Test reference

Permissive CSP (unsafe-inline, unsafe-eval, wildcard, no object-src/base-uri/frame-ancestors).

Strict CSP with nonces, no unsafe-* directives.

Load http:// resources on this https:// page.

All resources loaded over https://.

Strip HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.

All six recommended security headers present.

Set a tracking cookie without Secure/SameSite/HttpOnly.

No tracking cookies set without consent.

Omit Cache-Control entirely on the HTML document.

Sensible Cache-Control (private, no-store).

Reflect any Origin with Access-Control-Allow-Credentials: true.

No CORS headers on HTML document.

Drop title, meta description, H1, canonical, and OG tags.

Title, description, H1, canonical, and full OG present.

3 chained 302 redirects before reaching the page.

Direct 200 response, no redirects.

Malformed JSON-LD (broken JSON + missing required fields).

Valid Organization + WebSite JSON-LD.

Sitemap includes URLs that return 404. Orphan pages not linked from nav.

All sitemap URLs resolve. All pages reachable from navigation.

Remove viewport meta, force 1400px wide layout.

Standard responsive viewport.

Placeholder-only inputs, low contrast, missing alt, no button role.

Labelled inputs, sufficient contrast, proper semantics.

Keyboard traps, missing skip links, broken focus order, missing landmarks.

Skip link, proper landmarks, logical focus order, no keyboard traps.

/sample page with dead internal + external links.

/sample page with all valid links.

Heavy legacy-format image, no lazy loading, no alt text.

Modern, lazy-loaded, properly sized image with alt.

Deliberately invalid HTML (orphan tags, duplicate IDs).

Clean, validator-friendly HTML5.

No manifest.json, no touch icons, no theme-color meta.

Web manifest, apple-touch-icon, theme-color present.

Layout shift elements, huge unoptimized hero, render-blocking inline styles.

Stable layout, optimized assets, no CLS triggers.

Server-side delay of ~3 seconds.

Sub-200ms server response.

Four heavy render-blocking third-party scripts in <head>.

No third-party scripts.

Hosting-level — cannot be controlled at page level.

HTTP/2 over TLS.

Page layout breaks: wrong fonts, shifted elements, broken colors, misaligned grid.

Clean, stable layout matching the visual baseline.

Broken GTM container, render-blocking, no consent mode, no GA4.

No tracking on this page (clean baseline).

Form POSTs to stub that always returns 200, no validation.

Required-field validation, honeypot, server-side check.

/contact page with no HTTPS form action, missing fields, no spam protection.

/contact page with proper form, validation, honeypot, HTTPS action.

Respond 200 for /.env, /.git/HEAD, /wp-admin, /backup.sql.

All sensitive paths return 404.

Block all crawlers (Disallow: /) or return empty file.

Sensible rules with Sitemap reference.

Broken XML with invalid URLs and bad lastmod dates.

Valid XML sitemap with fresh sample URLs.

No llms.txt, AI crawlers blocked in robots.txt.

Valid llms.txt + llms-full.txt, AI crawlers allowed.

/api/health returns 503 with degraded status.

/api/health returns 200 with all services healthy.

/api/health responds with ~2 second delay.

/api/health responds in under 100ms.

/api/graphql exposes full schema via introspection query.

/api/graphql blocks introspection (403).

HTML contains debug comments, console.log leaks, version strings, TODO markers.

Clean production HTML with no debug artifacts.

Thin content, no clear headings, no source attribution, no factual structure.

Citation-friendly content with clear headings, facts, sources, and structure.

No platform-specific AI signals (missing FAQ schema, no how-to markup, thin content).

FAQ + HowTo structured data, citation-friendly headings, AI platform signals.