What should a developer know before building a public web site?
The idea here is that most of us should already know most of what is on this list. But there just might be one or two items you haven't really looked into before, don't fully understand, or maybe never even heard of.
Interface and User Experience
- Be aware that browsers implement standards inconsistently and make sure your site works reasonably well across all major browsers. At a minimum test against a recent Gecko engine (Firefox), a WebKit engine (Safari, Chrome, and some mobile browsers), your supported IE browsers (take advantage of the Application Compatibility VPC Images), and Opera. Also consider how browsers render your site in different operating systems.
- Consider how people might use the site other than from the major browsers: cell phones, screen readers and search engines, for example. — Some accessibility info: WAI and Section508, Mobile development: MobiForge
- Staging: How to deploy updates without affecting your users. Ed Lucas's answer has some comments on this.
- Don't display unfriendly errors directly to the user
- Don't put users' email addresses in plain text as they will get spammed to death
- Build well-considered limits into your site - This also belongs under Security.
- Learn how to do progressive enhancement
- Always redirect after a POST.
- Don't forget to take accessibility into account. It's always a good idea and in certain circumstances it's a legal requirement. WAI-ARIA is a good resource in this area.
Security
- It's a lot to digest but the OWASP development guide covers Web Site security from top to bottom
- Know about SQL injection and how to prevent it
- Never trust user input (cookies are user input too!)
- Hash and salt passwords rather than storing them in plain text.
- Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.
- Know the rules for processing credit cards. (See this question as well)
- Use SSL/HTTPS for login and any pages where sensitive data is entered (like credit card info)
- How to resist session hijacking
- Avoid cross site scripting (XSS)
- Avoid cross site request forgeries (XSRF)
- Keep your system(s) up to date with the latest patches
- Make sure your database connection information is secured.
- Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.
- Read The Google Browser Security Handbook
- Read The Web Application Hackers Handbook
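
An added example (not part of the original list) that puts three of the items above side by side: user input spliced into SQL versus a parameterized query, and salted password hashing with a constant-time comparison. The table layout, function names, sample users and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: tune upward for your hardware

def make_db():
    # Constructed demo schema held in memory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    # Slow, salted key derivation instead of a bare hash or plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(db, name, password):
    salt = os.urandom(16)  # fresh random salt per user
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def find_user_unsafe(db, name):
    # Vulnerable on purpose: the input becomes part of the SQL text.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # Parameterized: the value travels separately from the SQL text.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def check_login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo():
    db = make_db()
    register(db, "alice", "correct horse")
    register(db, "bob", "hunter2")
    crafted = "nobody' OR '1'='1"  # constructed input, matches no real user
    return (len(find_user_unsafe(db, crafted)),   # every row comes back
            len(find_user_safe(db, crafted)),     # no row matches
            check_login(db, "alice", "correct horse"),
            check_login(db, "alice", "wrong"))

if __name__ == "__main__":
    print(demo())
```
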
Performance
- Implement caching if necessary, understand and use HTTP caching properly as well as HTML5 Manifest
- Optimize images - don't use a 20 KB image for a repeating background
- Learn how to gzip/deflate content (deflate is better)
- Combine/concatenate multiple stylesheets or multiple script files to reduce the number of browser connections and improve gzip's ability to compress duplications between files
- Take a look at the Yahoo Exceptional Performance site, lots of great guidelines including improving front-end performance and their YSlow tool. Google page speed is another tool for performance profiling. Both require Firebug installed.
- Use CSS Image Sprites for small related images like toolbars (see the "minimize http requests" point)
- Busy web sites should consider splitting components across domains. Specifically...
  - Static content (i.e., images, CSS, JavaScript, and generally content that doesn't need access to cookies) should go in a separate domain that does not use cookies, because all cookies for a domain and its subdomains are sent with every request to the domain and its subdomains. One good option here is to use a Content Delivery Network (CDN).
- Minimize the total number of HTTP requests required for a browser to render the page.
- Utilize Google Closure Compiler for JavaScript and other minification tools
- Make sure there’s a favicon.ico file in the root of the site, i.e. /favicon.ico. Browsers will automatically request it, even if the icon isn’t mentioned in the HTML at all. If you don’t have a /favicon.ico, this will result in a lot of 404s, draining your server’s bandwidth.
SEO (Search Engine Optimization)
- Use "search engine friendly" URLs, i.e. use example.com/pages/45-article-title instead of example.com/index.php?page=45
- Don't use links that say "click here". You're wasting an SEO opportunity and it makes things harder for people with screen readers.
- Have an XML sitemap, preferably in the default location /sitemap.xml.
- Use <link rel="canonical" ... /> when you have multiple URLs that point to the same content
- Use Google Webmaster Tools and Yahoo Site Explorer
- Install Google Analytics right at the start (or an open source analysis tool like Piwik)
- Know how robots.txt and search engine spiders work
- Redirect requests (using 301 Moved Permanently) asking for www.example.com to example.com (or the other way round) to prevent splitting the Google ranking between both sites
- Know that there can be badly behaved spiders out there
- If you have non-text content look into Google's sitemap extensions for video, etc. There is some good information about this in Tim Farley's answer.
Technology
- Understand HTTP and things like GET, POST, sessions, cookies, and what it means to be "stateless".
- Write your XHTML/HTML and CSS according to the W3C specifications and make sure they validate. The goal here is to avoid browser quirks modes and as a bonus make it much easier to work with non-standard browsers like screen readers and mobile devices.
- Understand how JavaScript is processed in the browser.
- Understand how JavaScript, style sheets, and other resources used by your page are loaded and consider their impact on perceived performance. It may be appropriate in some cases to move scripts to the bottom of your pages.
- Understand how the JavaScript sandbox works, especially if you intend to use iframes.
- Be aware that JavaScript can and will be disabled, and that Ajax is therefore an extension not a baseline. Even if most normal users leave it on now, remember that NoScript is becoming more popular, mobile devices may not work as expected, and Google won't run most of your JavaScript when indexing the site.
- Learn the difference between 301 and 302 redirects (this is also an SEO issue).
- Learn as much as you possibly can about your deployment platform
- Consider using a Reset Style Sheet
- Consider JavaScript frameworks (such as jQuery, MooTools, or Prototype), which will hide a lot of the browser differences when using JavaScript for DOM manipulation
Bug fixing
- Understand you'll spend 20% of the time coding and 80% of it maintaining, so code accordingly
- Set up a good error reporting solution
- Have some system for people to contact you with suggestions and criticism.
- Document how the application works for future support staff and people performing maintenance
- Make frequent backups! (And make sure those backups are functional) Ed Lucas's answer has some advice. Have a Restore strategy, not just a Backup strategy.
- Use a version control system to store your files, such as Subversion or Git
- Don't forget to do your Unit Testing. Frameworks like Selenium can help.
Lots of stuff omitted not necessarily because they're not useful answers, but because they're either too detailed, out of scope, or go a bit too far for someone looking to get an overview of the things they should know. If you're one of those people you can read the rest of the answers to get more detailed information about the things mentioned in this list. If I get the time I'll add links to the various answers that contain the things mentioned in this list if the answers go into detail about these things. Please feel free to edit this as well, I probably missed some stuff or made some mistakes.
Original: http://stackoverflow.com/questions/72394