SP-API Migration Validator Run free scan

Migration assurance

Trust and verification status

This page distinguishes implementation checks from production sign-off. Local tests and a Cloudflare Quick Tunnel can prove the app is wired together, but they do not prove final security, accessibility, performance, uptime, webhook reliability or SEO behavior on the real production domain.

What is verified in implementation

These checks are visible in the app or covered by local regression tests, but they are not a substitute for black-box production verification.

Pending black-box verification

The items below must be checked from the deployed public origin before launch. They should not be marked pass from unit tests, local browser checks or a trycloudflare URL.

AreaCurrent statusRequired evidence
CSPPENDING_BLACK_BOXVerify from the final HTTPS production domain.
HSTSPENDING_BLACK_BOXVerify from the final HTTPS production domain.
X-Content-Type-OptionsPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Permissions-PolicyPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Referrer-PolicyPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Cookies and Set-Cookie attributesPENDING_BLACK_BOXVerify from the final HTTPS production domain.
API meta fieldsPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Demo unlock behaviorPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Billing feature flagsPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Source/report retention valuesPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Robots directivesPENDING_BLACK_BOXVerify from the final HTTPS production domain.
SitemapPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Canonical URLsPENDING_BLACK_BOXVerify from the final HTTPS production domain.
JSON-LDPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Upload flowPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Scan accuracy on representative fixturesPENDING_BLACK_BOXVerify from the final HTTPS production domain.
Error statesPENDING_BLACK_BOXVerify from the final HTTPS production domain.

Accessibility checks that remain manual

Automated tools help find issues, but W3C WAI notes that tools cannot determine full accessibility by themselves. Keyboard and screen-reader behavior require human review; RUM can measure field Core Web Vitals, errors, route timing and interaction latency, but it cannot prove NVDA/VoiceOver output, focus order or dialog focus traps.

AreaCurrent statusRequired evidence
Keyboard navigation and visible focus orderPENDING_MANUALManual keyboard QA with visible focus-order notes and dialog/focus-trap checks.
Screen-reader output with real assistive technologyPENDING_MANUALNVDA and/or VoiceOver manual QA; RUM cannot prove screen-reader output.
Responsive mobile UI across target devicesPENDING_MANUALReal-device/browser QA across target viewport and input combinations.
Lighthouse lab performance on production infrastructurePENDING_MANUALAutomated Lighthouse lab test from the production HTTPS origin.
Field Core Web Vitals from real-user monitoringPENDING_MANUALProduction RUM field data for LCP, CLS, INP and route/error timing.

Quick Tunnel is demo infrastructure only

The current trycloudflare tunnel is useful for local development and demo review. It must not be used as evidence for production operations, callbacks or SEO.

Do not conclude from Quick TunnelReason
Production uptimeRequires stable production infrastructure and the final domain.
Final latencyRequires stable production infrastructure and the final domain.
Load capacityRequires stable production infrastructure and the final domain.
Paddle webhook reliabilityRequires stable production infrastructure and the final domain.
Email link reliabilityRequires stable production infrastructure and the final domain.
SEO behavior on the real domainRequires stable production infrastructure and the final domain.

Production sign-off checklist

Frequently asked questions

Does passing automated accessibility checks prove accessibility?

No. Automated checks assist review; manual keyboard and screen-reader testing remains required.

Can the Cloudflare Quick Tunnel be used for Paddle webhooks or SEO validation?

No. Use it for development/demo only; production callbacks and SEO validation need a stable production domain.

Official sources

Treat production verification as a release gate

Use the final domain and real infrastructure before marking security, accessibility, SEO or performance as passed.

Recommended next action

Last reviewed: 2026-07-02.

Open the interactive scanner: /app#/production-readiness