Back to the audit
Methodology & Reference Standards

How SiteAudit works,
and why the results are real.

An automated review of three independent dimensions of your website: visual design, code quality, and frontend performance. The tool captures the live page exactly as a visitor sees it and compares the captured state against the specifications, guidelines, and measurement methodologies that govern the modern web.

01 / What gets reviewed

Three independent passes, three reference standards.

Each pass evaluates different evidence against different specifications. None of them know each other's scores. A weak signal in one cannot drag the others into agreement.

Visual / Aesthetic

Reviewed against established design principles: typographic hierarchy, contrast, whitespace, layout grids, and imagery composition. These principles are codified in the major published design systems and reinforced by accessibility specifications.

Reference standards
Material Design Apple HIG IBM Carbon WCAG 2.2

Code Quality

Checked against the language and markup specifications themselves: served HTML and CSS are parsed and measured, semantic structure is verified, accessible markup patterns are evaluated. The site's build platform is identified deterministically before scoring begins.

Reference standards
W3C HTML WHATWG W3C CSS WAI-ARIA ECMAScript

Frontend Performance

Measured with real browser instrumentation. Chromium captures load timing, network requests, JavaScript execution time, layout shift, and resource sizing on the live page. The numbers in the report are computed from that capture, not estimated.

Reference standards
Core Web Vitals LCP / INP / CLS web.dev RFC 9110
02 / What you get back

A real report, not a vibes summary.

Every audit produces the same set of deliverables. Numbers you can defend. Findings you can act on. Citations you can verify.

01
Three independent scores
Visual, code, and performance scored 0 to 10. Each from its own pass.
02
Categorized findings
Critical issues, improvements, and strengths. Each with plain-English explanation.
03
Fix-priority roadmap
The recommended order to address issues, weighted by impact and effort.
04
Evidence breakdown
Developer-ready measurements showing exactly how each score was reached.
~2 min
Full audit duration
3
Independent score passes
100%
Real browser instrumentation
0
Made-up numbers

Not another AI gimmick.

You've seen them. Someone wires up a single API call to GPT, slaps a logo on it, and ships an "AI website auditor" in a weekend. The output reads like a horoscope: vague praise, generic platitudes. Hit refresh and the scores change. SiteAudit isn't that.

Vibe-coded AI tool

One prompt. One model. Whatever it says.

  • Single AI call decides every score
  • Same input, different reports each run
  • No platform context, treats every site the same
  • Performance numbers borrowed from someone else's API
  • Browser is trusted, results are tamperable
  • Findings can't be verified against any source
VS
SiteAudit

Real measurements. Cited specifications.

  • Three independent passes, different evidence each
  • Same input produces the same scores, every run
  • Build platform identified deterministically first
  • Performance measured by a real browser, in real time
  • Server holds the authoritative audit record
  • Every finding traces to a public, citable standard
01 / Independent passes

Three reviews, not one prompt

A typical AI auditor sends one prompt to one model and pastes the response into a template. SiteAudit runs three separate analysis passes, each grounded in different evidence and scored against different reference standards.

The visual review evaluates what a human eye sees in a real screenshot. The code review reads the actual served HTML, CSS, and JavaScript. The performance review takes real measurements from a real browser. None of these passes know each other's scores.

02 / Deterministic fingerprinting

Build Origin is detected, not guessed

Before any AI runs, a dedicated classifier identifies what built the site: WordPress, Shopify, Wix, Squarespace, Webflow, Duda, Magento, custom code. It matches dozens of fingerprints: DOM signatures, HTTP header patterns, theme file paths, JavaScript globals, platform-specific markup quirks.

It's deterministic pattern matching, not inference. The same site gets the same classification every time, with cited evidence. The same way a malware scanner identifies a known signature.

03 / Performance is measured

Real Chromium, not someone else's API

This is where most AI tools quietly fail. A "Google Core Web Vitals" API call returns lab data from Google's own crawl, which may be days or weeks stale, sampled from a different geography, telling you nothing about the page state a real visitor sees right now.

SiteAudit doesn't ask Google. It launches a real Chromium browser through Playwright, navigates to your URL, and instruments the entire page load: every network request, every paint event, every script execution, every layout shift, every byte.

04 / Hostile-input architecture

The browser is treated as untrusted

A weekend AI tool slaps a URL into a fetch and trusts whatever comes back. That's how you get auditors that can be tricked into scanning internal admin panels or cloud metadata endpoints. SiteAudit ships with multi-layer SSRF protection: pre-DNS validation, request interception, post-redirect re-validation.

When the audit completes, the results aren't trusted from the browser either. The server holds the authoritative audit record. Most AI-tool clones happily accept whatever JSON the browser POSTs back.

05 / Reproducibility

Same input, same score, every run

Run SiteAudit twice on the same unchanged page and you get the same scores within measurement noise. That sounds obvious until you compare it to single-prompt AI tools where the same input produces wildly different reports.

SiteAudit's scores are reproducible because the measurements are deterministic and the AI is only describing what the measurements say, not inventing scores out of thin air.

06 / Citation chain

Every finding has a source

When the report flags a contrast issue, it traces to WCAG 2.2 SC 1.4.3. A missing <title> traces to HTML Living Standard § 4.2.2. A CLS score above 0.1 traces to the published Core Web Vitals thresholds. Schema.org markup is validated against schema.org's own published types.

You can look every finding up yourself. Not because we want to be defensible in court, but because that's how an auditor should be built: every claim grounded in a public, citable specification.

TL;DR
A vibe-coded AI tool is a thin wrapper around a language model trying to sound authoritative about your website. SiteAudit is an instrumented browser doing real measurements against published web standards, with a classifier that ID's your build, with an AI that explains the findings in plain English instead of inventing them, with a server that doesn't trust the browser, with reproducible scores, and with citations for every claim.
// Ready when you are

Run an audit on your site.

Free, no signup. Drop in a URL and we'll capture the live page, run the three passes, and hand you back a report with citations.

Run audit