E-commerce Site Quality Assurance Checklist
UX and Front-End QA
Load the staging URL on desktop Chrome and an iPhone Safari profile. Confirm hero, announcement bar, and any geolocation / currency switcher render before paint. Theme updates that pass on desktop but reflow on mobile are the most common regression.
Click every entry in the mega-menu, footer, and announcement bar. Watch for stale collection handles after a re-platform or seasonal collection swap, and 301s that should be direct links.
Spot-check three PDPs across categories. Confirm variant swatches, inventory message, Yotpo / Judge.me / Okendo review widget, and any size-guide modal. Sold-out variants should disable add-to-cart, not throw a 500.
Crawl staging with Screaming Frog (or Ahrefs Site Audit). Filter response codes for 4xx and 5xx; flag redirect chains over two hops. Pay attention to blog-post links pointing at retired collection handles.
Search a known SKU, a misspelling, and a synonym. Confirm Searchanise / Algolia / Boost returns relevant hits and respects out-of-stock sort. Apply at least two filter facets and confirm the URL stays shareable.
Checkout and Conversion Flow
Use the Bogus Gateway or a real card on a draft-discounted product. Capture screenshots of cart, checkout, thank-you page, and the order in admin. Confirm tax calculates, shipping rate displays, and the order tags route to the correct fulfillment location.
Express checkouts skip the standard form, so a missing required attribute (phone, address line 2) silently fails for accelerated buyers. Walk a Shop Pay and Apple Pay path on Safari iOS — that combination accounts for a large share of mobile conversion.
Test a stackable code, a customer-tag-gated code (VIP), and a gift card with partial balance. Confirm Shopify Functions or any discount app does not double-apply on Shop Pay one-page checkout — a common regression after Checkout Extensibility migrations.
Add to cart with a seeded test profile, abandon, and watch the Klaviyo flow queue. Verify the trigger filter excludes profiles who completed checkout — race conditions where a buyer gets a 'you forgot something' email after ordering are a common annoyance.
Confirm the Shopify order confirmation, the Postscript / Attentive shipping SMS, and any Recharge subscription confirmation render with correct logo, line items, and unsubscribe link. SPF / DKIM / DMARC alignment should pass on the inbound headers.
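The SPF / DKIM / DMARC check on a received test message can be scripted. The following is an added example, not part of the original checklist: it reads the Authentication-Results header of a message and reports whether a passing SPF or DKIM result is aligned with the From: domain. The sample headers and the domains shop-example.com and esp-example.net are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # A production check consults the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_auth(raw_message):
    """Report SPF/DKIM/DMARC verdicts and relaxed alignment with the From: domain."""
    msg = message_from_string(raw_message)
    from_org = org_domain(re.search(r"@([\w.-]+)", msg["From"]).group(1))
    # Unfold and join every Authentication-Results header the receiver added.
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())

    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", results)
    spf_aligned = bool(spf) and spf.group(1) == "pass" and org_domain(spf.group(2)) == from_org

    # A message can carry several signatures (store domain plus the ESP's own);
    # only a passing signature whose d= matches the From: domain counts.
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", results)
    dkim_aligned = any(v == "pass" and org_domain(d) == from_org for v, d in dkim)

    dmarc = re.search(r"\bdmarc=(\w+)", results)
    dmarc_verdict = dmarc.group(1) if dmarc else "missing"
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc_verdict,
        "ok": dmarc_verdict == "pass" and (spf_aligned or dkim_aligned),
    }

def sample(mailfrom, dkim_d, dmarc):
    # Constructed headers for illustration; not captured from a real store.
    return (
        "Authentication-Results: mx.example.net;\n"
        f" spf=pass smtp.mailfrom={mailfrom};\n"
        f" dkim=pass header.d={dkim_d} header.s=k1;\n"
        f" dmarc={dmarc} header.from=shop-example.com\n"
        "From: Shop Example <orders@shop-example.com>\n"
        "Subject: Order #1001 confirmed\n\nThanks for your order.\n"
    )

ALIGNED = sample("bounce.mail.shop-example.com", "shop-example.com", "pass")
ESP_ONLY = sample("bounces@esp-example.net", "esp-example.net", "fail")

if __name__ == "__main__":
    print(check_auth(ALIGNED))
    print(check_auth(ESP_ONLY))
```

The second sample is the case to watch for: SPF and DKIM both say "pass", but only for the sending platform's own domain, so nothing is aligned with the store's From: address.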
Performance and Core Web Vitals
Test mobile field data for LCP, INP, and CLS against Google's CWV thresholds (LCP ≤ 2.5s, INP ≤ 200ms, CLS ≤ 0.1). Lab data alone hides real-world tail latency — use the CrUX field section if available.
Largest image above the fold should be WebP/AVIF and ≤ 200 KB. Confirm loading="lazy" below the fold and fetchpriority="high" on the hero. Hero images that ship at 4MB are the most common LCP killer on Shopify themes.
For non-Plus stores, run k6 or Loader.io against the storefront and a draft-order checkout. Plus stores can request a Launchpad event. Run at 3–5x your projected BFCM peak; surface any app webhook timeouts before they blow up on Cyber Monday.
Open the Coverage tab in Chrome DevTools; flag any single app injecting more than 100KB of JS or blocking render. Uninstalled apps frequently leave script tags behind — search the theme for orphan {% include %} and asset references.
Open one ticket per failing metric in Linear / Jira with the offending template, the field-data score, and a target. CWV failures touch SEO ranking and ad quality score, so this is not optional after a regression.
Security and Privacy Compliance
Run SSL Labs against the apex and www domains; aim for an A grade. Confirm HSTS is set with a meaningful max-age. Custom domains added to Shopify or BigCommerce sometimes fail to issue a cert until DNS propagates — verify before any DNS swap.
Authenticate ZAP into a test customer account and run the baseline + active scan. Headless Shopify and custom Hydrogen storefronts are the highest-risk surfaces. Triage results into critical/high/medium per OWASP severity.
Block the deploy until critical findings are patched. Common offenders: outdated jQuery in a custom theme section, unsanitized search query reflected in a results page, missing CSRF on a custom form endpoint. Re-run the ZAP scan after each fix.
With OneTrust / Cookiebot / Shopify's own consent API, load the site in a fresh incognito window and watch the network tab. Meta Pixel, GA4, and TikTok Pixel must not fire before consent in EU/UK/CA regions. Use the GPC signal in Chrome DevTools to test CCPA/CPRA opt-out.
Confirm the privacy policy lists current sub-processors (Klaviyo, Shopify, Stripe, any review platform). The CCPA/CPRA 'Do Not Sell or Share My Personal Information' link should be reachable from the footer on every page, not buried in a policy.
Walk a forgotten-password flow end-to-end. Confirm that the reset link expires and is single-use, and that a Shopify customer-accounts (new) login or a classic account flow works, depending on which is enabled. Brute-force lockout should kick in within a small number of attempts.
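The pre-consent pixel check above can be made repeatable by exporting the network tab as a HAR file and scanning it. This is an added example, not part of the original checklist: it lists requests to tracker hosts that started before the moment the tester accepted the banner. The host suffix list, the sample HAR entries, and the consent timestamp noted by the tester are assumptions.

```python
from datetime import datetime
from urllib.parse import urlparse

# Assumed host suffixes for the three pixels named in the checklist; extend per store.
TRACKER_SUFFIXES = {
    "facebook.com": "Meta Pixel",
    "facebook.net": "Meta Pixel",
    "google-analytics.com": "GA4",
    "analytics.tiktok.com": "TikTok Pixel",
}

def parse_ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def tracker_for(url):
    host = (urlparse(url).hostname or "").lower()
    for suffix, name in TRACKER_SUFFIXES.items():
        # Match the host or a subdomain, never a lookalike such as notfacebook.com.
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def preconsent_hits(har, consent_at):
    """Return (tracker, url) for tracker requests started before consent_at.
    consent_at=None means consent was never given, so every hit is a violation."""
    cutoff = parse_ts(consent_at) if consent_at else None
    hits = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        name = tracker_for(url)
        if name and (cutoff is None or parse_ts(entry["startedDateTime"]) < cutoff):
            hits.append((name, url))
    return hits

def _entry(ts, url):
    return {"startedDateTime": f"2024-05-01T10:00:{ts}Z", "request": {"url": url}}

# Constructed HAR fragment: banner accepted at 10:00:03, GA4 fired at 10:00:00.450.
SAMPLE_HAR = {"log": {"entries": [
    _entry("00.000", "https://shop-example.com/"),
    _entry("00.450", "https://www.google-analytics.com/g/collect?v=2&en=page_view"),
    _entry("04.000", "https://connect.facebook.net/en_US/fbevents.js"),
    _entry("04.200", "https://analytics.tiktok.com/i18n/pixel/events.js"),
]}}

if __name__ == "__main__":
    print(preconsent_hits(SAMPLE_HAR, "2024-05-01T10:00:03.000Z"))
```

For a real run, load the exported file with `json.load` and pass `None` as the consent time when testing the "reject all" path.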
Cross-Browser and Device Compatibility
BrowserStack or LambdaTest covers the matrix; current and previous major version is the realistic floor. Safari is the highest-yield catch — WebKit consistently lags on CSS features Chrome has shipped.
Real devices beat emulators here. Walk PDP → cart → checkout on an iPhone (current iOS) and a mid-tier Android. Confirm Apple Pay sheet renders on Safari and Google Pay on Chrome — both fail silently on misconfigured domain verification.
iPad portrait (768px) and landscape (1024px) often fall into a no-man's-land between mobile and desktop CSS. Confirm the cart drawer, mega-menu, and PDP gallery all behave at 768–1024px.
DevTools network throttling at 'Slow 3G' or 'Fast 3G' surfaces fragile timeouts. International buyers and rural US still load on weak connections; checkout should remain interactive even when JS is slow to download.
Sign-Off and Production Release
Summarize each section's pass/fail, attach screenshots and the Screaming Frog and ZAP outputs, and call out any deferred issues with linked tickets. The CX team uses this report to prepare for support volume after the release.
Director of E-commerce or COO signs after reviewing the QA report. For checkout-touching changes also loop in the CX manager so support macros and Gorgias views are ready for any post-release tickets.
Check analytics in GA4 / Triple Whale to find the lowest-traffic hour for your audience — typically 2–5am store time. Avoid Friday afternoons. Freeze theme deploys outside Cyber 5 entirely; only critical hotfixes during BFCM week.
Place a real $0.01 order on production, verify Klaviyo events fire, and watch GA4 realtime for the next 30 minutes. If conversion rate or add-to-cart drops materially against rolling baseline, roll back the theme to the previous version.
