Documentation

Everything you need to know about using SiteAuditLab.

Overview

SiteAuditLab is a website auditing and monitoring platform. It combines instant one-off scans with persistent monitoring — uptime checks, scheduled audit reports, and GA4 event assertions — all in one place.

Scans are non-intrusive and performed server-side. No browser extensions, no agents, and no changes are made to your website. We analyse HTTP responses, headers, and page content only.

  • Scan categories: 8 categories
  • Scan time: ~5–15 seconds
  • Checks per scan: 30+ checks

What you can do

  • Instant scan — scan any public URL with no account required
  • Scan history — save every report and track grade changes over time (sign-in required)
  • Uptime monitoring — 24/7 availability checks with email alerts
  • Browser monitors — scheduled headless browser checks that capture events, cookies, and network requests across multi-step user journeys
  • Scheduled reports — automated full-site audits delivered to your inbox on a schedule
  • Bulk scanning — scan up to 20 URLs in a single request
  • Compare sites — side-by-side grade comparison between any two URLs
  • PDF export — download any report as a printable PDF
  • API access — programmatic access via API keys

How It Works

When you submit a URL, SiteAuditLab performs the following steps:

  1. Normalises the URL (adds https:// if no protocol is provided)
  2. Makes an HTTP GET request to the target URL, following redirects
  3. Analyses response headers, status codes, and response time
  4. Parses the HTML body for meta tags, scripts, links, and content
  5. Runs each selected scan category against the collected data
  6. Calculates scores, assigns grades, and stores the report

Scans do not execute JavaScript (in the standard scan mode), load external resources, or perform any intrusive testing. They are read-only and safe to run against production sites.

Advanced: Custom request headers

Authenticated users can pass custom HTTP headers with each scan request — useful for scanning pages behind a login, preview environments, or CDN-cached routes. Expand the Advanced options panel in the scan input to add headers such as:

Cookie: session_id=abc123; _ga=GA1.2.xxx
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
X-Preview-Token: my-preview-secret

Scan Categories

Security

Checks HTTP security headers, SSL/TLS configuration, and exposed sensitive information.

  • Content-Security-Policy (CSP) — presence and key directives
  • Strict-Transport-Security (HSTS) — max-age and preload
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Server version disclosure in response headers
  • Mixed content detection
  • Exposed sensitive paths (/.env, /wp-config.php, /.git, etc.)
  • CORS policy configuration
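
The header checks listed above can be reproduced against any captured response. This is an added example, not SiteAuditLab's own code; the severity labels, the one-year HSTS threshold and the sample headers are assumptions made for illustration.

```python
import re

SAMPLE_HEADERS = {  # constructed sample, not taken from a real site
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
}
MIN_HSTS_MAX_AGE = 31536000  # assumption: one year as the minimum acceptable max-age
REQUIRED = ("x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy")

def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit_headers(headers):
    """Return (severity, message) findings; severities are assumed, not the product's."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append(("critical", "Content-Security-Policy missing"))
    else:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when it is not set
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(("warning", "CSP allows 'unsafe-inline' scripts"))
    if "strict-transport-security" not in h:
        findings.append(("critical", "Strict-Transport-Security missing"))
    else:
        hsts = h["strict-transport-security"].lower()
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(("warning", f"HSTS max-age={max_age} is under one year"))
        if "preload" not in hsts:
            findings.append(("info", "HSTS preload directive not set"))
    for name in REQUIRED:
        if name not in h:
            findings.append(("warning", f"{name} missing"))
    if re.search(r"/\d", h.get("server", "")):
        findings.append(("warning", "Server header discloses a version number"))
    return findings
```

Header names are compared case-insensitively because servers and proxies vary in how they capitalise them.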

Performance

Analyses response speed, content size, and resource optimisation.

  • Time to First Byte (TTFB)
  • Response compression (gzip / brotli)
  • Cache-Control header configuration
  • Total page weight estimation
  • Render-blocking inline scripts and styles
  • CDN presence detection

SEO

Reviews on-page SEO signals from the HTML content.

  • Title tag — presence, length, and uniqueness signals
  • Meta description — presence and optimal length
  • Canonical URL configuration
  • Open Graph and Twitter Card tags
  • Heading structure (H1/H2 presence and order)
  • robots.txt and XML sitemap references
  • Structured data (JSON-LD) detection
  • Hreflang tags for internationalised sites

Uptime

Verifies the site is reachable and responding correctly.

  • HTTP status code check
  • HTTPS redirect from HTTP
  • Response time measurement
  • Redirect chain analysis (flags excessive hops)
  • SSL certificate expiry check

Analytics / GA4

Detects analytics and tracking tools in the page source and flags misconfigurations.

  • Google Tag Manager (GTM-XXXX) and GA4 (G-XXXXXXXXXX) detection
  • Universal Analytics / legacy GA (UA-XXXXX-X)
  • Google Ads, Meta Pixel, Segment, Hotjar, Mixpanel, Microsoft Clarity
  • Consent mode configuration (v1 / v2)
  • dataLayer.push() event names found in source
  • Third-party analytics network requests

Tech Stack

Fingerprints the technology powering the site.

  • JavaScript frameworks (React, Vue, Angular, Next.js, Nuxt, etc.)
  • CMS platforms (WordPress, Shopify, Webflow, etc.)
  • CDN and hosting provider detection
  • Build tool signatures (Vite, Webpack, Parcel)
  • 50+ detectable technologies with confidence ratings

Accessibility

Checks key WCAG 2.1 AA signals from the HTML source.

  • Image alt text presence
  • Heading hierarchy (no skipped levels)
  • Form input labels and ARIA associations
  • Language attribute on <html>
  • Skip navigation link presence
  • ARIA landmark roles
  • Link text quality (detects "click here" and unlabelled icon links)

Privacy & GDPR

Flags tracking practices and compliance signals.

  • Consent management platform (CMP) detection
  • 11+ third-party tracker inventory
  • Privacy policy link presence
  • Cookie security flags (Secure, HttpOnly, SameSite)
  • Browser fingerprinting script detection
  • Mixed-content warnings

Grading System

Each category starts at a base score of 100. Points are deducted for each finding by severity, with diminishing returns to prevent a single issue from dominating the score. The overall score is a weighted average across all active categories.

  • Critical: −15 pts (first 3), −5 pts (each beyond)
  • Warning: −5 pts (first 5), −2 pts (each beyond)
  • Info: 0 pts (informational only)
  • Pass: +1 pt per check (capped at +10)

Category weights for the overall score:

  • SEO — 30%
  • Performance — 22%
  • Security — 20%
  • Accessibility — 12%
  • Uptime — 8%
  • Privacy / GDPR — 8%
  • Analytics — informational only (no weight)
  • Tech Stack — informational only (no weight)

When a category is not included in a scan, its weight is redistributed proportionally among the active categories.

Letter grades: A+ (≥95), A (≥90), A− (≥85), B+ (≥80), B (≥75), B− (≥70), C+ (≥65), C (≥60), C− (≥55), D (≥45), F (<45).
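
The scoring rules above, worked through as an added example (not SiteAuditLab's implementation). It assumes category scores are clamped to 0–100, uses the API's category keys (`a11y`, `privacy`) and writes grades with an ASCII hyphen as the API responses do.

```python
# Category weights (percent) as listed above; Analytics and Tech Stack carry no weight.
WEIGHTS = {"seo": 30, "performance": 22, "security": 20,
           "a11y": 12, "uptime": 8, "privacy": 8}
GRADES = [(95, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (75, "B"), (70, "B-"),
          (65, "C+"), (60, "C"), (55, "C-"), (45, "D")]

def category_score(critical=0, warning=0, passed=0):
    """Base 100, tiered deductions, pass bonus capped at +10.
    Clamping the result to 0..100 is an assumption; the page does not state it."""
    penalty = 15 * min(critical, 3) + 5 * max(critical - 3, 0)
    penalty += 5 * min(warning, 5) + 2 * max(warning - 5, 0)
    return max(0, min(100, 100 - penalty + min(passed, 10)))

def overall_score(scores):
    """Weighted average over the weighted categories present in `scores`.
    Dividing by the sum of the active weights redistributes the weight of
    any category left out of the scan proportionally among the rest."""
    active = {c: s for c, s in scores.items() if c in WEIGHTS}
    total = sum(WEIGHTS[c] for c in active)
    if total == 0:
        raise ValueError("no weighted category in scan")
    return sum(WEIGHTS[c] * s for c, s in active.items()) / total

def letter_grade(score):
    """Map a 0..100 score to the letter grade thresholds listed above."""
    for threshold, grade in GRADES:
        if score >= threshold:
            return grade
    return "F"
```

A scan limited to Security (score 80) and SEO (score 90) is weighted 20:30, which gives an overall score of 86 and a grade of A-.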

Rate Limits

Account type              Scans / day   Notes
Anonymous (no sign-in)    5             Per IP address
Authenticated user        100           Per account; API key access included

Rate limit windows reset every 24 hours from the time of the first request in the window.

Bulk scans (up to 20 URLs) count as one request per URL against your daily limit. Anonymous bulk scans are capped at 5 URLs; authenticated users can scan up to 20.

Uptime Monitoring

Uptime monitors continuously check whether your site is reachable and send an immediate email alert when it goes down or recovers.

Setting up a monitor

  1. Sign in and open the Dashboard
  2. Select a site from My Sites, then open the Automations tab
  3. Under Uptime Monitoring, click Add Monitor
  4. Enter the URL and the email address for alerts

How it works

  • Monitors probe your URL on a regular schedule (default: every 5 minutes via cron)
  • An alert email is sent on the first failed check and again on recovery
  • The monitor card in your dashboard shows current status and response time history
  • You can pause or delete a monitor at any time

Browser Monitors

Browser monitors run a real headless browser on a schedule, execute a sequence of user interactions (clicks, form fills, navigation), and capture every event, cookie, and network request that fires. Get alerted the moment behaviour changes.

When to use this

  • Verify a purchase event fires after your checkout flow completes
  • Assert add_to_cart fires when clicking the add-to-cart button
  • Confirm consent mode is active before any tracking pixels load
  • Catch tag manager changes that accidentally break existing events

Steps

Each monitor defines a sequence of browser actions. Available step types:

action     required fields       description
navigate   url                   Load a URL in the browser
click      selector              Click a CSS selector
fill       selector, value       Type into an input field
wait       ms                    Pause for N milliseconds (max 5000)
scroll     selector (optional)   Scroll to element or page bottom
hover      selector              Hover over an element
submit     selector              Press Enter on a form element

Assertions

Assertions define which events must fire. A monitor fails if any required: true event is not detected. Enter one assertion per line in the builder:

purchase
add_to_cart
begin_checkout

What gets captured

  • All dataLayer.push() events in real time
  • All gtag() event calls
  • Network requests to GA4, GTM, Meta Pixel, LinkedIn, TikTok, and other analytics endpoints
  • All cookies set after each step
  • A screenshot after every step
  • A full session recording (.webm video) stored for later playback

Alert email

When a monitor fails, an alert email lists the missing events, the events that were captured, and a link to the full run detail — including step-by-step screenshots and the session recording.

Scheduled Reports

Scheduled reports run a full audit of your site on a repeating schedule and email the results to you automatically.

Setting up a schedule

  1. Sign in and open the Dashboard
  2. Navigate to the Automations sidebar section
  3. Under Scheduled Audit Reports, click New Schedule
  4. Enter the target URL, select frequency (daily / weekly / monthly), scan categories, and your email

Report email

Each scheduled run sends a summary email with grade badges per category, a list of critical and warning findings, and a link to the full report. If the grade drops since the last run, the email highlights which categories changed.

Bulk Scanning

Bulk scanning lets you audit multiple URLs in a single operation — useful for agencies, site migrations, or comparing multiple pages of the same domain.

Dashboard UI

In the dashboard sidebar, open Bulk Scan. Paste up to 20 URLs (one per line) and click Run Bulk Scan. Results show the grade and a link to the full report for each URL.

API

Bulk scans are also available via the API:

POST /api/scan/bulk

{
  "urls": [
    "https://example.com",
    "https://example.com/pricing",
    "https://example.com/blog"
  ],
  "categories": ["security", "performance", "seo", "uptime"]
}

// Response
{
  "scanned": 3,
  "succeeded": 3,
  "failed": 0,
  "results": [
    {
      "url": "https://example.com",
      "ok": true,
      "reportId": "clxxx",
      "results": { "overallGrade": "B+", "overallScore": 82, ... }
    }
  ]
}

URL limits: 5 URLs for anonymous users, 20 URLs for authenticated users.

Compare Sites

The Compare tool lets you scan two URLs simultaneously and view a side-by-side grade breakdown across all categories. Useful for:

  • Benchmarking your site against a competitor
  • Comparing before/after a major deployment
  • Auditing two versions of a page (e.g., staging vs. production)

Each site in the comparison is scanned independently — both reports are saved to your history and shareable.

API Reference

All endpoints are available for programmatic access. Authenticate using an API key or a session cookie.

Authentication

Generate an API key in Dashboard → API Keys. Pass it in the Authorization header:

Authorization: Bearer sal_live_xxxxxxxxxxxxxxxx

POST /api/scan

Run a single-URL scan.

{
  "url": "https://example.com",
  "categories": ["security", "performance", "seo", "uptime", "analytics"],
  "customHeaders": { "Cookie": "session=abc" }  // optional
}

// Response
{
  "reportId": "clxxxxxxxxxxxxx",
  "results": {
    "url": "https://example.com",
    "overallScore": 84,
    "overallGrade": "B",
    "scannedAt": "2026-03-21T10:30:00.000Z",
    "security":     { "score": 72, "grade": "C+", "findings": [...] },
    "performance":  { "score": 91, "grade": "A-", "findings": [...] },
    "seo":          { "score": 88, "grade": "B+", "findings": [...] },
    "uptime":       { "score": 100, "grade": "A+", "findings": [...] },
    "analytics":    { "tags": [...], "dataLayerEvents": [...] },
    "a11y":         { "score": 78, "grade": "C+", "findings": [...] },
    "privacy":      { "score": 85, "grade": "B",  "findings": [...] },
    "techstack":    { "detections": [...] }
  }
}

POST /api/scan/bulk

Scan up to 20 URLs in one call. See the Bulk Scanning section for the full request/response shape.

POST /api/scan/headless

Run a one-time headless browser scan to capture GA4 events, cookies, and analytics network requests in real time. Requires authentication.

{
  "url": "https://example.com/checkout",
  "steps": [
    { "action": "click", "selector": "#add-to-cart" },
    { "action": "wait",  "ms": 1000 }
  ],
  "captureScreenshots": true,
  "recordVideo": false
}

// Response
{
  "url": "https://example.com/checkout",
  "capturedEvents":  [{ "event": "add_to_cart", "params": {...}, "ts": 1711024200000 }],
  "capturedCookies": [{ "name": "_ga", "value": "GA1.2...", "domain": ".example.com" }],
  "networkHits":     [{ "url": "https://www.google-analytics.com/g/collect?...", "method": "POST" }],
  "screenshots":     [{ "stepIndex": 0, "label": "Page load", "dataUrl": "data:image/png;base64,..." }],
  "videoUrl":        null,
  "eventCount":      3,
  "durationMs":      4821
}

GET /api/scans

Paginated scan history for the authenticated user.

GET /api/scans?page=1&limit=20

{
  "scans": [
    {
      "id": "clxxxxxxxxxxxxx",
      "url": "https://example.com",
      "overallGrade": "B",
      "overallScore": 84,
      "createdAt": "2026-03-21T10:30:00.000Z"
    }
  ],
  "total": 47,
  "page": 1,
  "pages": 3
}

GET /api/badge/[reportId]

Returns an SVG badge showing the grade and score for a report. Embed it in a README or website:

<img src="https://siteauditlab.com/api/badge/clxxxxxxxxxxxxx" alt="SiteAuditLab grade" />

The badge is publicly accessible. No authentication required.

GET /api/pdf/[reportId]

Returns a print-ready HTML page for the report. Open in a browser and use File → Print → Save as PDF, or use the Print / Save PDF button on the page itself.

GET /report/[reportId]

Every scan generates a shareable public report URL. These links are accessible to anyone with the URL and are not indexed or discoverable.

FAQ

Will scanning my site affect its performance or logs?

Standard scans make a single HTTP GET request to your URL — identical to any regular visitor. There is no load testing, repeated polling, or form submission. Headless scans (for GA4 event capture) launch a real browser session, which will appear as a single user visit in your analytics.

Can I scan any website?

You should only scan websites you own or have permission to scan. Scanning third-party sites without authorisation may violate their terms of service.

Why is the Analytics category only available to signed-in users?

Analytics detection requires parsing the full page HTML, which is a more resource-intensive operation. We restrict it to authenticated users to maintain service quality for everyone.

How do browser monitors differ from a standard scan?

A standard scan uses a static HTTP fetch and parses the HTML source — it can detect tags hardcoded in the page, but cannot see events that fire after user interactions. Browser monitors launch a real headless browser, execute your defined steps (clicks, form fills, navigation), and capture every event, cookie, and network request in real time.

Are scan reports public?

Each report has a shareable link that anyone can view if they have the URL. Reports are not indexed or discoverable — only people you share the link with can access them.

What does the grade badge look like?

The badge is a minimal SVG showing your grade letter and score (e.g., "B+ · 82/100") in SiteAuditLab's brand colours. Fetch it from /api/badge/[reportId] and embed it anywhere that renders HTML or Markdown.

How do I delete my data?

You can delete your account and all associated data from Dashboard → Settings. Deletion removes all scan reports, monitors, schedules, and API keys immediately.