How the audit works
We run every URL through the same checks. Here is what each one looks for, and why it matters.
Performance
We run Lighthouse twice, once on a throttled mobile profile and once on desktop, with the same defaults Google uses. Failing audits show up as individual findings you can click through.
SEO
We read your homepage the way a search engine does. Title, description, canonical, Open Graph, hreflang, JSON-LD schema. We pull robots.txt and your sitemap, then sanity-check both.
Accessibility
We test every audited page against WCAG 2.2 at level AA using the W3C's WCAG-EM evaluation methodology so the scope, sample and report are reproducible. The automated checks run through axe-core, which implements the W3C ACT Rules standard. WCAG 2.2 AA is also the conformance bar required by the EU's European Accessibility Act via the harmonized standard EN 301 549.
Security
Both http:// and https:// sites are accepted, and on every audit we check that the http:// version redirects properly to https://. We check the protective headers your browser uses to defend itself, the cookie attributes that stop session theft, and mixed-content slips, and we take a non-intrusive look at sixteen sensitive paths like /.git or /wp-admin. For password-protected sites (HTTP basic auth, Shopify password pages, Netlify password protection, Cloudflare Access, Vercel preview deployments), open Advanced options on the form and paste the password. WordPress maintenance pages and other "coming soon" plugins are detected but cannot be bypassed from outside; we flag them clearly so you know what you're seeing. We never try to exploit anything.
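A sketch of the passive redirect, header and cookie checks described above, as an added example that is not the audit's own code. The header list, the function names and the choice to hold every cookie to session-cookie rules are assumptions, and the sample responses are constructed.

```python
# Assumed header set; the page does not list which headers its audit checks.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "referrer-policy",
)

def parse_set_cookie(value):
    """Return (cookie_name, {lowercased attribute: value}) for one Set-Cookie."""
    first, *rest = value.split(";")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return first.split("=", 1)[0].strip(), attrs

def audit_response(scheme, status, headers):
    """headers is a list of (name, value) pairs, since Set-Cookie may repeat."""
    findings = []
    names = {n.lower() for n, _ in headers}
    location = next((v for n, v in headers if n.lower() == "location"), "")
    if scheme == "http":
        # The plain-HTTP origin should do nothing except redirect to HTTPS.
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("http: no redirect to https")
    else:
        for h in EXPECTED_HEADERS:
            if h not in names:
                findings.append(f"missing header: {h}")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        # Simplification: every cookie is treated as a session cookie.
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")):
            if attr not in attrs:
                findings.append(f"cookie {cookie}: no {label}")
    return findings

# Constructed sample responses (not captured from any real site).
HTTP_RESPONSE = ("http", 200, [("Content-Type", "text/html")])
HTTPS_RESPONSE = ("https", 200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Strict"),
])
```

Each finding is a plain string, so the same function can be run over both the http:// and https:// responses of a site and the results merged into one report.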
Hosting and infra
How fast your server responds (TTFB), what TLS version it speaks, whether you publish IPv6, whether you preload HSTS, and how long your redirect chain is. The honest plumbing layer most tools skip.
Tech stack
A Wappalyzer-compatible fingerprinter built on the open-source signature set (the community fork at github.com/tunetheweb/wappalyzer), plus our own end-of-life version data sourced from endoflife.date.
A focused fingerprinter that recognizes the building blocks: CMS, framework, server, JavaScript libraries, page builders, analytics, and modern setups like Jamstack and static site generators (Next.js, Astro, Eleventy, Hugo, Gatsby). Anything end-of-life, abandoned, or known-vulnerable gets flagged so you can plan a swap or a rebuild.
Visual
We take a screenshot of your homepage at four common viewport widths, extract the dominant color palette from the largest one, and count the distinct web font families. Useful for spotting layout mistakes and font sprawl.
Carbon
We estimate the grams of CO₂ your homepage emits per visit using the Sustainable Web Design v4 model (2024), computed via the Green Web Foundation's CO2.js library. v4 separates operational and embodied emissions across data centers, networks and user devices, and replaces the old binary green-host check with a sliding factor.
Severity scale
Every finding carries one of five labels. The four score rings on the report aggregate findings by severity so you see the headline number at a glance, with the detail one click away.
Privacy
Every report lives at a random unguessable URL. We do not log the IP of people who visit a report. We do not share reports with anyone. If you do not paste the link, nobody sees it.