Go-Live Assurance — Implementation Checklist
Part 1: Audit Fixes
CRITICAL
- [x] 1. Add security headers to
_headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- [x] 2. Fix CORS wildcard in
functions/api/forgescan/scan.ts — restrict to domainforge.co.uk
- [x] 3. Fix broken links in
blog/cornerstone.md + blogcta.njk default link
- [x] 4. Fix dead CTAs in forgemigrate-hero, forgeacademy-hero, lead-form, forgeacademy-curriculum
HIGH
- [x] 5. Remove console.log from
scripts.js
- [x] 6. Replace alert() with inline UI notifications in scripts.js, inboxguard, domainwatch
- [x] 7. Add
draft: true + permalink: false to blog/test_post.md
MEDIUM
- [x] 8. Add
robots.txt
- [x] 9. Fix www URLs in Schema.org markup (forgeacademy.md, forgemigrate.md)
Part 2: New Tests
- [x] 10.
tests/security-headers.test.mjs (6 tests)
- [x] 11.
tests/link-integrity.test.mjs (4 tests)
- [x] 12.
tests/build-output.test.mjs (6 tests)
- [x] 13.
tests/client-code-quality.test.mjs (4 tests)
- [x] 14.
tests/cors-and-endpoints.test.mjs (4 tests)
- [x] 15.
tests/seo-meta.test.mjs (5 tests)
Part 3: Verification
- [x] 16.
npm run ci:check — 51/51 tests passing, zero failures
Part 4: Full Sweep (Go-Live Readiness)
CRITICAL
- [x] 1. Fix ForgeScan checkout data flow — scan results now stored in KV with scanKey, passed through checkout to webhook
- [x] 2. Remove server-side console.log debug statements from all functions/api/ files
HIGH
- [x] 3. Fix PUBLIC_BASE_URL www inconsistency in wrangler.toml
- [x] 4. Fix trailing slash in fix/thanks.njk
- [x] 5. Fix www URLs in PDF templates
- [x] 6. Fix ForgeMigrate hero pricing to match pricing table (From £299)
MEDIUM
- [x] 7. Add custom 404 page
- [x] 8. Generate and add favicons from shield logo
- [x] 9. Move puppeteer and @react-pdf/renderer to devDependencies (removed — not used in Functions)
- [x] 10. Reduce JS/CSS cache from 1 year to 1 week (no content hashing)
NOTES
- [ ] DomainWatch requires an external scheduler (cron) before going live — not supported in Cloudflare Pages