How We Score
BeaverCheck combines 100+ individual checks into a single composite grade. Here's exactly how it works.
Composite Score
Your overall A+–F grade is a weighted average of 8 scored categories. Each produces a 0–100 score, and the weighted average maps to a letter grade.
| Category | Weight | Rationale |
|---|---|---|
| Performance | 25% | Speed directly impacts user experience, SEO rankings, and conversion rates. |
| Security | 25% | Security vulnerabilities risk data breaches, compliance fines, and user trust. |
| Accessibility | 15% | Accessibility ensures your site works for everyone, including users with disabilities. |
| SEO | 10% | Search visibility drives organic traffic — the #1 acquisition channel for most sites. |
| Infrastructure | 10% | Hosting, DNS, and domain configuration are the foundation everything else runs on. |
| Compliance | 8% | GDPR/privacy compliance avoids legal risk and builds user trust. |
| Content | 5% | Content quality supports both SEO and user engagement. |
| Sustainability | 2% | Sustainability awareness is growing but not yet a business-critical metric. |
Technology, Availability, and Lighthouse tabs contribute to the above categories rather than being scored independently.
Grade Thresholds
Per-Category Scoring
Each category starts at 100 and deducts points based on finding severity. Critical findings deduct more than warnings.
Performance
25%: Lighthouse Performance, Core Web Vitals, CrUX real-user data, render-blocking resources, third-party payload.
Security
25%: SSL certificate, security headers, CSP, vulnerable libraries, security.txt, cookies.
Accessibility
15%: Lighthouse Accessibility, screenshot contrast, heading hierarchy, ARIA landmarks, alt text.
SEO
10%: Meta tags, structured data, Open Graph, hreflang, redirects, sitemap.
Infrastructure
10%: DNS resolution, domain registration, SSL chain, IPv6, hosting provider, green hosting.
Compliance
8%: Tracker detection, cookie/privacy policy, advertising consent, session replay.
Content
5%: Readability scoring, image optimization, link analysis, content quality.
Sustainability
2%: Page weight carbon estimation and green hosting verification.
Finding Severity System
Every check produces a finding with one of four severity levels.
Critical
Immediate action required. Broken functionality, security vulnerabilities, expired certificates. Deducts 15–25 points.
Warning
Should be fixed soon. Missing best practices, upcoming expiries. Deducts 5–10 points.
Informational
Worth knowing but not urgent. Optimization suggestions. Deducts 1–3 points.
Pass
Check passed successfully. No deduction.
Top Findings Algorithm
The executive summary shows the 5 most impactful findings across all tabs.
Each finding's priority is severityWeight × categoryWeight. A critical security finding ranks higher than a warning in content. Top 5 unique findings are shown.
score = severityWeight × categoryWeight
Critical = 4, Warning = 2, Info = 1
Top 5 findings = highest scored, deduplicated
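The ranking above, worked through in Go as an added example (not BeaverCheck's own code). The Finding struct, the finding IDs, and deduplication by ID are assumptions; the weights are the ones listed on this page.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is a hypothetical shape for one check result; the field names are assumptions.
type Finding struct{ ID, Category, Severity string }

// Category weights (percent) and severity weights as given on the page.
var categoryWeight = map[string]float64{
	"Performance": 25, "Security": 25, "Accessibility": 15, "SEO": 10,
	"Infrastructure": 10, "Compliance": 8, "Content": 5, "Sustainability": 2,
}
var severityWeight = map[string]float64{"critical": 4, "warning": 2, "info": 1}

func priority(f Finding) float64 { return severityWeight[f.Severity] * categoryWeight[f.Category] }

// TopFindings ranks by severityWeight × categoryWeight and keeps the first n unique IDs.
// Ties keep input order; passes (priority 0) never appear.
func TopFindings(all []Finding, n int) []Finding {
	ranked := append([]Finding(nil), all...) // copy so the caller's slice is not reordered
	sort.SliceStable(ranked, func(i, j int) bool { return priority(ranked[i]) > priority(ranked[j]) })
	seen := map[string]bool{}
	var top []Finding
	for _, f := range ranked {
		if len(top) == n || priority(f) == 0 {
			break // sorted descending, so everything after this is also out
		}
		if !seen[f.ID] { // the same finding reported by a second tab is skipped
			seen[f.ID] = true
			top = append(top, f)
		}
	}
	return top
}

// sampleFindings is constructed data: missing alt text is reported by two tabs.
func sampleFindings() []Finding {
	return []Finding{
		{"img-alt-missing", "Content", "warning"}, {"ssl-expired", "Security", "critical"},
		{"img-alt-missing", "Accessibility", "warning"}, {"domain-expiring", "Infrastructure", "warning"},
		{"no-ipv6", "Infrastructure", "info"}, {"no-csp", "Security", "critical"},
		{"hsts-present", "Security", "pass"}, {"not-green-hosted", "Sustainability", "warning"},
	}
}

func main() { fmt.Println(TopFindings(sampleFindings(), 5)) }
```

The duplicate alt-text finding is kept once, under the category that gives it the higher priority.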
Data Sources
BeaverCheck combines data from multiple open-source tools and public APIs.
Performance, accessibility, best practices, and SEO auditing via headless Chromium.
Real-user Chrome experience data (28-day P75 metrics).
1,000+ technology fingerprints from the enthec/webappanalyzer database.
Known JavaScript library vulnerabilities with CVE identifiers.
Green hosting verification — checks if the hosting provider uses renewable energy.
Domain registration data via the RDAP protocol (WHOIS fallback).
IP-to-ASN mapping for hosting provider identification.
Tab-by-Tab Breakdown
Each tab section below lists exactly what is checked, the thresholds for each severity level, how the score is calculated, and answers to common questions.
Performance
25%: Combines Lighthouse lab scores with CrUX real-user data, render-blocking detection, third-party payload analysis, and font loading audit.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| Lighthouse Performance Score | ≥ 90 | 50–89 | < 50 |
| Largest Contentful Paint (LCP) | ≤ 2.5s | 2.5–4.0s | > 4.0s |
| Interaction to Next Paint (INP) | ≤ 200ms | 200–500ms | > 500ms |
| Cumulative Layout Shift (CLS) | ≤ 0.1 | 0.1–0.25 | > 0.25 |
| Render-blocking resources | 0 blocking scripts in <head> | 1+ blocking scripts | — |
| Third-party payload | < 30% of page weight | > 50% of page weight | — |
How the Score is Calculated
Starts at the Lighthouse Performance score. CrUX pass/fail adjusts ±5 points. Render-blocking and font-loading warnings deduct 2–3 points each. Third-party > 50% deducts 5.
Data Sources
Lighthouse (headless Chromium), Chrome UX Report API (28-day P75), Performance Resource Timing API.
Common Questions
Why is my Lighthouse score different from PageSpeed Insights?
Lighthouse scores vary 3–5 points between runs due to network conditions. BeaverCheck runs from dedicated servers with different network paths than Google's infrastructure.
Why don't I have CrUX data?
CrUX requires sufficient Chrome traffic (typically several thousand monthly page views). New or low-traffic sites won't have CrUX data.
What does 'render-blocking' mean?
A render-blocking resource is a script or stylesheet in <head> that prevents the browser from rendering content until it's downloaded. Adding defer or async eliminates the blocking.
Security
25%: Analyzes SSL/TLS certificate health, security headers, CSP configuration, known JS library vulnerabilities, security.txt compliance, and cookie flags.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| SSL certificate expiry | > 30 days remaining | 14–30 days | < 14 days or expired |
| TLS version | TLS 1.3 | — | TLS 1.0 or 1.1 |
| Content Security Policy | CSP present, no unsafe-inline/eval | Uses unsafe-inline, unsafe-eval, or wildcards | No CSP header |
| Vulnerable JS libraries | No known CVEs | Medium-severity CVEs | High/critical CVEs |
| security.txt (RFC 9116) | Present with required fields | Missing required fields or expired | — |
| Security headers | X-Frame-Options, X-Content-Type-Options present | 1–2 headers missing | Most headers missing |
How the Score is Calculated
Starts at 100. SSL expired -20, no CSP -10, unsafe-inline -5, vulnerable libraries -10 per critical CVE, missing headers -3 each.
Data Sources
TLS certificate analysis, HTTP security headers (CSP, HSTS, etc.), CVE vulnerability matching, RFC 9116 (security.txt).
Common Questions
What's the difference between unsafe-inline and a nonce-based CSP?
unsafe-inline allows ANY inline script — including XSS payloads. A nonce-based CSP only allows scripts with a specific unpredictable token that changes every page load.
A library has a CVE but we don't use the vulnerable function. Is it still a risk?
The CVE is flagged because you might start using the vulnerable function later, and it signals maintenance debt. We recommend upgrading regardless.
Why does missing security.txt only deduct 1 point?
security.txt is a best practice for vulnerability disclosure, not a direct security control. Its absence doesn't make your site vulnerable.
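The CSP row of the table and the nonce question above, as an added Go example (not BeaverCheck's code): a per-response nonce policy next to a classifier that applies the table's three outcomes. Function names are assumptions, and treating any source containing `*` as a wildcard is an assumption about how the check defines one.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewNonce returns 128 bits of CSPRNG output, base64-encoded. Call it once per response.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // there is no safe fallback for a failed CSPRNG
	}
	return base64.StdEncoding.EncodeToString(b)
}

// NoncePolicy builds a policy under which only <script nonce="..."> tags carrying this nonce run.
func NoncePolicy(nonce string) string {
	return fmt.Sprintf("default-src 'self'; script-src 'nonce-%s'; object-src 'none'; base-uri 'none'", nonce)
}

// ClassifyCSP applies the table's CSP row: no header is critical; 'unsafe-inline',
// 'unsafe-eval' or a wildcard source in any directive is a warning; anything else passes.
func ClassifyCSP(policy string) string {
	if strings.TrimSpace(policy) == "" {
		return "critical"
	}
	for _, directive := range strings.Split(policy, ";") {
		tokens := strings.Fields(strings.ToLower(directive))
		if len(tokens) < 2 {
			continue // empty segment or a directive without sources
		}
		for _, src := range tokens[1:] { // tokens[0] is the directive name
			if src == "'unsafe-inline'" || src == "'unsafe-eval'" || strings.Contains(src, "*") {
				return "warning"
			}
		}
	}
	return "pass"
}

func main() {
	weak := "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.example.com" // constructed
	fmt.Println(ClassifyCSP(""), ClassifyCSP(weak), ClassifyCSP(NoncePolicy(NewNonce())))
}
```

The same nonce value must also be written into the `nonce` attribute of every script tag the page legitimately emits for that response.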
Accessibility
15%: Combines Lighthouse Accessibility score with screenshot-based contrast analysis, heading hierarchy validation, ARIA landmark detection, and alt text coverage.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| Lighthouse Accessibility Score | ≥ 90 | 70–89 | < 70 |
| Screenshot contrast (WCAG AA) | All elements pass 4.5:1 or 3:1 for large text | — | Any element below WCAG AA threshold |
| Heading hierarchy | Single H1, sequential order | Multiple H1 or skipped levels | No H1 found |
| ARIA landmarks | main, nav, header, footer present | Missing main or nav | — |
| Image alt text | All images have alt text | 1+ images missing alt | — |
How the Score is Calculated
Starts at Lighthouse Accessibility score. Each screenshot contrast failure deducts 3. Missing H1 deducts 5, skipped levels deduct 2 each. Missing main landmark deducts 3.
Data Sources
Lighthouse (accessibility audit), desktop screenshot pixel sampling (WCAG contrast), DOM walk (headings, landmarks, alt attributes).
Common Questions
How is screenshot contrast different from Lighthouse?
Lighthouse checks CSS computed colors. Our screenshot analysis samples actual rendered pixels, catching text over background images and gradients that CSS tools miss.
Why only top 20 text elements?
Lighthouse already checks all elements for CSS contrast. We target cases it misses (text over images), which disproportionately affect large, prominent elements.
SEO
10%: Checks meta tags, structured data with Google rich result validation, Open Graph tags, hreflang, redirect chains, and sitemap/robots.txt.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| Meta tags (title, description, canonical) | All present, appropriate length | Missing description or title too long | Missing title |
| Structured data (Schema.org) | All required fields present | Missing recommended fields | Missing required fields |
| Open Graph tags | og:title, og:description, og:image present | 1+ OG tags missing | — |
| Redirect variants | Consistent redirects | Inconsistent or chain > 2 hops | — |
| Sitemap & robots.txt | Both present and valid | Missing sitemap or robots.txt | — |
How the Score is Calculated
Starts at 100. Missing title -20, missing description -5, missing canonical -3. Schema missing required fields -5 per type. Missing OG tags -2 each.
Data Sources
DOM walk (meta tags, structured data, OG tags), HTTP HEAD requests (redirect variants), robots.txt and sitemap fetch.
Common Questions
What Schema.org types do you validate?
We validate 12 types against Google's rich result requirements: Product, Recipe, Article, NewsArticle, FAQPage, LocalBusiness, BreadcrumbList, Event, HowTo, VideoObject, Organization, WebSite.
Why do redirect variants matter?
If example.com and www.example.com both serve content instead of redirecting, search engines may split your page authority across multiple URLs.
Content
5%: Analyzes readability (Flesch-Kincaid, Gunning Fog), image optimization, link quality, and content depth.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| Readability (Flesch-Kincaid) | FK ≤ 8 and Flesch Ease ≥ 60 | FK 9–12 or Flesch Ease 30–59 | — |
| Image optimization | No oversized images, modern formats | Oversized images or all legacy formats | — |
| Image alt text | All images have alt | 1+ missing alt | — |
How the Score is Calculated
Starts at 100. High reading grade level (FK > 12) -5. Oversized images -2 each (max 10). Missing dimensions -2 each. All legacy formats -5.
Data Sources
DOM walk (images, links), readability algorithms (Flesch-Kincaid, Gunning Fog, Coleman-Liau).
Common Questions
What readability level should I aim for?
For general web content, aim for Flesch-Kincaid grade 6–8. This means clear, direct language — not dumbing down.
Infrastructure
10%: Checks DNS resolution speed, RDAP/WHOIS domain registration, ASN/hosting identification, IPv6, green hosting, and redirect variants.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| DNS resolution time | < 100ms | 100–200ms | > 200ms |
| Domain expiry | > 90 days | 30–90 days | < 30 days or expired |
| IPv6 | AAAA record available | — | — |
How the Score is Calculated
Starts at 100. Domain expired -25, expiring < 30 days -15, slow DNS -5. No IPv6 -2.
Data Sources
openrdap/rdap, likexian/whois, Team Cymru DNS (IP→ASN), Green Web Foundation API, Go net.Resolver.
Common Questions
What is RDAP?
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS. It returns structured JSON instead of unformatted text. We fall back to WHOIS for TLDs that don't support RDAP yet.
Technology
Detects 1,000+ technologies using BeaverCheck, groups them into a 7-layer stack diagram, and cross-references them with the NVD via CPE identifiers. This tab is informational and does not contribute to the composite score.
How the Score is Calculated
Informational only — no numeric score. Technologies with CPE identifiers link to the NVD. Vulnerable libraries are also flagged in the Security tab where they affect the score.
Data Sources
BeaverCheck detection engine (1,000+ technology fingerprints), CPE cross-referencing, custom detection rules.
Common Questions
Why does a technology show as 'detected by both'?
When multiple detection methods identify the same technology, we merge results: BeaverCheck merges version metadata with detection evidence.
Compliance
8%: Detects third-party trackers, checks for cookie and privacy policy presence, and flags trackers requiring GDPR consent.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| Third-party trackers | No trackers, or trackers with policies present | Trackers without policies, ad trackers, session replay | — |
How the Score is Calculated
Starts at 100. Trackers without cookie policy -10. Without privacy policy -10. Ad trackers -5 each (max 15). Session replay -5 each.
Data Sources
BeaverCheck category cross-reference (Analytics, Advertising, Tag Managers, Session Replay). Cookie/privacy policy detected via DOM walk.
Common Questions
How do you detect trackers?
BeaverCheck analyzes detected technologies and checks their categories. Technologies in Analytics, Advertising, Tag Managers, or Session Replay categories are classified as trackers.
Availability
Checks HTTP/3 support, HSTS policy, TLS version, response time, and redirect chains.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| HTTP/3 (QUIC) | Alt-Svc advertises h3 | — | — |
| HSTS | max-age ≥ 1 year, includeSubDomains | Short max-age or missing includeSubDomains | Missing HSTS header |
How the Score is Calculated
Starts at 100. Missing HSTS -10. Short max-age -5. No includeSubDomains -2. No HTTP/3 -2.
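The deductions above applied to actual header values, as an added Go example (not BeaverCheck's code). The function name is an assumption, as is the choice not to stack the max-age and includeSubDomains deductions on top of a missing header.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

const oneYear = 31536000 // seconds: the page's "max-age ≥ 1 year" threshold

// AvailabilityScore applies the page's HSTS and HTTP/3 deductions to response headers.
func AvailabilityScore(h http.Header) int {
	score := 100
	if sts := h.Get("Strict-Transport-Security"); sts == "" {
		score -= 10 // missing HSTS (assumption: the smaller HSTS deductions do not stack)
	} else {
		maxAge, subdomains := int64(0), false
		for _, d := range strings.Split(sts, ";") {
			name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
			switch strings.ToLower(strings.TrimSpace(name)) {
			case "max-age": // value may be quoted; an unparsable value counts as 0
				maxAge, _ = strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
			case "includesubdomains":
				subdomains = true
			}
		}
		if maxAge < oneYear {
			score -= 5 // short max-age
		}
		if !subdomains {
			score -= 2 // no includeSubDomains
		}
	}
	h3Penalty := 2 // removed if any Alt-Svc entry offers the final "h3" protocol id
	for _, entry := range strings.Split(strings.Join(h.Values("Alt-Svc"), ","), ",") {
		if proto, _, _ := strings.Cut(entry, "="); strings.TrimSpace(proto) == "h3" {
			h3Penalty = 0
		}
	}
	return score - h3Penalty
}

func main() { // constructed sample headers
	strong := http.Header{}
	strong.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
	strong.Set("Alt-Svc", `h3=":443"; ma=86400`)
	fmt.Println(AvailabilityScore(http.Header{}), AvailabilityScore(strong))
}
```

Directive names are matched case-insensitively, and draft identifiers such as `h3-29` are not counted as HTTP/3 support.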
Data Sources
HTTP response headers (Alt-Svc, Strict-Transport-Security), TLS handshake analysis (protocol version, cipher suite).
Sustainability
2%: Estimates carbon footprint per page load and checks green hosting status via the Green Web Foundation.
Checks & Thresholds
| Check | Pass | Warning | Critical |
|---|---|---|---|
| Carbon estimate | < 0.5g CO₂ per page view | 0.5–1.0g CO₂ | — |
| Green hosting | Verified green by GWF | — | — |
How the Score is Calculated
Starts at 100. High carbon (> 1g) -10. Not green hosted -5. Sustainability carries only 2% composite weight.
Data Sources
Page transfer size, carbon formula (0.81 kWh/GB), Green Web Foundation API.
Common Questions
How accurate is the carbon estimate?
It's a rough estimate based on transfer bytes and global grid carbon intensity. Treat it as directional, not precise.
Lighthouse
Shows raw Lighthouse scores for Performance, Accessibility, Best Practices, and SEO, plus Core Web Vitals. Feeds data into Performance and Accessibility tabs.
How the Score is Calculated
No independent score. Performance score feeds the Performance category. Accessibility score feeds the Accessibility category. BP and SEO shown for reference.
Data Sources
Google Lighthouse 12.x via headless Chromium. Mobile: Moto G Power emulation, 4G throttling. Desktop: default viewport, no throttling.
Common Questions
Why run both mobile and desktop?
Google uses mobile-first indexing, so mobile performance affects search rankings. But many users browse on desktop. Running both lets you compare and prioritize.