What things should a programmer implementing the technical details of a web application consider before making the site public? If Jeff Atwood can forget about HttpOnly cookies, sitemaps, and cross-site request forgeries all in the same site, what important thing could I be forgetting as well?
I'm thinking about this from a web developer's perspective, such that someone else is creating the actual design and content for the site. So while usability and content may be more important than the platform, you the programmer have little say in that. What you do need to worry about is that your implementation of the platform is stable, performs well, is secure, and meets any other business goals (like not cost too much, take too long to build, and rank as well with Google as the content supports).
Think of this from the perspective of a developer who's done some work for intranet-type applications in a fairly trusted environment, and is about to have his first shot at putting out a potentially popular site for the entire big bad world wide web.
Also, I'm looking for something more specific than just a vague "web standards" response. I mean, HTML, JavaScript, and CSS over HTTP are pretty much a given, especially when I've already specified that you're a professional web developer. So going beyond that, which standards? In what circumstances, and why? Provide a link to the standard's specification.
Best Answer
The idea here is that most of us should already know most of what is on this list. But there just might be one or two items you haven't really looked into before, don't fully understand, or maybe never even heard of.
Interface and User Experience
rel="nofollow" to user-generated links to avoid spam.
Security
rel="noopener noreferrer" on all user-provided links with target="_blank" to prevent JavaScript on the destination page from redirecting your page to somewhere else, such as a fake login page.
Performance
deflate is better).
Use CSS Image Sprites for small related images like toolbars (see the "minimize HTTP requests" point)
favicon.ico file in the root of the site, i.e. /favicon.ico. Browsers will automatically request it, even if the icon isn’t mentioned in the HTML at all. If you don’t have a /favicon.ico, this will result in a lot of 404s, draining your server’s bandwidth.
SEO (Search Engine Optimization)
example.com/pages/45-article-title instead of example.com/index.php?page=45
# for dynamic content change the # to #! and then on the server $_REQUEST["_escaped_fragment_"] is what googlebot uses instead of #!. In other words, ./#!page=1 becomes ./?_escaped_fragment_=page=1. Also, for users that may be using FF.b4 or Chromium, history.pushState({"foo":"bar"}, "About", "./?page=1"); is a great command. So even though the address bar has changed the page does not reload. This allows you to use ? instead of #! to keep dynamic content and also tell the server when you email the link that we are after this page, and the AJAX does not need to make another extra request.
/sitemap.xml.
<link rel="canonical" ... /> when you have multiple URLs that point to the same content, this issue can also be addressed from Google Webmaster Tools.
301 Moved Permanently) asking for www.example.com to example.com (or the other way round) to prevent splitting the Google ranking between both sites.
Technology
Bug fixing
Other
Lots of stuff omitted not necessarily because they're not useful answers, but because they're either too detailed, out of scope, or go a bit too far for someone looking to get an overview of the things they should know. Please feel free to edit this as well, I probably missed some stuff or made some mistakes.
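The two rel rules from the answer above (rel="nofollow" on user-generated links, rel="noopener noreferrer" on user-provided links with target="_blank"), shown as an added example that is not part of the original answer. The function names are hypothetical, and the restriction to http(s) URLs is an extra assumption of this example rather than an item from the answer.

```javascript
// Added example, not code from the original answer. All names are hypothetical.

// Escape text for use in HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the rel value: nofollow for every user-generated link, plus
// noopener noreferrer whenever the link opens in a new tab.
function relFor(newTab) {
  return newTab ? "nofollow noopener noreferrer" : "nofollow";
}

// Render one user-provided link. Returns escaped plain text (no anchor) when
// the URL does not parse or is not http(s); that scheme check is an
// assumption of this example, not something the answer lists.
function renderUserLink(href, text, newTab = true) {
  let url;
  try {
    url = new URL(String(href).trim());
  } catch (err) {
    return escapeHtml(text);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return escapeHtml(text);
  }
  const attrs = [`href="${escapeHtml(url.href)}"`, `rel="${relFor(newTab)}"`];
  if (newTab) attrs.push('target="_blank"');
  return `<a ${attrs.join(" ")}>${escapeHtml(text)}</a>`;
}

// Constructed sample input.
const samples = [
  ["https://example.com/pages/45-article-title", "an article", true],
  ["https://example.com/?a=1&b=2", "same tab", false],
  ["ftp://example.com/file", "not a web link", true],
];
for (const [href, text, newTab] of samples) {
  console.log(renderUserLink(href, text, newTab));
}
```

Building the anchor from data, rather than patching attributes into user-submitted markup, keeps the rel and target values under the server's control.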