Pre-Launch | 12 min read | Updated May 2025

Website Audit Before Launch: 35-Point Checklist (2025)

The complete pre-launch checklist for founders, developers, and freelancers. 35 checks across SEO, security, performance, and compliance — use it before every website launch or major update.

35 total checks | 5 categories | 30 min average time | Free tool to automate | No signup required | Updated 2025

SEO Basics (7 checks)

1. Title tags on every page
   Every page must have a unique, descriptive title tag under 60 characters containing the primary keyword.
2. Meta descriptions on every page
   Every page needs a compelling meta description between 140–160 characters. Don't leave it blank: Google will auto-generate one that may be misleading.
3. No noindex tags on public pages
   During development, sites often have noindex set globally. Remove all <meta name='robots' content='noindex'> tags from pages you want indexed.
4. Canonical URLs set on every page
   Add self-referencing canonical tags to every page. This prevents duplicate content issues from URL parameters and protocol variants.
5. XML sitemap generated and accessible
   Verify sitemap.xml is accessible at yourdomain.com/sitemap.xml. It should list all indexable pages and exclude admin, thank-you, and duplicate pages.
6. Robots.txt not blocking important pages
   Check robots.txt doesn't accidentally block your main content directories. A misconfigured robots.txt can prevent Google from indexing your entire site.
7. One H1 per page with target keyword
   Every page needs exactly one H1 tag containing the primary keyword or phrase you want that page to rank for.
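
SEO items 1-4 and 7 can be checked mechanically from a page's HTML. The following is an added example, not part of the original checklist or of AuditAI; `OnPageTags`, `audit_page` and the sample page are names and data constructed for illustration.

```python
from html.parser import HTMLParser

class OnPageTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title, self.description, self.canonical = "", None, None
        self.robots, self.h1_count, self._in_title = [], 0, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        if tag == "title":
            self._in_title = True
        elif tag == "h1":
            self.h1_count += 1
        elif tag == "meta" and name == "robots":
            self.robots.append(a.get("content", "").lower())
        elif tag == "meta" and name == "description":
            self.description = a.get("content", "")
        elif tag == "link" and a.get("rel", "").lower() == "canonical":
            self.canonical = a.get("href")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_page(html, url):
    """Return the SEO items (1-4, 7) this page fails; url is its public URL."""
    p = OnPageTags()
    p.feed(html)
    findings = []
    if not 0 < len(p.title.strip()) < 60:
        findings.append("title missing or not under 60 characters")
    if p.description is None or not 140 <= len(p.description) <= 160:
        findings.append("meta description missing or outside 140-160 characters")
    if any("noindex" in r for r in p.robots):
        findings.append("noindex set")
    if p.canonical != url:
        findings.append("canonical missing or not self-referencing")
    if p.h1_count != 1:
        findings.append("expected exactly one H1, found %d" % p.h1_count)
    return findings
# Constructed sample: a page that still carries its staging settings.
STAGING_HTML = ("<title>Home</title><meta name='robots' content='noindex'>"
                "<h1>Welcome</h1><h1>Pricing</h1>")
```

Calling `audit_page(STAGING_HTML, "https://example.com/")` reports the leftover noindex tag, the missing description and canonical, and the duplicate H1.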

Security Essentials (7 checks)

1. HTTPS enforced on all pages
   Every page must load over HTTPS. HTTP pages trigger browser 'Not Secure' warnings and fail GDPR/DPDP requirements.
2. Security headers configured
   Add Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers. AuditAI checks all of these automatically.
3. No exposed sensitive files
   Verify /.env, /.git/config, and /phpinfo.php all return 404 from your production domain. Check before every launch.
4. SSL certificate is valid
   Verify the SSL certificate is from a trusted CA, covers all subdomains, and doesn't expire within 60 days of launch.
5. Admin areas restricted
   Ensure /admin, /wp-admin, or equivalent paths are protected by authentication and ideally IP-restricted or rate-limited.
6. Default CMS credentials changed
   If using WordPress, Drupal, or similar, change all default admin usernames (admin, administrator) and use strong passwords.
7. Database not publicly accessible
   Your database connection string and database ports should never be exposed to the public internet. Verify firewall rules on your hosting provider.
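
Security items 1-3 reduce to assertions over a handful of HTTP responses from your own production domain. The following is an added example, not part of the original checklist or of AuditAI; `audit_security`, the placeholder host `example.com` and the captured responses are constructed, and treating "HTTPS enforced" as "plain HTTP redirects to HTTPS" is an assumption.

```python
REQUIRED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security",
                    "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy")
SENSITIVE_PATHS = ("/.env", "/.git/config", "/phpinfo.php")
REDIRECTS = {301, 302, 307, 308}

def _get(responses, url):
    """Return (status, lower-cased headers) for url, or (None, {}) if not captured."""
    status, headers = responses.get(url, (None, {}))
    return status, {k.lower(): v for k, v in headers.items()}

def audit_security(host, responses):
    """Check captured responses against security items 1-3 of the checklist."""
    findings = []
    # Item 1 (assumed meaning): the plain-HTTP URL must redirect to HTTPS.
    status, headers = _get(responses, "http://%s/" % host)
    if status not in REDIRECTS or not headers.get("location", "").startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    # Item 2: all five headers present; header names are case-insensitive.
    status, headers = _get(responses, "https://%s/" % host)
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append("missing header: " + name)
    # Item 3: anything other than 404 (including 403 or an uncaptured path) fails.
    for path in SENSITIVE_PATHS:
        status, _ = _get(responses, "https://%s%s" % (host, path))
        if status != 404:
            findings.append("%s returned %s, expected 404" % (path, status))
    return findings

# Constructed capture for the placeholder host example.com (not real scan output).
CAPTURED = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (200, {
        "content-security-policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000",
        "X-Content-Type-Options": "nosniff",
    }),
    "https://example.com/.env": (200, {}),
    "https://example.com/.git/config": (404, {}),
    "https://example.com/phpinfo.php": (403, {}),
}
```

`audit_security("example.com", CAPTURED)` flags the two missing headers, the readable /.env, and /phpinfo.php answering 403 instead of the 404 the checklist asks for. In practice the status codes and headers would be collected from your own site, for example with `curl -I`.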

Performance (7 checks)

1. Page loads in under 3 seconds
   Test on a real mobile device or using Chrome's mobile throttling simulation. Most users on mobile are on 4G at best.
2. Images compressed and in modern formats
   All images should be in WebP or AVIF format. Compress with tools like Squoosh or use a CDN with automatic image optimisation.
3. Images have explicit width and height
   Add width and height attributes to all img tags to prevent Cumulative Layout Shift (CLS), a Core Web Vitals ranking factor.
4. No render-blocking resources in head
   CSS and JS loaded synchronously in <head> delay the First Contentful Paint. Defer non-critical scripts and load critical CSS inline.
5. Cache headers set on static assets
   CSS, JS, and image files should have Cache-Control headers with long max-age values (at least 1 year for hashed filenames).
6. Core Web Vitals pass threshold
   Run AuditAI's Core Web Vitals check. LCP must be under 2.5s, INP under 200ms, and CLS under 0.1 before launch.
7. CDN configured for static assets
   Use a CDN (Cloudflare, Fastly, AWS CloudFront) to serve assets from edge locations close to your users, especially important for global audiences.

Compliance & Legal (7 checks)

1. Privacy policy published and linked
   Required by GDPR, CCPA, and DPDP. Link your privacy policy from the footer of every page. It must describe what data you collect and why.
2. Terms of service published
   If your site sells products, takes sign-ups, or involves any transaction or service, a Terms of Service page is legally important.
3. Cookie consent banner implemented
   If you use any cookies (analytics, ads, tracking pixels), you must obtain consent before setting them. Required under GDPR and DPDP.
4. GDPR compliance for EU users
   If you have EU users: cookie consent, right to erasure mechanism, lawful basis for any data processing, and data breach notification plan.
5. DPDP compliance for Indian users
   If you have Indian users: consent before data collection, privacy notice, data access and deletion mechanism, HTTPS enforcement.
6. Analytics only after consent
   Google Analytics and similar tools should only fire after the user has accepted cookies. Don't load GA by default on page load.
7. GDPR-compliant contact form
   Contact forms must not be pre-checked for marketing. Include a checkbox with explicit consent text if you plan to send marketing emails.

Final Launch Checks (7 checks)

1. All links tested (no 404s)
   Click every navigation link, button, and CTA on your site. Check for broken links, wrong URLs from staging, and missing pages.
2. Forms tested end-to-end
   Submit every form on your site (contact, sign-up, checkout) and verify you receive the expected response and notification emails.
3. Google Search Console set up
   Add and verify your production domain in Google Search Console. Submit your sitemap. This is essential for monitoring indexing issues post-launch.
4. Google Analytics (or Plausible) installed
   Verify your analytics tracking is firing on all pages in your production environment, not just staging.
5. Open Graph images render correctly
   Test your social sharing with the LinkedIn Post Inspector, Facebook Sharing Debugger, or AuditAI's Social Preview tool to verify og:image renders correctly.
6. Mobile layout tested on real devices
   Check on at least two real mobile devices (different screen sizes). Browser DevTools mobile simulation doesn't catch all layout issues.
7. Run AuditAI's full pre-launch scan
   Run a final AuditAI scan on your production URL to get an automated check across all SEO, security, performance, and compliance signals before announcing launch.

Automate 20+ of these checks before launch

AuditAI automatically runs the SEO, security, performance, and compliance checks from this list in under 30 seconds — free, no account required.


Frequently Asked Questions

How long does a pre-launch website audit take?
With AuditAI, the automated portion (SEO, security, performance, and compliance checks) takes under 30 seconds. The manual checks on this list (verifying content quality, testing forms, checking analytics setup, and reviewing legal pages) usually take 30–60 minutes for a typical marketing site. Allow 2–3 hours for a complex e-commerce site.
What is the single most important check before launching a website?
Remove the noindex meta tag. During development, sites are often set to noindex to prevent Google from crawling a staging environment. It's one of the most common pre-launch oversights — and the result is a live site that Google won't rank. Check every page's source code for <meta name='robots' content='noindex'> and remove it.
Should I submit my sitemap to Google before or after launch?
After launch. Submit your sitemap.xml to Google Search Console within the first 24–48 hours of going live. This signals to Google that the site is ready to be crawled and indexed. Make sure GSC is set up with your production domain (not the staging subdomain) before submitting.