Website Launch Checklist

Run Screaming Frog or Sitebulb against the staging URL with auth credentials. Filter for 4xx and 5xx responses, redirect chains over 2 hops, and any links still pointing at staging or dev domains. Export the list and assign fixes to the developer.

Use BrowserStack or real devices — emulators miss Apple Pay sheet behavior and iOS keyboard issues. Run a full add-to-cart through order-confirmation flow on each. Mobile Safari accounts for the largest share of DTC traffic; a broken CSS rule there tanks conversion overnight.

Log each defect with browser, OS, device, repro steps, and screenshots. Tag P0 anything that blocks add-to-cart or checkout; tag P1 visual regressions above the fold. Hold launch until P0s are resolved.

Run SSL Labs against the production domain and the www / apex variants. Confirm A or A+ rating, no mixed-content warnings, and that HTTP redirects 301 to HTTPS site-wide. Mixed-content warnings on checkout suppress the Buy button on Safari.

Test mobile Lighthouse scores on the homepage, top product detail page, and checkout. Target LCP under 2.5s, INP under 200ms, CLS under 0.1. Hero image weight and third-party scripts (chat widgets, review widgets) are the usual culprits.

Spot-check 100% of SKUs for the top category and a sample of the long tail. Confirm hero images are under 200KB, alt text is populated, prices match the PIM / ERP, and inventory is synced. Missing alt text is the most common accessibility lawsuit trigger for DTC brands.

Verify canonicals on PDPs point to themselves, not to a /collection/ variant. Submit sitemap.xml in Google Search Console and Bing Webmaster Tools. Check robots.txt does NOT block production — the most common launch-day disaster is shipping a staging robots.txt that disallows everything.

Wire view_item, add_to_cart, begin_checkout, and purchase events. Validate with GA4 DebugView and Meta Pixel Helper. Confirm Conversions API server-side fires alongside the browser pixel — iOS 14.5+ ATT means browser-only pixel undercounts conversions by 30-50%.

Trigger a real signup and a real cart abandonment from a clean test profile. Confirm the welcome series sends, the abandoned-cart sequence fires at the configured delay, and the abandonment email checks current cart state before sending. Race conditions where the email sends after the order completed are a common annoyance.

Use a real card (refund afterward) — Shopify Bogus Gateway misses real payment-failure paths. Confirm the order lands in the OMS, the 3PL receives it, the confirmation email sends with correct totals and tax, and the customer profile is created in Klaviyo. Refund the test order before launch.

Apply launch-day promo codes (WELCOME10, LAUNCH20, etc.) and confirm stacking rules behave as configured. Test a gift-card purchase and redemption end-to-end. Misconfigured stacking that lets customers chain three discount codes has cost DTC brands six figures on launch days.

Run test orders to addresses in CA, NY, TX, and any state where you've registered for nexus. Confirm Avalara / TaxJar / Anrok returns rates that match your registrations. Charging tax in states you're not registered in is a different problem than not charging where you are — both need fixing pre-launch.

Use Termly, Iubenda, or counsel-drafted policies. Cover GDPR, CCPA/CPRA, and the named subprocessors (Klaviyo, Shopify, Stripe, Gorgias, Yotpo). Link from the footer on every page including checkout. Out-of-date subprocessor lists are a routine GDPR audit finding.

OneTrust, Cookiebot, or Shopify's built-in CMP. Confirm Meta Pixel and GA4 do not fire before consent for EU/UK visitors. Enable the 'Do Not Sell or Share' link for California traffic and recognize Global Privacy Control (GPC) signals. CPRA enforcement specifically targets sites that ignore GPC.

Shopify Payments, Stripe, and PayPal handle SAQ A scope when integrated correctly. Confirm no card data touches your servers — any custom checkout that posts card fields to your domain bumps you to SAQ A-EP or D. Document the SAQ level in a compliance file.

Run Detectify, Intruder, or Mozilla Observatory against the production domain. Address any high-severity finding before launch. Disable directory listing, kill any exposed staging URLs, and confirm /admin and /wp-admin paths return 404 if they shouldn't exist.

Patch each high-severity finding, deploy the fix, and re-run the scan to confirm the remediation. Document residual risk for any finding that cannot be fixed before launch and get explicit sign-off from the founder or COO.

Build the campaign against the full subscriber list, segment by engagement (engaged 90 days vs. dormant), and set send time to the highest-engagement window per Klaviyo Smart Send Time. Send a final preview to the team distribution list before scheduling.

Confirm the agency or in-house PPC manager has launch creative loaded, daily budgets uplifted for week one, and ROAS / CPA targets set against the launch promo. Pacvue, Perpetua, or manual dayparting prevents budget exhaustion by 10am on launch day.

Update A / CNAME records at the registrar. Verify with dig and whatsmydns.net across multiple geographies. Lower TTL to 300s 24 hours before the cutover to make rollback fast if needed.

Place a real order on the live site, confirm the Klaviyo welcome flow fires, confirm GA4 and Meta Pixel record the purchase, and confirm the order routes to the 3PL. This is the last chance to catch a config that worked on staging but breaks on production.

Load Gorgias / Zendesk macros for the top 5 expected questions: shipping ETA, promo code issues, sizing, return policy, order changes. Staff CX coverage above baseline for the first 72 hours; launch ticket volume routinely runs 3-5x normal.