Just a list of things I had at the top of my mind. There may be a few I missed, and a few more obscure ones, but these should cover the majority of the most important best practices.
- Maintainability and time-to-market
  - Modular architecture
    - MVVM
    - IoC/DI
    - S.O.L.I.D.
    - ORM for data access (NHibernate, Entity Framework)
    - SOA only for Ajax and for true business services (not for plain vanilla data access)
    - Command/Query separation aka PRG: post-redirect-get
    - Needless to say, keep most classes free from references to ASP.NET objects
  - Automated progression and regression testing
    - Automated compilation and test execution on schedule or on check-in
    - Unit tests (anything except MSTest, e.g. MbUnit)
    - Code coverage measurement, with a "code coverage never goes down" policy
    - UI tests (Selenium + Robot Framework)
  - Automated deployment
    - One-click deployment from the get-go; no manual, error-prone steps
    - WiX- or MSDeploy-based deployment
    - Automated post-deployment testing
    - Strive for transparent no-downtime deployment
      - Ensure that deployment does not interrupt users currently using the site
      - Precompile code to prevent compilation slowdown
  - Coding practices
    - No VB.NET, only C#
    - FxCop, NDepend to monitor coding standards
    - Most importantly: no huge pages, no long methods, no monster classes
  - Best-of-breed tools and technology for increased development productivity
    - ASP.NET MVC, no WebForms
    - ReSharper
    - LESS CSS
    - CSS layout frameworks
    - jQuery
    - YUI or another GUI component library
- Performance/Scalability
  - Defined performance requirements: throughput (requests/sec), response time (page load time, time to complete basic operations), peak capacity (simultaneous users, not necessarily clicking at the same time), etc.
  - Automated measurement of load and performance metrics (record Windows PerfMon counters and make them available on a website)
  - Caching (at ORM level, at view model level (memcached?), at page level (native IIS caching))
  - Enable gzip/deflate compression for both static and dynamic content
  - Async ASP.NET pages for long-running requests
  - Distributed in-memory session provider (not DB-based)
  - Auto-minify JavaScript and stylesheets
  - Make sure pages are compiled in release mode
  - Disable tracing
  - Avoid LINQ when working with large data sets
  - Use ORM profiling to ensure minimum interaction with the RDBMS
  - Validate pages using YSlow and implement basic optimizations (JavaScript at the bottom, CSS in the HEAD, etc.)
  - Implement load balancing using a web farm
  - Improve perceived performance by implementing a job queue system for long-running operations (reports, etc.)
  - Minimize use of ViewState
  - Validate controls on the client side
  - Use the [Conditional] attribute for debug logging
  - Never return an unlimited dataset
- Uptime & problem management
  - Defined SLA
    - Required uptime window
    - Maintenance (designated downtime) window
  - Automated measurement of uptime metrics
    - % uptime against defined SLA
    - Mean time between failures
    - Time to recover operations
  - Problem detection
    - Automated health monitoring (aka pinging, live smoke-testing)
      - Using Selenium / Robot Framework
    - Error reporting
      - Use Elmah to report unexpected exceptions
  - Troubleshootability
    - Logging using log4net
    - Install the Failed Request Tracing module and know how to use it
  - Failproof system
    - Analyze and avoid single points of failure
    - Implement failover clustering
- Usability and user experience
  - Multi-browser support
    - Test functionality in multiple browsers
    - Use a reset style sheet
    - Use frameworks that isolate from browser differences (jQuery, CSS layout frameworks, component libraries)
  - Back-button support and Refresh-button tolerance
    - Back-friendly URLs (using MVC route maps)
    - Command/query separation
  - Simplify complaints / feedback
    - Implement user-friendly error messages
- Security
  - HTTPS with a real certificate (not self-signed)
  - License an automated software suite to test against SQL injection, XSS, XSRF, session hijacking, etc.
  - Use an off-the-shelf authentication / authorization system; never design your own
  - Hire a hacker once a year
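Several of the items above are concrete enough to show in code. The following ASP.NET MVC 5 controller and repository are an added example written for this post, not code from the original author: they put Command/Query separation as Post-Redirect-Get, the off-the-shelf `[Authorize]`/`[RequireHttps]`/`[ValidateAntiForgeryToken]` protections from the Security section, the `[Conditional]` debug-logging item and the "never return an unlimited dataset" item into one working unit. The `Comment` model, `CommentModel`, `CommentRepository`, the view names and the page-size cap of 100 are all assumptions chosen for the example.

```csharp
// Added example, not from the original post: an ASP.NET MVC 5 controller plus a
// small repository illustrating PRG, built-in auth/XSRF/TLS attributes, bounded
// result sets and compiled-away debug logging. Model, repository, view names and
// the page-size cap are hypothetical.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Diagnostics;
using System.Linq;
using System.Web.Mvc;

public class Comment
{
    public int Id { get; set; }
    public string Author { get; set; }
    public string Text { get; set; }
}

public class CommentModel
{
    // Server-side rules; client-side validation mirrors them for UX only.
    [Required, StringLength(2000)]
    public string Text { get; set; }
}

public class PagedResult<T>
{
    public IList<T> Items { get; set; }
    public int Page { get; set; }
    public int PageSize { get; set; }
    public int TotalCount { get; set; }
}

public class CommentRepository
{
    private const int MaxPageSize = 100;   // hard cap: callers may ask for fewer rows, never more
    private readonly List<Comment> _store; // an ORM-backed table in a real app; in-memory here

    public CommentRepository(List<Comment> store) { _store = store; }

    // "Never return an unlimited dataset": page and page size are always bounded,
    // whatever the caller passes in the query string.
    public PagedResult<Comment> GetPage(int page, int pageSize)
    {
        page = Math.Max(1, page);
        pageSize = Math.Max(1, Math.Min(pageSize, MaxPageSize));
        DebugLog("GetPage page={0} pageSize={1}", page, pageSize);

        // A stable order is required for Skip/Take to page deterministically.
        var ordered = _store.AsQueryable().OrderByDescending(c => c.Id);
        return new PagedResult<Comment>
        {
            Items = ordered.Skip((page - 1) * pageSize).Take(pageSize).ToList(),
            Page = page,
            PageSize = pageSize,
            TotalCount = ordered.Count()
        };
    }

    public void Add(string author, string text)
    {
        _store.Add(new Comment { Id = _store.Count + 1, Author = author, Text = text });
    }

    // Calls to a [Conditional("DEBUG")] method, including evaluation of their
    // arguments, are dropped by the compiler when DEBUG is not defined, so a
    // release-mode build pays nothing for debug logging.
    [Conditional("DEBUG")]
    private static void DebugLog(string format, params object[] args)
    {
        Debug.WriteLine(format, args);
    }
}

[Authorize]      // off-the-shelf authorization: only authenticated users reach any action
[RequireHttps]   // every action is served over TLS
public class CommentsController : Controller
{
    private readonly CommentRepository _repo;

    // Supplied by the IoC container in a real app (IoC/DI item above).
    public CommentsController(CommentRepository repo) { _repo = repo; }

    // Query side: GET is idempotent, safe to refresh or bookmark, and its
    // result set is bounded by the repository.
    [HttpGet]
    public ActionResult Index(int page = 1, int pageSize = 20)
    {
        return View(_repo.GetPage(page, pageSize));
    }

    [HttpGet]
    public ActionResult Create()
    {
        return View(new CommentModel());
    }

    // Command side: the POST mutates state, then redirects (Post-Redirect-Get)
    // so a browser Refresh re-issues a GET instead of resubmitting the form.
    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects cross-site posts (XSRF) lacking the token from @Html.AntiForgeryToken()
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);  // nothing changed, so re-render with errors; no redirect needed
        }
        _repo.Add(User.Identity.Name, model.Text);
        return RedirectToAction("Index");
    }
}
```

The matching Razor form must call `@Html.AntiForgeryToken()` inside the `<form>` for the `[ValidateAntiForgeryToken]` check to pass; Razor HTML-encodes `@Model` output by default, which is the XSS half of the same item. For the session-hijacking item, the usual complement in web.config is `<httpCookies requireSSL="true" httpOnlyCookies="true" />`, so the authentication cookie is neither sent over plain HTTP nor readable from script.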
