checklists

Website Testing Checklist.

Web Testing A comprehensive pre-launch and regression checklist covering navigation, forms, responsive layout, cross-browser compatibility, accessibility, performance, SEO, and error handling for public-facing websites.

sections

items

2–3 hours

time

QA engineersAutomation engineersDevelopersSDETs

When to use this checklist

Before a new feature or page ships to production
As part of a release regression pass
After a significant redesign or CMS platform migration
When onboarding a new QA engineer who needs a structured starting point
For a post-deployment smoke check on a live environment

This checklist walks through every layer of a public website: navigation and linking, form submission flows, responsive layout across breakpoints, cross-browser rendering, WCAG accessibility basics, Core Web Vitals and performance fundamentals, SEO metadata, error state handling, and analytics event firing. It's structured so you can run it sequentially on any page or subset of pages, and most items are automatable with Cypress or Playwright.

0/46

Navigation & Internal Linking

0/7

Verify the site structure is traversable and that every link resolves to the correct destination.

All primary nav links resolve to the correct pageCriticalfunctionalauto
Click every item in the top navigation bar and confirm the URL and page heading match the expected destination. Include any dropdown sub-items.
Active nav item is visually highlighted on the current pageMediumusabilityauto
The nav link corresponding to the current page should carry its active/selected visual style. Check at least 3 different pages.
Mobile menu opens and closes correctly and all links are reachableHighfunctionalauto
At 375px viewport width, confirm the hamburger icon is visible, tapping it reveals all nav items, and tapping a link both navigates and closes the menu.
Breadcrumbs reflect the correct hierarchy and each crumb is a working linkMediumfunctionalauto
On pages with breadcrumbs, confirm each ancestor segment links to the correct parent URL. The last segment (current page) should not be a link.
No internal links return 404 or 5xxCriticalnegativeauto
Crawl all internal hrefs on the page and assert every request returns a 2xx or 3xx status code. Include footer and sidebar links.
External links open in a new tab with rel="noopener noreferrer"Highsecurityauto
Any anchor pointing to a different origin should have target='_blank' and the rel attribute should include both 'noopener' and 'noreferrer' to prevent tab-napping.
A skip-to-main-content link is present and functional for keyboard usersHighaccessibility
Tab to the very first focusable element on the page. A 'Skip to main content' link should appear and, when activated, move focus to the main landmark.

Forms & User Input

0/8

Validate that forms accept valid data correctly, reject invalid data gracefully, and provide clear feedback at every step.

Submitting a form with all valid data completes successfully and shows a confirmationCriticalfunctionalauto
Fill all required fields with valid data, submit, and assert the success state (confirmation message, redirect, or new page). Verify the submitted data actually persists or triggers the expected downstream action.
Submitting with empty required fields shows an inline error per fieldCriticalnegativeauto
Leave all required fields blank and submit. Each required field should display a visible error message adjacent to it, not only a generic banner. The form should not submit.
Email field rejects malformed addresses and accepts edge-case valid onesHighedge-caseauto
Test: 'plainaddress', 'missing@domain', 'valid@sub.domain.com', 'user+tag@example.org'. The first two should fail; the last two should pass. Confirm error messages are specific ('Enter a valid email address').
Input fields do not reflect unsanitised script tags in the pageCriticalsecurityauto
Enter '<script>alert(1)</script>' into text fields and submit. The string should be escaped and displayed as literal text, not executed. Check both success and error states.
Submitting the form twice does not create duplicate recordsHighedge-caseauto
Submit a form, then immediately click submit again (or hit Enter twice rapidly). Confirm the server-side action fires only once. The submit button should be disabled after the first click.
Browser autofill populates fields correctly without breaking validationMediumusability
Trigger browser autofill on a multi-field form (name, email, address) and verify all fields populate, field-level validation does not fire prematurely, and submission succeeds.
Every form field has an associated <label> element or aria-labelHighaccessibilityauto
Inspect the DOM for each input/select/textarea: it must be linked to a <label via 'for'/'id' pairing, or carry aria-label / aria-labelledby. Placeholder text alone does not count as a label.
Long inputs are truncated or rejected with a clear messageMediumedge-caseauto
Paste 10,000 characters into each text field. The UI should either enforce maxlength (field stops accepting input) or the server rejects with a user-friendly error — not a 500 or silent data corruption.

Responsive Layout & Breakpoints

0/5

Confirm the layout renders correctly and content is readable across mobile, tablet, and desktop viewports.

Content is fully readable and no horizontal scroll at 375px widthCriticalfunctionalauto
Set viewport to 375×812 (iPhone SE / most narrow baseline). No element should overflow causing horizontal scroll. Text should not overflow its container. Tap targets should be at least 44×44px.
Layout transitions gracefully at the 768px tablet breakpointHighfunctionalauto
Resize from 767px to 769px. Multi-column grids should shift to the expected column count. Nav, hero, and card layouts should reflow without overlapping elements or invisible text.
Images scale proportionally and do not overflow their containers at any breakpointHighfunctionalauto
Check hero images, card thumbnails, and inline images at 375px, 768px, and 1440px. Images should not exceed their container width or distort (check aspect-ratio CSS).
Interactive elements (buttons, links) meet minimum 44×44px tap target size on mobileHighaccessibility
On a 375px viewport, inspect the computed bounding box of buttons and links. Each should be at least 44×44px to avoid mis-taps. Pay special attention to icon-only buttons.
Page is usable when browser text size is increased to 200%Mediumaccessibility
In browser settings, increase font size to 200%. Text should reflow rather than overflow fixed containers. No text should become invisible or overlap interactive controls.

Cross-Browser Compatibility

0/4

Verify the site renders and functions correctly in the browsers your users actually use.

All critical flows pass in the latest stable ChromeCriticalcompatibilityauto
Run the full happy-path: load, navigate, fill a form, submit. Assert no console errors related to your own JS (third-party noise is acceptable).
All critical flows pass in the latest stable FirefoxHighcompatibilityauto
Same happy-path as Chrome. Firefox renders fonts, flexbox gaps, and CSS grid gutters slightly differently — pay attention to spacing and typography.
All critical flows pass in Safari (or Playwright WebKit)Highcompatibilityauto
Safari/WebKit has distinct handling of date inputs, CSS :focus-visible, and input type='file'. Test these specifically if the site uses them.
Core content is accessible when JavaScript is disabledMediumfunctional
Disable JS in browser settings and load the page. Navigation links, body text, and images should render. If the site is fully client-rendered, a meaningful fallback or 'requires JavaScript' notice should appear.

Accessibility Basics

0/6

Catch the most impactful accessibility failures using automated scanning and targeted manual checks.

Axe-core (or equivalent) reports zero critical and serious violations on every pageCriticalaccessibilityauto
Run axe-core in your Cypress/Playwright suite on each unique page template. Critical violations (e.g. missing alt text, invalid ARIA roles) must be zero before release.
All interactive elements are reachable and operable via keyboard aloneCriticalaccessibility
Tab through the entire page without touching the mouse. Every button, link, input, and modal must receive visible focus and be activatable with Enter/Space. No focus traps outside of open modals.
Text meets WCAG AA contrast ratio (4.5:1 for normal text, 3:1 for large text)Highaccessibilityauto
Use Lighthouse or the axe browser extension to check contrast on body text, placeholder text, and disabled states. Pay particular attention to light-grey text on white backgrounds.
All informational images have descriptive alt text; decorative images have alt=""Highaccessibilityauto
Inspect every <img> tag. Content images must have alt text that describes the content or function. Purely decorative images must carry alt='' so screen readers skip them.
Focus indicator is visible on all interactive elements (not hidden by outline: none)Highaccessibility
Tab through all interactive elements and verify a visible focus ring or equivalent. Custom focus styles are fine; invisible focus is not. Test in Chrome and Firefox as they render default outlines differently.
Heading levels are hierarchical (h1 → h2 → h3) with exactly one h1 per pageMediumaccessibilityauto
Use the axe extension or browser DevTools to inspect heading structure. Skipping from h2 to h4, or having two h1 elements on one page, disrupts screen reader navigation.

Performance Basics

0/4

Verify the page loads fast enough to retain users and meet Core Web Vitals thresholds.

Largest Contentful Paint (LCP) is under 2.5 seconds on a simulated mobile connectionHighperformanceauto
Run Lighthouse with a 4G throttled profile. LCP > 4s is a red flag. Typical culprits: unoptimised hero images, render-blocking CSS, or a slow API call blocking the critical path.
Cumulative Layout Shift (CLS) score is below 0.1Highperformanceauto
Load the page and scroll without interacting. Elements should not jump as fonts load, images without explicit dimensions render, or ads inject. Run Lighthouse or use the CLS overlay in Chrome DevTools.
Images are served in a modern format (WebP/AVIF) with explicit width and height attributesMediumperformance
Open the Network tab and filter by Img. No image should be served as a large uncompressed JPEG or PNG where a WebP/AVIF equivalent exists. All <img> tags should carry explicit width and height to prevent CLS.
No synchronous scripts in <head> block first contentful paintMediumperformanceauto
Inspect the page source and Lighthouse 'Eliminate render-blocking resources' audit. Third-party scripts (analytics, chat widgets) should load with defer or async.

SEO & Metadata

0/5

Ensure search engines can discover, understand, and index each page correctly.

Every page has a unique <title> tag between 50–60 charactersHighfunctionalauto
Load each page and check document.title in the console. Titles should be unique across pages, descriptive, and under 60 characters to avoid truncation in SERPs.
Every page has a unique meta description between 120–160 charactersHighfunctionalauto
Check <meta name='description'> on each page. Missing or duplicate descriptions result in Google generating its own, often less accurate, snippet.
Canonical URL tag is present and points to the preferred version of the pageHighfunctionalauto
Check <link rel='canonical'>. It should point to the https, non-www (or www, whichever is preferred) version of the current URL. Verify it's not self-referential with the wrong protocol.
Open Graph tags are present for social sharing (og:title, og:image, og:description)Mediumfunctionalauto
Validate via the Meta Sharing Debugger or by reading the <head>. og:image should be at least 1200×630px. og:title and og:description may differ from the <title> and meta description.
robots.txt does not block pages that should be indexedCriticalnegativeauto
Fetch /robots.txt and check that production pages are not accidentally disallowed. A common mistake after a site migration is deploying the staging robots.txt (Disallow: /) to production.

Error Handling & Edge States

0/4

Verify that error conditions surface user-friendly messages rather than raw stack traces or blank screens.

Navigating to a non-existent URL serves a custom 404 page with navigation optionsHighnegativeauto
Visit /this-page-does-not-exist-xyz. The server should return HTTP 404 (not 200 with a soft 404 body). The page should offer links back to the homepage and main sections.
Server errors show a custom 500 page, not a raw stack traceHighnegative
If you can trigger a server error in a test environment, verify the response is a human-friendly error page. Stack traces, SQL errors, and framework error dumps must never appear in production.
The page degrades gracefully when an API call fails mid-renderHighnegativeauto
Use Cypress cy.intercept() or Playwright page.route() to return a 500 for a key API call. The page should display an error state or fallback content — not a blank div or a JavaScript exception in the console.
Expired session redirects to login with the originally requested URL preservedHighedge-caseauto
Log in, expire the session (clear the cookie), then navigate to a protected route. Expect a redirect to /login?returnTo=<original-path> — not a generic login page that drops the user's intended destination.

Analytics & Tracking

0/3

Confirm that analytics events fire correctly so data-driven decisions are based on accurate data.

A pageview event fires on every page load with the correct page URLHighfunctionalauto
Use the Google Tag Manager preview pane or browser Network tab (filter by 'collect' or your analytics endpoint). Each navigation should fire exactly one pageview with the current URL — not the previous page's URL or undefined.
Primary CTA button click events fire with the correct event name and propertiesMediumfunctionalauto
Click the main call-to-action on each key page and verify the analytics event in the Network tab or Tag Manager debug view. Check event name, category, and any custom dimensions (e.g. button_text, page_section).
No personally identifiable information (PII) is sent in analytics payloadsCriticalsecurity
Inspect analytics network requests during form interactions. Email addresses, phone numbers, and full names should not appear in event payloads, URL parameters, or custom dimensions.

Common Bugs

Soft 404s returning HTTP 200

The 'Page Not Found' page is served with a 200 status code instead of 404. Search engines index it as a real page, polluting the site map and confusing crawlers. Always check the actual response status, not just the rendered content.

Production robots.txt inherited from staging (Disallow: /)

A deployment pipeline copies the staging robots.txt — which blocks all crawlers — to production. The site becomes invisible to search engines within days. Always assert robots.txt content in a post-deploy smoke test.

Mobile nav links unreachable because the hamburger z-index is lower than a sticky header

On mobile the expanded nav menu opens behind a sticky header or cookie banner, making links impossible to tap. Manifests in browsers with smaller viewport heights (e.g. iPhone SE).

Form resubmission on browser back/refresh creates duplicate records

After a successful POST, the page URL is still the form endpoint. Refreshing re-submits the same form data, creating duplicate orders, sign-ups, or support tickets. Fix: redirect to a confirmation URL (PRG pattern) after successful submission.

CLS spike caused by images without explicit dimensions

Images without width/height attributes cause layout shifts as they load, pushing content down. This tanks the CLS score and is particularly bad on slow mobile connections. Easily reproducible by throttling to Slow 4G in Chrome DevTools.

External links missing rel="noopener" enable tab-napping

Links with target='_blank' but no rel='noopener' allow the opened page to access the opener via window.opener and redirect it to a phishing page. Caught by automated security linters but frequently missed in manually-authored content.

Recommended Tools

Playwright

Cross-browser automation across Chromium, Firefox, and WebKit in a single suite. Built-in accessibility helpers and network interception.

Cypress

Excellent developer experience for Chrome-based E2E and component testing. cy.intercept() makes error-state testing straightforward.

Lighthouse

Google's built-in auditor for performance (LCP, CLS, FID), SEO metadata, and accessibility. Run it in CI with the Node CLI.

axe-core

The industry-standard accessibility rules engine. Integrates with Cypress (@axe-core/cypress) and Playwright (axe-playwright) to catch WCAG violations in CI.

Pa11y

CLI accessibility scanner that runs axe and HTML_CodeSniffer rules. Useful for scanning a sitemap of URLs in CI without writing per-page test code.