Scanners

WCAG 2.2 AA compliance audit. Checks alt text, contrast ratios, ARIA attributes, keyboard navigation, heading hierarchy, and form labels using axe-core.

• WCAG 2.2 AA compliance
• axe-core powered
• ARIA & keyboard navigation

UX state completeness audit. Verify your app handles 404, 500, empty states, and loading states with appropriate UI feedback.

• 404 / 500 / empty states
• Loading state coverage
• Error boundary checks

Color-blindness simulation across protanopia, deuteranopia, and tritanopia. Validates text contrast, icon labeling, and color-only cues.

• Protanopia / deuteranopia / tritanopia
• Color-only cue detection
• Contrast ratio validation

Screen-reader reading order simulation beyond axe-core. Validates DOM order, live region announcements, and interactive element focus flow.

• DOM reading order
• Live region announcements
• Focus flow validation

Animation and reduced-motion compliance. Check for prefers-reduced-motion support, excessive motion, and GPU-composited animation usage.

• prefers-reduced-motion support
• GPU-composited animations
• Excessive motion detection

Simulate touch gestures and validate behavior on mobile viewports. Check swipe, pinch-to-zoom, and scroll event handling.

• Swipe & pinch-to-zoom
• Mobile viewport behavior
• Scroll event handling

Validate touch target sizes across all interactive elements. Flags any tap targets smaller than the 48×48px accessibility minimum.

• 48×48px tap target enforcement
• Interactive element sizing
• Spacing between targets

Test landscape/portrait orientation transitions and safe area insets for iPhone notch, Dynamic Island, and Android chin.

• Landscape / portrait transitions
• Safe area insets
• Dynamic Island & notch support

Core Web Vitals (LCP, CLS, INP), performance score, and page load metrics. Know if your site feels fast to real users on real devices.

• Core Web Vitals (LCP, CLS, INP)
• Lighthouse performance score
• Real-device simulation

Enforce LCP/CLS/INP/FID performance budgets. Fail the build when Core Web Vitals exceed configured thresholds.

• LCP / CLS / INP / FID budgets
• CI gate integration
• Regression alerting

Audit page weight, third-party asset weight, and render-blocking resources. Identify oversized images, undeferred scripts, and slow third-party calls.

• Page weight & third-party weight
• Render-blocking resources
• Undeferred scripts

Analyze JavaScript bundle sizes and enforce size budgets. Detect unnecessary code splitting opportunities and unused module exports.

• JS bundle size analysis
• Code-splitting opportunities
• Unused module detection

Measure Time-to-First-Byte from multiple geographic regions (US East, US West, EU, APAC). Surface regional performance regressions.

• Multi-region TTFB measurement
• US East / West / EU / APAC
• Regional regression detection

Simulate 3G and 4G network conditions. Validate that your site remains usable and passes Core Web Vitals targets on constrained connections.

• 3G / 4G network simulation
• Core Web Vitals under throttle
• Constrained connection UX

Detect JavaScript memory leaks over extended browser sessions. Profiles heap snapshots over repeated navigation cycles.

• Heap snapshot profiling
• Extended session simulation
• Repeated navigation cycles

Full Lighthouse audit optimized for mobile simulation — Moto G4 emulation, 4G throttling, and mobile-specific performance benchmarks.

• Moto G4 emulation
• 4G throttling
• Mobile-specific benchmarks

Image optimization, font loading, and lazy-loading audit. Surface uncompressed images, render-blocking fonts, and missing lazy-load attributes.

• Image compression audit
• Font render-blocking
• Lazy-load coverage

Meta tags, Open Graph, Twitter Cards, structured data, canonical URLs, heading hierarchy, robots.txt, sitemap, and image alt coverage.

• Meta tags & Open Graph
• Structured data & canonical
• robots.txt & sitemap

Audit every form on the page: label associations, required attributes, autocomplete hints, CSRF protection, submit buttons, and placeholder-as-label patterns.

• Label associations
• CSRF protection
• Autocomplete & required attrs

Crawl for dead links, missing images, broken scripts, and mixed HTTP/HTTPS content. Find the 404s before your users do.

• Dead links & 404s
• Missing images & scripts
• Mixed content issues

WordPress, Drupal, and CMS health check. Detect outdated core versions, vulnerable plugins, and exposed admin endpoints.

• WordPress / Drupal health
• Outdated plugins & themes
• Exposed admin endpoints

Identify frameworks, libraries, and server technologies in use. Cross-reference versions against known issues.

• Framework & library detection
• CVE cross-referencing
• Outdated dependency flags

• XSS & SQL injection
• OWASP Top 10 vulnerabilities
• Insecure configurations

HTTP header best practices: Content-Security-Policy, HSTS, X-Frame-Options, Permissions-Policy, Referrer-Policy, and more.

• CSP & X-Frame-Options
• HSTS & Referrer-Policy
• Permissions-Policy

• OWASP ZAP active probing
• Injection & auth bypass
• Misconfiguration detection

Deep Content Security Policy audit. Parses and grades your CSP header: detects unsafe-inline, unsafe-eval, wildcard hosts, missing directives, and report-uri configuration.

• CSP header grading
• unsafe-inline / unsafe-eval detection
• report-uri configuration

CORS configuration audit. Detects permissive `Access-Control-Allow-Origin: *`, missing `Vary: Origin`, credentials with wildcard, and pre-flight misconfiguration that enables cross-origin data theft.

• Wildcard origin detection
• Credentials + wildcard check
• Pre-flight misconfiguration

Privacy and data exposure scan. Detects PII leakage in responses, third-party tracker loading, exposed API keys and tokens in JS, and GDPR/CCPA consent flow gaps.

• PII leakage detection
• Third-party tracker audit
• Exposed API keys in JS

Cookie compliance for GDPR/CCPA. Detect tracking cookies set before consent, missing Secure/HttpOnly flags, and third-party scripts loading without opt-in.

• Pre-consent tracking cookies
• Missing Secure & HttpOnly flags
• Third-party script audit

Check loaded JavaScript libraries for known vulnerabilities, outdated versions, and exposed package manifests.

• Known vulnerable JS libraries
• Outdated npm dependencies
• Client-side risk scoring

REST and GraphQL endpoint quality: authentication checks, rate limiting, data exposure, and error handling patterns.

• Broken authentication
• Rate limiting issues
• Excessive data exposure

GraphQL schema validation and security audit. Detects introspection exposure, field-level authorization gaps, nested query DoS vectors, and broken object-level access control.

• Introspection exposure
• Nested query DoS vectors
• Field-level auth gaps

OpenAPI 3.x / Swagger spec compliance and live API fuzz testing. Validates that live responses conform to the declared schema — surfaces undocumented fields and broken contracts.

• OpenAPI 3.x spec compliance
• Live API fuzz testing
• Undocumented field detection

OpenAPI contract testing. Validates that your live API responses match the schema defined in your OpenAPI spec.

• OpenAPI contract validation
• Response schema conformance
• Breaking change detection

Synthetic transaction monitoring. Multi-step user flows (login → checkout → confirm) run on a schedule to verify critical paths are working.

• Multi-step user flows
• Login → checkout → confirm
• Scheduled critical-path checks

Cross-browser validation using Firefox headless. Catch rendering differences, layout shifts, and behavior inconsistencies specific to the Gecko engine.

• Gecko engine rendering
• Layout shift detection
• JS behavior inconsistencies

Cross-browser validation using WebKit/Safari headless. Essential for catching Safari-specific CSS and JS quirks before users report them.

• Safari-specific CSS quirks
• WebKit JS bugs
• Cross-browser validation

PWA audit: service worker registration, offline mode support, install flow, push notifications, and manifest validity.

• Service worker registration
• Offline mode support
• Manifest & install flow

Continuous availability monitoring with alerting. Track response time, status codes, SSL expiry, and keyword presence.

• 1-minute global pings
• Keyword + status-code checks
• SSL / cert expiry alerts

CDN & cache header analysis. Inspects Cache-Control, Vary, ETag, CDN provider detection, and cache-busting correctness.

• Cache-Control & Vary headers
• CDN provider detection
• Cache-busting correctness