The 85-point launch sweep
So you let AI build your site for you? Don’t forget about these.
Every site we ship gets this sweep. It is the list of things that slip past you when you are focused on making the site work, and the list most site builders never run at all.
1. Meta and Sharing
- Favicon present in all sizes, including Apple touch icon
- Open Graph tags set on every key page (title, description, og:image)
- Twitter card tags set
- Link sent in a real text message renders a proper preview
- Link pasted in Slack or Messenger renders a proper preview
- Facebook Sharing Debugger re-scraped if the OG image changed
- Every page has a unique title tag
- Meta descriptions written intentionally, not auto-truncated
2. Contact and Identity
- Email address correct in footer
- Email address correct on contact page (verify both, they drift)
- Contact form delivers to the right inbox
- Form notification email does not land in spam
- Phone number is a clickable tel: link on mobile
- Copyright year is current or auto-generated
- Business name and address consistent on every page
3. Auth Flows
- Forgot password works end to end: request, email arrives, link works, new password works
- Signup confirmation email arrives and the link works
- Logged-in user hitting the login page gets redirected sensibly
- Session expiry behaves correctly
- Test accounts removed or locked before launch
4. The Forgotten Pages
- Custom 404 page exists with navigation back to the site
- Privacy policy link goes to a real page
- Terms of service link goes to a real page
- No lorem ipsum, placeholder names, or template phone numbers anywhere (search the codebase, not just the pages you remember)
5. Technical Hygiene
- www and non-www resolve to one canonical version
- http redirects to https
- robots.txt is not still blocking everything from staging
- Console shows no errors on every page, not just the homepage
- Forms tested with browser autofill
- Lighthouse run, large unoptimized images fixed
- Mobile responsive verified on real devices, not just DevTools
- Site tested on someone else's phone and network, not your cached browser
6. Analytics and Tracking
- GA4 property created and tag firing (verified in real-time view)
- Google Search Console verified and sitemap submitted
- Bing Webmaster Tools verified (ChatGPT search pulls from Bing)
- Conversion events defined, not just pageviews
7. Classic SEO
- One H1 per page with a logical heading hierarchy
- Canonical tags set
- Image alt text written
- Internal links between related pages
- Google Business Profile claimed and matching the site info
- Sitemap current and segmented if the site is large
8. AI Visibility (GEO)
AI assistants are the new front page. If ChatGPT, Claude, and Perplexity cannot read your site, you do not exist in those conversations.
- robots.txt allows GPTBot, ClaudeBot, PerplexityBot, and Google-Extended
- Cloudflare AI bot blocking checked and intentionally configured (Cloudflare blocks AI bots by default)
- Key content is server-side rendered, visible in the initial HTML without JavaScript
- No content locked behind logins, cookie walls, or interactive elements
- FAQ schema on service pages
- llms.txt at the domain root linking to your most important content
- Each key page leads with a direct answer before the context
- Spot check: ask three AI assistants the questions your customers would ask and note whether you appear
9. Form Spam Prevention
- Cloudflare Turnstile or reCAPTCHA installed on every public form
- Honeypot field added as a backup
- Rate limiting on the form endpoint
- Server-side validation, not just front-end
- CAPTCHA verified to not block real users on mobile or privacy browsers
- Email address not sitting in page source as scrapeable plain text
- SPF, DKIM, and DMARC records set for the sending domain
10. Security Sweep
Database and RLS (Supabase)
- RLS enabled on every table, no exceptions
- Policies tested as different users: user A attempts to read user B's rows and fails
- Service role key never ships to the client
- Storage bucket policies set, not just table policies
- Security definer functions reviewed (they bypass RLS)
- Supabase Security Advisor run with every warning addressed
- Realtime subscriptions verified to respect RLS
Secrets and Keys
- No API keys in client-side code or the built bundle
- .env in .gitignore and git history checked for previously committed secrets
- Any key that ever leaked has been rotated
- Separate keys for dev and prod
Endpoints and Access
- Every API route checks auth server-side
- Admin routes verify the admin role, not just hide the button
- IDs in URLs cannot be incremented to reach other users' data
- CORS locked to your domain
- Webhooks verify signatures
Headers and Transport
- HTTPS forced, no mixed content
- Security headers set: CSP, X-Frame-Options, HSTS (check securityheaders.com)
- Cookies flagged httpOnly, secure, and sameSite
Housekeeping
- Debug mode and verbose errors off in prod
- Seed data removed or locked down
- Dependency audit run, criticals fixed
- Default credentials changed on anything self-hosted
11. Post-Launch
- Analytics confirmed firing on the live domain
- SSL cert auto-renewal confirmed, not just working today
- DNS TTLs restored to normal after cutover
- Uptime monitoring pointed at the new site
- OG previews re-checked on the live domain (caches persist)
Built by TechBeat Solutions. Ship it clean.