Documentation
Auditor runs a privacy-first audit engine with 230+ checks across 11 categories. Here’s how each surface behaves, and what you can honestly expect.
How audits run
Everything happens in-process. The engine fetches the target URL, parses the HTML with ksoup, and runs a sequence of static checks across SEO, Security, Best Practices, PWA, Accessibility (static subset), Content, Internationalization, and Social categories. On native apps, a RenderHarness (Android WebView, iOS WKWebView, desktop embedded Chromium) additionally loads the page, injects axe-core and web-vitals, and merges the rendered-mode findings into the same report.
Category breakdown
Performance
Core Web Vitals (LCP/INP/CLS/FCP/TTFB) on native apps; TTFB, compression, image formats, font-display, resource hints on all surfaces.
35 checks (8 WASM · 27 native)
SEO
Title, description, canonical, hreflang, sitemap.xml, robots.txt, JSON-LD schema, heading hierarchy, duplicates across crawl.
30 checks (28 WASM)
Accessibility
Static alt/lang/labels + full axe-core 4.10 rule set on native apps. Every finding labelled auto-detectable vs needs-manual-review.
40 checks (7 WASM · 33 native)
Best Practices
DOCTYPE, charset, duplicate IDs, rel=noopener, mixed content, eval usage, third-party script count/weight.
20 checks (14 WASM)
Security
HTTPS, HSTS, CSP, cookie flags, SRI, Permissions-Policy, vulnerable JS libraries (Retire.js signatures). TLS cert chain on native.
35 checks (25 WASM · 10 native)
Social / Rich Results
OpenGraph required tags, Twitter card, schema.org Article/Product/LocalBusiness/FAQ.
12 checks (all WASM)
Content Quality
Image alt + dimensions, redirect chains, broken links across crawl, responsive srcset, vague link text.
18 checks (14 WASM)
Internationalization
Valid BCP 47 lang, dir=rtl for RTL languages, hreflang reciprocity, UTF-8.
8 checks
PWA
Manifest linked, theme-color, apple-touch-icon, viewport with device-width.
15 checks
Discoverability
robots.txt, sitemap.xml, /.well-known/security.txt, favicon, /.well-known/change-password.
7 checks
DNS (opt-in)
SPF, DMARC, DKIM via Cloudflare DoH — email deliverability hygiene for domains you own.
6 checks
What runs where
| Capability | Web | Desktop | Mobile |
|---|---|---|---|
| Fetch arbitrary URL HTML | CORS-bound · paste-HTML fallback | ✓ full | ✓ full |
| Static SEO / headers / schema | ✓ | ✓ | ✓ |
| Vulnerable libraries (Retire.js) | ~ partial (inline scripts) | ✓ | ✓ |
| LCP / INP / CLS / FCP / TTFB | ✗ | ✓ (embedded engine) | ✓ (WebView) |
| axe-core full rule set | ~ static subset | ✓ | ✓ |
| Simulated mobile throttling | ✗ | ✓ (CDP · Slow 4G) | Real-device unthrottled |
| PDF export | Save-as-PDF via browser | ✓ (PDFBox) | ✓ (native PDF APIs) |
| TLS certificate inspection | ✗ | ✓ | ~ via native SSL APIs |
Why we’re honest about limits
Deque’s own telemetry says axe-core detects about 57% of WCAG issues automatically. Every competitor buries this. We surface it: each Finding in the Accessibility category is tagged Auto-detected or Needs manual review, and our report includes a manual-review checklist to cover the other 43%.
Lighthouse scores also famously vary between runs (CPU, cache, extensions). We render three runs and show the distribution band on the score gauge so you never rely on a single magic number.
Privacy promise
Verify yourself with Little Snitch / Proxyman / Wireshark. The only network traffic generated by the auditor is: (1) the target URL you entered, plus its robots.txt and sitemap.xml, and (2) an optional monthly refresh of the Retire.js vulnerability signatures — which you can disable in Settings.