How to Set Up Content Security Policy Headers to Prevent XSS Attacks

Website Launch Checklist: Everything to Verify Before Going Live

Launching a website without a proper checklist often leads to small problems becoming post-launch emergencies: forms that do not send notifications, images that fail to load on mobile devices, pages that Google cannot index, or mixed content warnings on what should be a secure site. These issues are avoidable with a structured verification process before the site goes live.

This guide walks through the key checks to complete before any website launch. Whether you are launching a first business website or deploying an updated version of an existing site, these steps help catch problems while you can still fix them easily.

Verify HTTPS Is Working Correctly on Every Page

Your site should load securely using HTTPS across all pages, not just the homepage. Browsers flag mixed content warnings when a secure page loads resources like images, scripts, or stylesheets over HTTP instead of HTTPS. These warnings reduce visitor trust and can affect search rankings.

To check for mixed content issues, open your site in a browser and look for the padlock icon in the address bar. If you see a warning or unlocked icon on any page, inspect the page source and look for resources loading over http://. Common culprits include hardcoded image paths, third-party scripts, and embedded fonts.
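
Added example (not from the original article): the page-source check above, automated with Python's standard-library HTML parser. It flags `http://` URLs only where the browser would fetch a subresource, so ordinary links and canonical tags are ignored. The sample markup and `example.test` hostnames are constructed, and the `srcset` split assumes URLs without commas.

```python
import re
from html.parser import HTMLParser
# Attributes that fetch a subresource; <a href> is navigation and is excluded.
SUBRESOURCE_ATTRS = {("img", "src"), ("img", "srcset"), ("source", "src"),
    ("source", "srcset"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("video", "poster"), ("embed", "src"), ("object", "data")}
# <link href> only loads something for these rel values (canonical does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_style, self.findings = False, []  # findings: (line, tag, attr, url)

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        attrs = {k: (v or "") for k, v in attrs}
        for name, value in attrs.items():
            if tag == "link" and name == "href":
                if not set(attrs.get("rel", "").lower().split()) & LOADING_RELS:
                    continue
            elif (tag, name) not in SUBRESOURCE_ATTRS:
                continue
            for cand in (value.split(",") if name == "srcset" else [value]):
                url = (cand.split() or [""])[0]  # srcset item is "url descriptor"
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # fonts/images referenced from an inline <style> block
            for url in CSS_URL.findall(data):
                self.findings.append((self.getpos()[0], "style", "url()", url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; hostnames are placeholders, not from the article.
SAMPLE = """<link rel="canonical" href="http://example.test/">
<link rel="stylesheet" href="http://fonts.example.test/font.css">
<style>@font-face { src: url("http://example.test/x.woff2"); }</style>
<a href="http://example.test/about">About</a>
<img src="/logo.png" srcset="https://example.test/a.png 1x, http://example.test/b.png 2x">"""
print(find_mixed_content(SAMPLE))
```

Inline `style` attributes and the contents of external stylesheets are not inspected here; the browser console's mixed content warnings remain the check for those.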

Once you have fixed any mixed content issues, verify that your SSL certificate is valid and not expired. Most hosting providers handle certificate renewal automatically through Let's Encrypt, but it is worth confirming this is configured on your account.

Test All Forms and Enquiry Notifications

Forms are often the first thing to break after a launch, and you may not notice until a potential customer walks away. Test every form on your site end to end, including contact forms, quote request forms, newsletter signups, and login forms where applicable.

Submit a test entry through each form and confirm that you receive the notification email. Check whether the email arrives in your inbox, lands in a spam or junk folder, or appears in whatever back-end system handles submissions. Also verify that the sender address displays correctly and that the email content includes the submitted information.

If your forms use a third-party service for email delivery, check that the service is correctly configured and that sending limits will not cause problems if you receive multiple submissions quickly.

Form Validation and Error Handling

While testing form submissions, also check that validation messages appear correctly when users enter invalid data. The form should prevent empty required fields, reject invalid email formats, and show clear error messages without revealing sensitive server information.

Confirm Google Analytics or Tracking Is Recording Data

Your website launch is the moment your analytics timeline begins. If tracking is not working correctly from day one, you lose baseline data about where your visitors come from and how they behave on your site.

Install Google Analytics or your preferred analytics tool and verify it is receiving data by checking the real-time dashboard. Visit a page on your site and confirm that your own visit appears in the real-time report. Also check that page views, referral sources, and any custom events you have configured are being recorded.

If you use Google Search Console, verify that your site is registered and that you can see crawl data. This confirms Google can access your pages and helps you spot indexing issues early.

Setting Up the Correct View Filters

Before your site receives significant traffic, set up filters in your analytics account to exclude internal visits from your own IP address. Without these filters, your own testing and development work inflates your visitor numbers and distorts engagement metrics.

Check That Google Can Index Your Pages

If your site was previously in development with password protection or a noindex directive, make sure you remove these restrictions before launch. A noindex meta tag in your page header tells search engines to skip your pages entirely, which means your site will not appear in search results.

Use Google Search Console to request indexing for your homepage and key pages. Check that your XML sitemap is accessible at yoursite.com/sitemap.xml and that it includes all the pages you want indexed. Submit the sitemap to Google Search Console to trigger the crawling process.

Run a site search in Google by typing site:yoursite.com to see which pages Google has indexed. Compare this list against the pages you expect to appear in search results.

Test the Mobile Experience Thoroughly

More than half of web traffic now comes from mobile devices, and Google uses mobile-first indexing to determine rankings. Your site must work correctly on smartphones and tablets, not just on desktop browsers.

Open your website on an actual mobile device rather than relying solely on browser developer tools. Check that navigation menus work with touch, that buttons are large enough to tap easily, and that text is readable without zooming. Pay particular attention to any forms, image galleries, or interactive elements that may behave differently on mobile.

Verify that images resize correctly and do not cause horizontal scrolling. Test your site on different screen sizes and across different mobile browsers where possible. Page speed on mobile devices is also important, as slow-loading pages lose visitors quickly.

Verify All Images Load Correctly

Missing or broken images are one of the most common post-launch problems. Images may fail to load because of incorrect file paths, permission issues on the server, or image URLs that were not updated after a migration or redesign.

Browse through every page of your site and confirm that all images appear as expected. Check for any broken image icons or alt text that appears instead of the image itself. Also verify that images are appropriately sized and compressed, as large unoptimised images slow page loading significantly.

If your site uses a CDN (content delivery network), confirm that images are being served correctly through the CDN and that there are no caching issues preventing new images from appearing. A CDN can improve performance and reduce load on your origin server, particularly for image-heavy sites.

Image Alt Text and Accessibility

While checking images, verify that meaningful alt text is present on all images that convey information. Decorative images can use empty alt attributes, but any image that communicates something to the user should have descriptive alt text. This helps with accessibility and also provides context for search engines.

Check Core Web Vitals and Page Speed

Core Web Vitals are metrics that Google uses to evaluate user experience, including loading performance, interactivity, and visual stability. Pages that load slowly, respond slowly to user input, or shift layout unexpectedly can hurt both your search rankings and your visitor retention.

Use Google PageSpeed Insights or a similar tool to check your Core Web Vitals scores. These tools provide specific recommendations for improvement, such as optimising images, eliminating render-blocking resources, or reducing server response times.

Address the most impactful issues first. Large unoptimised images are often the biggest contributor to slow page speeds on new sites. Implementing lazy loading for images below the fold, minifying CSS and JavaScript files, and enabling browser caching are practical steps that typically yield noticeable improvements.

Review Basic SEO Elements

Before launch, confirm that each page has a unique and descriptive title tag and meta description. These elements appear in search engine results and influence whether people click through to your site. Title tags should be concise, include relevant keywords, and accurately describe the page content.

Check that your heading structure is logical. The main heading on each page should be an h1 element, with subheadings using h2 and h3 tags in a hierarchical structure. Search engines use this structure to understand the organisation of your content.

Verify that your page URLs are clean and readable. Dynamic URLs with long strings of parameters are harder for both users and search engines to understand. A URL like yoursite.com/services/website-maintenance is clearer than yoursite.com/?page_id=47&category=5.

Canonical Tags and Duplicate Content

If your site is accessible with and without the www prefix, or through both HTTP and HTTPS, search engines may treat these as separate pages with duplicate content. Set a preferred domain in Google Search Console and implement canonical tags to indicate the preferred version of each page.

Test Across Different Browsers

Your site may render differently in Chrome, Firefox, Safari, Edge, and other browsers. Before launch, test your site in the browsers your target audience is most likely to use. This is particularly important for sites with complex layouts, custom JavaScript functionality, or CSS features that may not be supported everywhere.

Pay attention to form elements, dropdown menus, and any interactive components. CSS that looks correct in one browser may break in another. Flexbox and grid layouts generally have good cross-browser support now, but older browsers may still cause issues depending on your audience.

Set Up Monitoring and Uptime Checks

Once your site is live, you need to know quickly if it goes down. Set up uptime monitoring to alert you when your site becomes unreachable. Many monitoring services offer free tiers that check your site every few minutes from multiple locations.

Configure alerts to notify you by email or SMS when downtime is detected. This allows you to respond quickly rather than discovering a problem hours later through a frustrated visitor or customer report.

It is also worth setting up error monitoring that captures PHP errors, JavaScript errors, and server-side issues. These tools help you identify problems before visitors report them.

Planning for Regular Backups

Establish a backup routine before launch if one does not already exist. Regular backups allow you to restore your site quickly if something goes wrong during future updates or if a security incident occurs. Most hosting providers offer automated backups, but it is worth verifying that they are configured and that you know how to restore from a backup if needed.

Security Considerations Before Going Live

A new website is immediately visible to automated scanners that look for known vulnerabilities. Taking basic security steps before launch reduces the risk of compromise.

Change default admin usernames and passwords. Many content management systems and server applications create default administrator accounts with well-known credentials. Ensure all admin accounts use strong, unique passwords and that two-factor authentication is enabled where available.

Keep your software up to date. Whether you use a content management system, a custom application, or server-level software, running outdated versions introduces known vulnerabilities that attackers actively scan for. Enable automatic updates where practical, and establish a routine for reviewing and applying updates regularly.

If you are launching a WordPress site, a thorough security audit before going live can identify common vulnerabilities in themes, plugins, and configurations. For sites built with custom PHP code, reviewing session handling, input validation, and database queries helps reduce the risk of common attacks.

When You Need Help With the Launch Checklist

If any of these checks feel unfamiliar or if you would prefer a second pair of eyes on your setup, a technical review before launch can catch issues that are easy to miss when you have been working on a project for a long time.

An IT specialist can verify your hosting configuration, test forms and notifications, review security settings, and confirm that Google services are correctly connected. This is particularly useful if you are launching a business website where post-launch problems can affect customer experience and search visibility.

If you want a practical review of your setup, you can get in touch with details of your website URL, hosting environment, and any specific concerns you want to cover.

Frequently Asked Questions

How long does a website launch checklist take to complete?
The time required depends on the complexity of your site. A simple static website with a few pages might take an hour or two to verify thoroughly. A larger site with multiple forms, e-commerce functionality, and custom integrations could take several hours or be spread across a day. It is better to take the time needed than to rush through and miss something important.
Do I need to test forms on a staging site or the live site?
You should test forms on a staging or development environment first to avoid sending test submissions to real customer email addresses. Once you have verified forms work correctly in the test environment, do a final check on the live site before launch. This confirms that form handlers, notification settings, and integrations are working in the production environment.
What should I do if Google is not indexing my pages after launch?
First, check that there is no noindex directive in your page source and that your hosting is not blocking crawlers. Verify your site is accessible without password protection. Then submit your XML sitemap through Google Search Console and request indexing for your key pages. Indexing can take a few days, but if Google reports errors or your pages still do not appear after a week or two, there may be a technical issue worth investigating.
Is it worth paying for a security audit before launching?
For business websites, a security audit before launch is a practical investment. Identifying and fixing vulnerabilities early is far less disruptive than dealing with a compromised site after launch. Even basic checks such as reviewing plugin configurations, hardening server settings, and verifying that access controls are properly configured can reduce risk significantly.
How often should I update a website after it goes live?
Software updates, including content management system core updates, plugin updates, and server-level patches, should be applied as they become available. Beyond that, reviewing your site performance and security settings every few months helps keep things running smoothly. If your site uses third-party services or integrations, check that those connections remain functional after any updates.