Q2 of 22 · Scenarios

How would you test a registration / sign-up form?

Scenarios · Junior · scenario · registration · form-validation · security · functional

Short answer

Clarify required fields, the email verification flow and duplicate-account handling, then cover the functional happy path, field validations, edge cases, security inputs and accessibility.

Detail

Clarify first

  • Which fields are required vs optional?
  • Is email verification mandatory before the account is active?
  • How are duplicate emails handled: an explicit error at submission, or a generic "check your email" response that does not reveal whether the address is already registered?
  • What are the password strength rules (length, complexity, prohibited patterns)?

Functional

  • All required fields filled with valid data → account created, confirmation email sent
  • Optional fields work correctly and are stored
  • Post-registration redirect lands on the right page (dashboard or "check your email")
  • Email verification link activates the account, cannot be used a second time, and expires after the configured period

Negative / error handling

  • Duplicate email → the response does not reveal that the address is already registered: same status code, same message and, ideally, the same response time as for a new address, with the existing owner notified by email instead (avoid enumeration)
  • Password below strength threshold → field-level validation message
  • Password confirmation mismatch → error on the confirmation field
  • Missing required fields → inline error on each missing field, form not submitted
  • XSS in name fields (<script>alert(1)</script>, plus an attribute-breaking variant such as " onmouseover=alert(1)) → stored, and rendered as literal text everywhere the name is displayed (profile page, admin user list, welcome email), never executed
  • SQL injection in email field (e.g. a@b.com' OR '1'='1, and the valid address o'brien@example.com, whose apostrophe must be accepted) → rejected by validation or handled through parameterized queries; no 500 response, stack trace or database error text surfaced, and no difference in response time
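
The duplicate-email and SQL-injection items above are easiest to judge by diffing responses rather than eyeballing them. The following is an added example, not code from the original page: it assumes the tester has captured registration responses as plain dicts (status, headers, body and a list of elapsed times over repeated submissions); the captures below are constructed for illustration.

```python
"""Response-diffing checks for the negative cases above: duplicate-email
enumeration and SQL-injection error leakage.

Added example, not code from the original page. It assumes the tester has
captured registration responses as plain dicts (status, headers, body and a
list of elapsed times over repeated submissions); the captures below are
constructed for illustration.
"""
import re
import statistics

# Only these headers are compared; Date, Set-Cookie and request ids differ legitimately.
COMPARED_HEADERS = ("content-type", "location")
# Single samples are noisy: compare medians of repeated runs against a tolerance.
TIMING_TOLERANCE_MS = 150

# Error text that indicates raw SQL reached the database (string concatenation, not parameters).
DB_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",  # MySQL / MariaDB
    r"SQLSTATE\[",                            # PHP PDO
    r"unterminated quoted string",            # PostgreSQL
    r"ORA-\d{5}",                             # Oracle
    r'near "\S*": syntax error',              # SQLite
    r"Unclosed quotation mark",               # SQL Server
]


def normalize_body(body: str) -> str:
    """Mask per-request tokens and whitespace so only meaningful text differences remain."""
    body = re.sub(r'name="csrf_token" value="[^"]*"', 'name="csrf_token" value="X"', body)
    return re.sub(r"\s+", " ", body).strip()


def compare_responses(fresh: dict, existing: dict) -> list:
    """Observable differences between registering a never-seen email and an existing one.

    Each difference is something an attacker can use to confirm an account exists;
    an empty list means the two cases are indistinguishable by these measures.
    """
    diffs = []
    if fresh["status"] != existing["status"]:
        diffs.append(f"status {fresh['status']} vs {existing['status']}")
    if normalize_body(fresh["body"]) != normalize_body(existing["body"]):
        diffs.append("body differs")
    fresh_headers = {k.lower(): v for k, v in fresh.get("headers", {}).items()}
    existing_headers = {k.lower(): v for k, v in existing.get("headers", {}).items()}
    for name in COMPARED_HEADERS:
        if fresh_headers.get(name) != existing_headers.get(name):
            diffs.append(f"header {name}: {fresh_headers.get(name)!r} vs {existing_headers.get(name)!r}")
    if fresh.get("timings_ms") and existing.get("timings_ms"):
        gap = abs(statistics.median(fresh["timings_ms"]) - statistics.median(existing["timings_ms"]))
        if gap > TIMING_TOLERANCE_MS:
            # Typical cause: the verification email is sent synchronously, and only for new addresses.
            diffs.append(f"median timing gap {gap:.0f} ms")
    return diffs


def db_error_signatures(body: str) -> list:
    """Database error fragments present in a response body (should be none)."""
    return [pattern for pattern in DB_ERROR_SIGNATURES if re.search(pattern, body)]


# Constructed captures: a form that leaks, and one that does not.
LEAKY_FRESH = {"status": 200, "headers": {"Content-Type": "text/html"},
               "body": "<p>Check your inbox to verify your address.</p>",
               "timings_ms": [210, 220, 205, 215, 230]}
LEAKY_EXISTING = {"status": 409, "headers": {"Content-Type": "text/html"},
                  "body": "<p>Email already registered.</p>",
                  "timings_ms": [40, 35, 42, 38, 41]}
SAFE_FRESH = {"status": 200, "headers": {"Content-Type": "text/html"},
              "body": "<p>If this address is not already registered, a verification email is on its way.</p>",
              "timings_ms": [205, 215, 210, 208, 212]}
SAFE_EXISTING = {"status": 200, "headers": {"Content-Type": "text/html"},
                 "body": "<p>If this address is not already registered,\n a verification email is on its way.</p>",
                 "timings_ms": [200, 218, 212, 209, 214]}
# Constructed body from an unsafe build that concatenates the email into its query.
SQLI_RESPONSE_BODY = ("<h1>500 Internal Server Error</h1> PDOException: SQLSTATE[42000]: "
                      "You have an error in your SQL syntax near ''' at line 1")

if __name__ == "__main__":
    print("leaky:", compare_responses(LEAKY_FRESH, LEAKY_EXISTING))
    print("safe: ", compare_responses(SAFE_FRESH, SAFE_EXISTING))
    print("sqli: ", db_error_signatures(SQLI_RESPONSE_BODY))
```

Run the two registration attempts several times each (a fresh random address and a known existing one) and feed the captures in; the timing check in particular only means something over repeated runs, and the usual fix for a timing gap is to send the verification email asynchronously so both paths return at the same speed.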

Edge & boundary

  • Maximum field lengths for every input; one character over max
  • Special characters and Unicode in the name field (accented chars, emoji)
  • Already-logged-in user navigating to the registration page (redirect or allow?)
  • Double-click or rapid re-submission (duplicate account prevention)
  • Email with unusual but valid format (user+tag@sub.domain.com)

Security

  • Password never stored in plain text: query the users table and confirm the stored value is a salted, deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2 with a current work factor), not the plaintext and not a bare MD5/SHA digest; two accounts registered with the same password must have different stored values
  • CAPTCHA or bot-protection plus rate limiting (per IP and per email) on the public-facing form
  • No account enumeration via error messages or response differences ("email already registered", a different status code or redirect, or a noticeably faster response for existing addresses all leak existence)
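
The password-storage item is the one most candidates describe but rarely show how to check. The following is an added example, not code from the original page: it assumes the tester can read the stored password column in a test environment and knows the plaintexts used at registration. The reference record format it generates (pbkdf2_sha256$<iterations>$<salt>$<base64 digest>) is Django's; the sample rows are constructed.

```python
"""Checks for the 'password never stored in plain text' item.

Added example, not code from the original page. It assumes the tester can
read the stored password column in a test environment and knows the
plaintexts used at registration. The reference record format generated here
(pbkdf2_sha256$<iterations>$<salt>$<base64 digest>) is Django's; the sample
rows are constructed.
"""
import base64
import hashlib
import hmac
import os

# Self-describing prefixes of salted, deliberately slow password hashes.
SLOW_HASH_PREFIXES = (
    "$2a$", "$2b$", "$2y$",                    # bcrypt
    "$argon2i$", "$argon2d$", "$argon2id$",    # Argon2
    "$scrypt$", "scrypt$",                     # scrypt (passlib / Django)
    "pbkdf2_sha256$", "$pbkdf2-sha256$",       # PBKDF2 (Django / passlib)
    "$5$", "$6$",                              # sha256crypt / sha512crypt
)
MIN_PBKDF2_ITERATIONS = 600_000  # current OWASP floor for PBKDF2-HMAC-SHA256


def make_record(plaintext: str, iterations: int = MIN_PBKDF2_ITERATIONS) -> str:
    """What a correctly stored password looks like: random salt, slow KDF, self-describing."""
    salt = base64.b64encode(os.urandom(16)).decode()
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify_record(record: str, plaintext: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt, stored_digest = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(digest).decode(), stored_digest)


def classify_stored_password(stored: str, plaintext: str) -> str:
    """Classify one stored value given the plaintext that was registered."""
    if stored == plaintext:
        return "plaintext"
    for algo in ("md5", "sha1", "sha256", "sha512"):
        if stored.lower() == hashlib.new(algo, plaintext.encode()).hexdigest():
            return "unsalted-fast-hash"  # precomputed-table attacks apply
    if stored.startswith("pbkdf2_sha256$") and int(stored.split("$")[1]) < MIN_PBKDF2_ITERATIONS:
        return "weak-work-factor"
    if stored.startswith(SLOW_HASH_PREFIXES):
        return "salted-slow-hash"
    return "unknown"  # inspect manually: could be encrypted, encoded or a custom scheme


def same_password_distinct(rows: list) -> bool:
    """Two accounts registered with the same password must not share a stored value (salt check)."""
    seen = {}
    for stored, plaintext in rows:
        if stored in seen.setdefault(plaintext, set()):
            return False
        seen[plaintext].add(stored)
    return True


def audit(rows: dict) -> dict:
    """Verdict per user for a {user: (stored value, plaintext)} snapshot of the users table."""
    return {user: classify_stored_password(stored, plaintext) for user, (stored, plaintext) in rows.items()}


# Constructed users table: (stored value, plaintext used at registration).
SAMPLE_ROWS = {
    "alice": (make_record("Tr0ub4dor&3"), "Tr0ub4dor&3"),
    "bob": (make_record("Tr0ub4dor&3"), "Tr0ub4dor&3"),               # same password as alice
    "carol": (hashlib.sha256(b"correct horse").hexdigest(), "correct horse"),
    "dave": ("correct horse", "correct horse"),
    "erin": (make_record("battery staple", iterations=1000), "battery staple"),
}

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_ROWS).items():
        print(f"{user:6} {verdict}")
    print("same password, distinct stored values:", same_password_distinct(list(SAMPLE_ROWS.values())))
```

Register two accounts with the same password before pulling the rows: the salt check is the fastest way to catch an unsalted scheme even when the stored value is not recognisable as any known format.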

Accessibility

  • All fields have visible labels; placeholder text is not a substitute
  • Error messages announced by screen reader; tab order logical

Close: automate happy path, all field validations, XSS, and duplicate-email handling. Keep manual/exploratory for email delivery timing, verification link expiry UX, and bot-protection behavior.

// WHAT INTERVIEWERS LOOK FOR

Password hashing check (via DB query), XSS/SQL injection in form fields, account enumeration prevention, and email verification edge cases. These go beyond the surface-level 'required fields validated' answer.

// COMMON PITFALL

Focusing only on field validation and missing the security layer — stored XSS, account enumeration, and password hashing are the defects that matter most on a registration form.