Scan Profiles
AppVet runs 84 checks across 9 profiles in 5 scan types. Each scan type costs 1 credit regardless of the number of checks. Security, Performance, Accessibility, and SEO are available to everyone; Quality is available to signed-in users.
Security (1 credit)
Scans for vulnerabilities, misconfigurations, and sensitive data exposure. 27 checks across 3 profiles.
Headers & TLS Config
| Check | What it tests |
|---|---|
| HSTS | Forces HTTPS-only connections — prevents protocol downgrade attacks |
| CSP | Controls which scripts can run — primary defense against XSS injection |
| X-Frame-Options | Prevents your site from being embedded in malicious iframes (clickjacking) |
| X-Content-Type-Options | Stops browsers from guessing file types — prevents MIME-sniffing attacks |
| Referrer-Policy | Controls what URL data is leaked to third-party sites when users click links |
| Permissions-Policy | Blocks third-party scripts from accessing camera, microphone, geolocation |
| Server Disclosure | Exposed server version helps attackers target known vulnerabilities |
| HTTPS Redirect | HTTP traffic should redirect to HTTPS — otherwise data is sent in plain text |
| Cookie HttpOnly | Prevents JavaScript from reading cookies — blocks XSS session theft |
| Cookie Secure | Ensures cookies are only sent over HTTPS — prevents network interception |
| Cookie SameSite | Prevents cookies from being sent with cross-site requests — blocks CSRF attacks |
| CORS Configuration | Misconfigured CORS can let any website read your API responses |
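The following is an added example (not AppVet's own code) of how the header and cookie checks in the table above can be evaluated offline against a constructed set of response headers; header names, the `SAMPLE_HEADERS` fixture and the finding strings are all assumptions of this example.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

# Headers the table above expects, keyed by their lower-cased name.
REQUIRED = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "referrer-policy": "Referrer-Policy",
    "permissions-policy": "Permissions-Policy",
}

def cookie_findings(set_cookie):
    """Flag a Set-Cookie value that lacks HttpOnly, Secure or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; value (if any) is irrelevant here.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} lacks {flag}"
            for flag in ("HttpOnly", "Secure", "SameSite")
            if flag.lower() not in attrs]

def audit_headers(headers):
    """Return findings for missing required headers, server version
    disclosure and weak cookie flags; an empty list means every check passed."""
    findings = []
    present = {name.lower() for name, _ in headers}
    findings += [f"missing {label}" for key, label in REQUIRED.items()
                 if key not in present]
    for name, value in headers:
        lname = name.lower()
        # A Server header containing a digit is disclosing a version number.
        if lname == "server" and re.search(r"\d", value):
            findings.append(f"Server header discloses version: {value}")
        elif lname == "set-cookie":
            findings += cookie_findings(value)
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FAIL:", finding)
```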
Sensitive File Exposure
| Check | What it tests |
|---|---|
| .env Exposure | Environment files contain database credentials and API keys — must not be public |
| .git Config Exposure | Exposed Git config lets attackers discover repo structure and remote URLs |
| .git HEAD Exposure | Confirms the entire .git directory may be downloadable — full source code leak |
| WordPress Admin | Publicly accessible wp-admin is a common brute force target |
| Admin Panel Exposure | Publicly accessible admin panels are prime targets for brute force attacks |
| .DS_Store Exposure | macOS .DS_Store files reveal directory structure and file names |
| Server Status Page | Apache server-status reveals active connections, request URLs, and client IPs |
| Directory Listing | Reveals your file structure to attackers — shows what to target |
| robots.txt Analysis | Disallow entries can inadvertently reveal sensitive paths to attackers |
| security.txt Check | security.txt enables responsible disclosure — good practice for vulnerability reports |
Client-Side Security
| Check | What it tests |
|---|---|
| Vulnerable JS Libraries | Outdated JavaScript libraries with known CVEs can be exploited remotely |
| Missing SRI | Without Subresource Integrity, compromised CDNs can inject malicious scripts |
| Mixed Content | Loading HTTP resources on HTTPS pages weakens encryption and triggers browser warnings |
| Insecure Form Actions | Forms submitting to HTTP endpoints expose user data in transit |
| Deprecated APIs | Deprecated browser APIs may be removed — breaking functionality without warning |
Performance (1 credit)
Measures load speed, Core Web Vitals, and asset optimization. 26 checks across 2 profiles.
Core Web Vitals & Page Load
| Check | What it tests |
|---|---|
| Largest Contentful Paint (LCP) | How fast the main content loads — Google ranking factor, target <= 2.5s |
| Cumulative Layout Shift (CLS) | How much the page jumps around while loading — Google ranking factor, target <= 0.1 |
| Total Blocking Time (TBT) | How long the page is frozen and unresponsive — target <= 200ms |
| First Contentful Paint (FCP) | Time until the first text or image appears — target <= 1.8s |
| Speed Index | How quickly content is visually populated — lower is better |
| Time to Interactive (TTI) | When the page becomes fully interactive — target <= 3.8s |
| Time to First Byte (TTFB) | Server response time — slow TTFB delays everything else |
| Redirects | Each redirect adds 100-500ms of latency — minimize redirect chains |
| Render-Blocking Resources | CSS/JS that blocks page rendering — defer or inline critical resources |
| Unused JavaScript | JavaScript that's downloaded but never executed — wastes bandwidth |
| Unused CSS | CSS rules that don't match any element — increases parse time |
| Image Optimization | Unoptimized images are the #1 cause of slow page loads |
| Text Compression | Gzip/Brotli compression can reduce transfer size by 70-90% |
| Minified JS/CSS | Unminified code wastes bytes — minification is free performance |
| Modern Image Formats | WebP/AVIF are 25-50% smaller than JPEG/PNG with same quality |
| Efficient Animated Content | Animated GIFs are huge — use video formats for 80%+ size reduction |
| Third-Party Script Impact | Third-party scripts (analytics, ads, widgets) can dominate load time |
| Third-Party Facades | Lazy-load third-party embeds (YouTube, maps) until user interacts |
| JS Execution Time | Heavy JavaScript execution blocks the main thread — keep it under 3.5s |
| Main Thread Work | Total main thread activity — parsing, compiling, painting. Keep under 4s |
Asset Optimization
| Check | What it tests |
|---|---|
| Total Page Weight | Total bytes downloaded — lighter pages load faster on all networks |
| Cache Policy | Long cache TTLs prevent re-downloading unchanged assets |
| Offscreen Images | Images below the fold should lazy-load — don't waste bandwidth on hidden content |
| Font Display | font-display: swap prevents invisible text while custom fonts load |
| Preload Key Requests | Preloading critical resources starts downloads earlier |
| Preconnect to Origins | Early DNS/TLS handshakes to third-party origins save 100-300ms |
Accessibility (1 credit)
Tests against WCAG 2.1/2.2 success criteria for automated compliance. 12 checks in 1 profile.
WCAG 2.1/2.2 Automated Compliance
| Check | What it tests |
|---|---|
| Non-text Content (alt text) | Screen readers can't describe images without alt text — 1 billion+ people with disabilities rely on this |
| Info & Relationships (semantic structure) | Proper HTML structure lets assistive technology understand page layout |
| Use of Color | Information conveyed only by color is invisible to colorblind users (8% of men) |
| Contrast Minimum (4.5:1 ratio) | Low contrast text is unreadable for users with low vision or in bright sunlight |
| Resize Text (200% zoom) | Users with low vision need to zoom — content must remain usable at 200% |
| Reflow (320px width) | Content must work at 320px width without horizontal scrolling — mobile and zoom users |
| Non-text Contrast (UI components) | Buttons, inputs, and icons need sufficient contrast to be visible |
| Bypass Blocks (skip navigation) | Keyboard users need a way to skip past repeated nav — saves hundreds of tab presses |
| Headings and Labels | Proper heading hierarchy lets screen reader users navigate by section |
| Language of Page | Screen readers need the page language to pronounce text correctly |
| Name, Role, Value (ARIA) | Interactive elements must have accessible names — otherwise invisible to assistive tech |
| Status Messages | Dynamic updates (toasts, alerts) must be announced to screen readers via ARIA live regions |
SEO (1 credit)
Checks search engine optimization fundamentals for indexing and ranking. 11 checks in 1 profile.
SEO Fundamentals
| Check | What it tests |
|---|---|
| Meta Description | The snippet shown in Google results — missing or poor descriptions reduce click-through rates |
| Document Title | The most important on-page SEO element — appears in search results and browser tabs |
| HTTP Status Code | Non-200 status codes tell search engines your page has problems |
| Descriptive Link Text | 'Click here' tells search engines nothing — descriptive text improves ranking signals |
| Crawlable Links | Links that search engines can't follow mean pages won't be discovered or indexed |
| robots.txt Valid | Invalid robots.txt can accidentally block search engines from your entire site |
| hreflang | Tells search engines which language version to show users in different countries |
| Canonical URL | Prevents duplicate content penalties — tells Google which version of a page is authoritative |
| Image Alt Text | Helps images appear in Google Image search — additional traffic source |
| Font Size Legible | Text smaller than 12px is flagged by Google as a mobile usability issue — affects mobile ranking |
| Tap Targets Sized | Touch targets smaller than 48x48px are hard to tap — Google penalizes this in mobile search |
Quality (1 credit, signed-in users)
Runtime hygiene audits from Lighthouse's Best-Practices category that complement the Security scan's static HTTP checks with what Lighthouse observes while the page actually runs. 8 checks across 3 profiles.
Security Runtime
| Check | What it tests |
|---|---|
| HTTPS | Runtime check: final page and every subresource served over HTTPS (catches mixed content that the Security scan's static check misses) |
| No Vulnerable Libraries | Runtime detection of loaded JS libraries — catches libs injected after page load that static scans miss |
| CSP XSS Effective | Evaluates the CSP string against known XSS bypass patterns (unsafe-inline, overly permissive sources) — judges effectiveness, not just presence |
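As an added example (not Lighthouse's or AppVet's implementation), the function below judges a CSP string's effectiveness the way the CSP XSS Effective check is described: it flags `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, and wildcard or scheme-only script sources, and notes the missing `base-uri` and `object-src` fallbacks; the `PERMISSIVE` set and the finding wording are this example's own assumptions.

```python
# Scheme-only and wildcard sources that let any origin supply scripts.
PERMISSIVE = {"*", "http:", "https:", "data:", "http://*", "https://*"}

def parse_csp(policy):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_weaknesses(policy):
    """Return a list of XSS-relevant weaknesses; empty means the policy
    is effective against the patterns this example knows about."""
    d = parse_csp(policy)
    findings = []
    # script-src governs scripts; default-src is the fallback when it is absent.
    script = d.get("script-src")
    if script is None:
        script = d.get("default-src")
    if script is None:
        return ["no script-src or default-src: any script source is allowed"]
    sources = [s.strip("'").lower() for s in script]
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    has_nonce_or_hash = any(
        s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in sources)
    if "unsafe-inline" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script sources without a nonce or hash")
    if "unsafe-eval" in sources:
        findings.append("'unsafe-eval' permits eval()-style script injection")
    for src in sources:
        if src in PERMISSIVE:
            findings.append(f"overly permissive script source: {src}")
    if "object-src" not in d and "default-src" not in d:
        findings.append("no object-src or default-src: plugin content can run scripts")
    if "base-uri" not in d:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings

# Constructed policies for illustration.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRONG_CSP = ("default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")
```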
Code Hygiene
| Check | What it tests |
|---|---|
| No Deprecations | Runtime detection of deprecated browser API calls — future-breakage risk |
| Valid Source Maps | Source maps help debug production issues; invalid ones waste bandwidth and confuse stack traces |
| Charset Declared | Missing <meta charset> can cause text rendering issues across browsers and languages |
| Doctype Present | Missing <!DOCTYPE html> triggers quirks mode — inconsistent rendering |
Error Reporting
| Check | What it tests |
|---|---|
| No Console Errors | JavaScript errors logged at runtime indicate broken functionality real users will hit |
Summary
| Category | Profiles | Checks | Cost |
|---|---|---|---|
| Security | 3 | 27 | 1 credit |
| Performance | 2 | 26 | 1 credit |
| Accessibility | 1 | 12 | 1 credit |
| SEO | 1 | 11 | 1 credit |
| Quality (signed-in) | 3 | 8 | 1 credit |
| Total | 9 | 84 | 1 credit each |