputs and encode output for XSS)
- [ ] Authentication is required (no public endpoints that should be private)
- [ ] Authorization is correct (user A can't see user B's data)
- [ ] Logging captures: errors, suspicious activity, API latency
- [ ] Monitoring in place: alerts for 5xx errors, slow queries, high memory
- [ ] Rollback plan documented (what if this deploy breaks?)
- [ ] Database backups tested (can you restore from them?)
- [ ] Third-party dependencies checked for known vulnerabilities (npm audit)
- [ ] Privacy policy updated (what data do you collect? How long do you keep it?)
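
One way to verify the "CORS headers locked down" item before launch, as an added example that is not part of the original checklist: run a fixed set of look-alike origins through your origin check and confirm none are accepted. The allow-list, the probe origins and all function names are constructed for illustration.

```javascript
// Added example. Origins below are constructed; replace with your own allow-list.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak check often seen in practice: substring match on the Origin header.
function weakIsAllowed(origin) {
  return typeof origin === "string" && origin.includes("example.com");
}

// Hardened check: exact match on scheme + host + port, nothing else.
function isAllowedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Response headers for a request. Echo the origin only after it passed the
// exact-match check, and set Vary so caches do not reuse it across origins.
function corsHeaders(requestOrigin) {
  if (!isAllowedOrigin(requestOrigin)) return {}; // no CORS headers: browser blocks the read
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Origins that must never be accepted by the allow-list above.
const PROBES = [
  "https://app.example.com.attacker.test", // allowed host used as a prefix
  "https://attacker-example.com",          // allowed name as a substring
  "http://app.example.com",                // scheme downgrade
  "null",                                  // sandboxed iframe or file: origin
  "https://app.example.com:8443",          // unexpected port
];

// Returns the probes a policy function wrongly accepts; an empty list passes.
function auditPolicy(policy) {
  return PROBES.filter((origin) => policy(origin));
}

console.log("weak policy accepts:", auditPolicy(weakIsAllowed));
console.log("hardened policy accepts:", auditPolicy(isAllowedOrigin));
```
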
Accessibility & Trust (16 items)
- [ ] Color contrast ≥ 4.5:1 (WCAG AA minimum)
- [ ] All form inputs have associated labels (not just placeholders)
- [ ] Focus indicators visible (not outline: none without replacement)
- [ ] Screen reader tested: page structure logical, images have alt text
- [ ] No autoplay videos or sounds (user controls media)
- [ ] Reduced motion supported (animations disabled if prefers-reduced-motion)
- [ ] Font size adjustable (users can zoom, minimum 16px on mobile to prevent auto-zoom)
- [ ] No text as images (always use actual text + alt text for diagrams)
- [ ] AI confidence scores explained (not just "92%" but "92% — likely correct")
- [ ] Failure states designed: what happens when the AI is wrong or uncertain?
- [ ] Override mechanism clear (how do users say "AI, you're wrong"?)
- [ ] Data provenance shown (where did these inputs come from?)
- [ ] Bias awareness: does the AI make different decisions for different demographics?
- [ ] Edge cases designed: what if the user's data doesn't match the training data?
- [ ] Legal review done (especially if financial, medical, or decision-making product)
- [ ] Beta tester feedback incorporated (did anyone report confusion?)
If you can't check an item, you're not ready to ship. Unchecked items are debt. You'll pay for it in support tickets, churn, and regret.
Launch Ritual
One week before launch: run through this checklist with a fresh pair of eyes (not the builder). Have them use the product as a user would. Every item unchecked = one day delay. No exceptions.