I notice that there is something which I should do in my Sitecore projects. That’s why I want to write it down as a common checklist for Sitecore development so that I can share it with everyone. Please give me a hand by dropping a comment if there is something wrong or missing. If this one is helpful, please broadcast it 😀 .
Security
- Ensure your custom admin page to inherit Sitecore.sitecore.admin.AdminPage then call the CheckSecurity method, learn more about it
- Ensure you include an Assert.CanRunApplication(“/path-to-application”) check in your custom application to enforce security, learn more about it
- Disable Edit and Preview Modes on CD servers, learn more about it
- Note: you may need to set <setting name=”Preview.ResolveSite” value=”false” /> for using cross site links
- Set up a friendly static page for 404 and 401 HTTP status codes, learn more about it
- Set up a friendly static page for 500 HTTP status code, learn more about it
- Prevent unauthorized access to the Sitecore client interfaces, learn more about it
- Secure response headers
- Prevent XSS vulnerability
Caching
- enable output caching on Sitecore’s renderings if possible
- Note: when caching is enabled please setup the processor to clear the cache on publish in the configuration files for each website
User Experience
- Use Editor friendly names in Sitecore, learn more about it
- Add the custom icons and some missing icons of Sitecore such as ApplicationsV2, BusinessV2, FlagsV2, NetworkV2, PeopleV2, SoftwareV2 to “Change Icon” dialog, learn more about it
SEO
- For SEO best practice, we should uniform the URLs for public pages:
- All URLs (excluding Querystring) should be in lowercase
- All URLs should have an ending slash
- resources with extensions doesn’t require end slash e.g .css, .js
- All URLs should default to HTTPS
- when a URL is accessed on HTTP, it’s auto redirect to HTTPS
- All URLs should redirect to www when not specified
- Note: you can download an example of RewriteRules.config
- All URLs (excluding Querystring) should be in lowercase
- in case /sitemap.xml is called directly (without language params) then serves X links (X = number of supported language). This way Google can follow the sitemap.xml links and discover the alternative languages
- Making noindex for Staging/UAT servers so that content is NOT crawled
Experience Editor
- Sitecore’s JS overwrites the global jQuery variable so that it causes JS issues if our jQuery loads in the heading, learn more about it
- // some code
- In debug mode, we should abort tracing and profiling for Web APIs if any, otherwise Sitecore adds its own HTML content to every single response (for displaying Sitecore Profile and Sitecore Trace info) so that it will break the content structure if response content type is json
Server roles configuration
Sitecore utilities / tools
Play with Sitecore utilities / tools, learn more about it
Happy Sitecore Community!
Walking on clouds 
Nice checklist
I have worked with the exact rewrite rules in a solution. And it was the root to a lot time wasting with possible bug tracking and strange behaviors.
When you upgrade Sitecore or install a module like WFFM. Then sometimes you need to add some more stuff to the negate attribute. The never-ending story.
I think it is more appropriate to tweak the linkManager, even make a custom one with the ending slash since the linkManager don’t support that yet.
If that is not enough, then you could implement canonical url meta data, to ensure you don’t get duplicate content and search engines knows exactly
LikeLiked by 1 person
Thanks for dropping your comment. I suppose that I’ve got the same experience on Rewrite Rules with you 😀 (especially with the strange behaviors).
Totally agree with you about custom LinkManager and canonical URLs, they’re good options.
LikeLike