What Does a Website Audit Include? Complete Breakdown
You have heard you need a website audit. Maybe a marketing agency pitched one, or you read that audits improve SEO. But what actually gets checked? What should the report look like? And how do you tell the difference between a thorough audit and a surface-level scan that misses critical issues?
This article breaks down every component of a professional website audit, explains what each section measures and why it matters, and shows you what a useful audit report looks like — so you know exactly what to expect and what to demand.
The Four Pillars of a Website Audit
A comprehensive website audit covers four distinct areas. Many tools and agencies focus on just one or two. A complete audit addresses all four, because they are interconnected — a security issue can tank your SEO, an accessibility problem can hurt your conversions, and a performance problem can undermine everything else.
- Performance analysis — How fast and responsive is the site?
- SEO health check — Can search engines find, crawl, and rank the site effectively?
- Security assessment — Is the site safe for visitors and resistant to common attacks?
- Accessibility review — Can all users, including those with disabilities, use the site?
1. Performance Analysis
The performance section measures how quickly your site loads and how responsive it feels to user interactions. This directly impacts user experience, conversion rates, and search engine rankings.
Core Web Vitals
Google's Core Web Vitals are the industry standard for measuring real-world performance. A proper audit measures all three:
- Largest Contentful Paint (LCP): How long until the main content is visible. Good is under 2.5 seconds. This metric reveals issues with server response time, large unoptimized images, render-blocking resources, and slow CDN delivery.
- Interaction to Next Paint (INP): How responsive the page is to clicks, taps, and keyboard input. Good is under 200 milliseconds. Poor INP usually indicates heavy JavaScript blocking the main thread.
- Cumulative Layout Shift (CLS): How much the page content jumps around during loading. Good is under 0.1. Layout shifts are caused by images without dimensions, dynamically injected content, and late-loading fonts or ads.
Additional Performance Metrics
Beyond Core Web Vitals, a thorough performance audit also examines:
- Time to First Byte (TTFB): How quickly the server responds. Under 200ms is good. Slow TTFB points to hosting, server configuration, or backend code issues.
- Total page weight: The combined size of all files (HTML, CSS, JavaScript, images, fonts) required to load the page. Modern best practice is under 2 MB for most pages.
- Number of HTTP requests: Each file the browser needs to download is a separate request. Fewer requests mean faster loading, especially on mobile networks.
- Image optimization: Are images served in modern formats (WebP, AVIF)? Are they properly sized? Are they lazy-loaded below the fold?
- Caching configuration: Are static assets served with appropriate Cache-Control headers so returning visitors do not re-download everything?
- Compression: Is Brotli or GZIP compression enabled for text-based resources?
What the Report Should Show
The performance section of an audit report should include actual metric values (not just pass/fail), comparison to industry benchmarks, identification of the specific resources causing problems, and prioritized recommendations. A report that says "your LCP is 4.2 seconds — fix it" is useless. A good report says "your LCP is 4.2 seconds, caused primarily by a 2.8 MB hero image that is served as PNG instead of WebP and is 3840px wide while the container is 1200px."
2. SEO Health Check
The SEO section evaluates whether search engines can effectively discover, crawl, understand, and rank your pages. This is not about keyword strategy — it is about the technical foundation that makes ranking possible.
Crawlability
- Robots.txt: Is it present? Is it accidentally blocking important pages? Is it allowing access to CSS and JavaScript files that search engines need for rendering?
- XML sitemap: Does it exist? Is it submitted to Google Search Console? Does it include all important pages and exclude thin or duplicate content?
- Crawl errors: Are there 404 pages, redirect chains, or server errors that waste crawl budget?
- Internal linking: Can search engines reach all important pages within a few clicks from the homepage? Are there orphan pages with no internal links?
On-Page SEO Elements
- Title tags: Does every page have a unique, descriptive title under 60 characters? Are important keywords included near the beginning?
- Meta descriptions: Does every page have a compelling meta description under 160 characters that encourages clicks?
- Heading structure: Is there exactly one H1 per page? Are H2s and H3s used to create a logical content hierarchy?
- Image alt text: Do all meaningful images have descriptive alt attributes?
- URL structure: Are URLs clean, readable, and descriptive? Do they avoid unnecessary parameters, session IDs, or meaningless strings?
Technical SEO
- Canonical tags: Are canonical URLs set correctly to prevent duplicate content issues?
- Structured data: Is schema markup implemented correctly? Does it validate without errors?
- Mobile-friendliness: Does the site pass Google's mobile-friendly test? Is the viewport meta tag set correctly?
- HTTPS: Is the entire site served over HTTPS? Are there mixed content warnings?
- Hreflang tags: For multilingual sites, are language annotations implemented correctly?
- Page speed: Overlaps with the performance section, but here the focus is specifically on how speed impacts crawl budget and ranking signals.
What the Report Should Show
The SEO section should list every issue found, categorized by severity. Critical issues (broken canonical tags, blocked crawling, missing titles) should be at the top. The report should include the specific URLs affected, the current state, and the recommended fix. A summary count — for example, "14 pages missing meta descriptions, 7 broken internal links, 3 redirect chains" — makes it easy to scope the remediation work.
3. Security Assessment
The security section identifies vulnerabilities that could expose your visitors to risk, get your site blacklisted by Google, or lead to a breach. This section is frequently omitted from cheap or SEO-only audits, but it is essential.
SSL/TLS Configuration
- Certificate validity: Is the SSL certificate current, properly configured, and issued by a trusted authority?
- Protocol version: Is the site using TLS 1.2 or 1.3? Older versions (TLS 1.0, 1.1) have known vulnerabilities.
- Mixed content: Are all resources (images, scripts, stylesheets) loaded over HTTPS? A single HTTP resource triggers browser warnings.
- HTTPS redirect: Does the HTTP version properly redirect to HTTPS with a 301 redirect?
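The mixed content check from the list above, as an added example (not code from this article or from any audit tool): it parses a page's HTML and reports every subresource that resolves to http://, with the line it appears on. The active/passive labels, the tag list and the sample page are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch. <a href> is navigation, not a load.
URL_ATTRS = {"script": "src", "iframe": "src", "link": "href",
             "img": "src", "audio": "src", "video": "src", "source": "src"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}  # media; everything else is "active"

class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url, line) for subresources that resolve to http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(URL_ATTRS.get(tag, ""))
        if not ref:
            return
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # this example checks stylesheets only; canonical links are not fetched
        url = urljoin(self.page_url, ref)  # resolves relative and //host URLs
        if urlsplit(url).scheme == "http":
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((kind, tag, url, self.getpos()[0]))

def find_mixed_content(page_url, html):
    """Return findings for an HTTPS page; mixed content does not apply to HTTP pages."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<link rel="canonical" href="http://www.example.com/">
</head><body>
<img src="http://img.example.com/hero.png" alt="hero">
<img src="//img.example.com/logo.png" alt="logo">
<a href="http://partner.example.net/">Partner</a>
</body></html>"""
```

Relative and protocol-relative URLs inherit the page's scheme, so only the script on line 3 and the image on line 6 of the sample are reported.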
Security Headers
HTTP security headers instruct browsers to enforce specific security policies. A proper audit checks for:
- Content-Security-Policy (CSP): Prevents cross-site scripting (XSS) attacks by specifying which sources of content are allowed.
- X-Frame-Options: Prevents clickjacking by controlling whether the site can be embedded in iframes.
- X-Content-Type-Options: Prevents MIME-type sniffing attacks.
- Strict-Transport-Security (HSTS): Forces browsers to only connect over HTTPS.
- Referrer-Policy: Controls how much referrer information is sent with requests.
- Permissions-Policy: Controls which browser features (camera, microphone, geolocation) the site can access.
Vulnerability Checks
- Outdated software: Are the CMS, plugins, themes, and server software up to date?
- Exposed sensitive files: Are configuration files, backup files, or version control directories accessible?
- Form security: Do forms have CSRF protection? Is input properly validated and sanitized?
- Information disclosure: Does the server reveal its software version in response headers?
What the Report Should Show
Security findings should be rated by severity — critical, high, medium, low. Each finding should explain the risk in plain language ("An attacker could inject malicious scripts that steal visitor data"), not just technical jargon. Remediation steps should be specific and actionable.
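The security header and information disclosure checks listed above, as an added example (not code from this article or from any audit tool): the function takes one response's headers and returns findings ordered by severity. The severity labels, the one-year HSTS threshold and the sample headers are assumptions of this example.

```python
import re

MIN_HSTS_AGE = 31536000  # one year, in seconds; threshold assumed for this example

def parse_csp(value):
    """Map each CSP directive name to its list of source tokens."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def audit_headers(headers):
    """Return (severity, header, problem) findings, most severe first."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    found = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        found.append(("high", "Content-Security-Policy", "missing"))
    else:
        src = csp.get("script-src", csp.get("default-src", []))
        guarded = any(s.startswith(("'nonce-", "'sha")) for s in src)
        if "'unsafe-inline'" in src and not guarded:
            found.append(("medium", "Content-Security-Policy", "inline scripts allowed"))
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        found.append(("medium", "X-Frame-Options", "framing not restricted"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        found.append(("low", "X-Content-Type-Options", "not set to nosniff"))
    hsts = h.get("strict-transport-security")
    age = re.search(r'max-age="?(\d+)', hsts or "", re.I)
    if hsts is None:
        found.append(("high", "Strict-Transport-Security", "missing"))
    elif not age or int(age.group(1)) < MIN_HSTS_AGE:
        found.append(("medium", "Strict-Transport-Security", "max-age too short"))
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if name.lower() not in h:
            found.append(("low", name, "missing"))
    for name in ("Server", "X-Powered-By"):
        if re.search(r"\d+\.\d+", h.get(name.lower(), "")):
            found.append(("low", name, "discloses software version"))
    return sorted(found, key=lambda f: ("high", "medium", "low").index(f[0]))

# Constructed sample response headers, not captured from a real site.
SAMPLE = {
    "Server": "nginx/1.18.0", "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
```

A header that is present but weak (the one-day HSTS max-age and the 'unsafe-inline' script source in the sample) is reported separately from one that is missing, which a presence-only check would not show.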
4. Accessibility Review
The accessibility section evaluates whether your website can be used by people with disabilities, including those using screen readers, keyboard navigation, or other assistive technologies. Beyond being the right thing to do, accessibility compliance is a legal requirement in many jurisdictions.
What Gets Checked
- WCAG compliance level: Most audits evaluate against WCAG 2.1 or 2.2 Level AA, which is the standard referenced by most accessibility laws.
- Color contrast: Do text and background colors meet minimum contrast ratios (4.5:1 for normal text, 3:1 for large text)?
- Keyboard navigation: Can all interactive elements be reached and operated using only a keyboard?
- Screen reader compatibility: Are ARIA labels, roles, and landmarks used correctly? Do images have alt text? Are form fields properly labeled?
- Focus indicators: Is the keyboard focus visible as a user tabs through the page?
- Heading hierarchy: Are headings used in a logical order (H1 followed by H2, not H1 followed by H4)?
- Link text: Are links descriptive ("Read the full report") rather than ambiguous ("Click here")?
- Media alternatives: Do videos have captions? Do audio files have transcripts?
What the Report Should Show
Accessibility issues should be mapped to specific WCAG success criteria (for example, "Fails 1.4.3 Contrast Minimum"). The report should include the affected elements, their location on the page, and a clear explanation of how to fix each issue. Automated scans catch approximately 30-40% of accessibility issues — a thorough audit supplements automation with manual testing.
How to Read an Audit Report
A well-structured audit report includes:
- Executive summary: A one-page overview with overall scores or grades for each pillar, the most critical findings, and a recommended action plan.
- Detailed findings: Each issue described with its location, severity, impact, and specific remediation steps.
- Prioritization: Issues ranked by a combination of severity and effort. Quick wins (high impact, low effort) should be clearly identified.
- Benchmarks: How your site compares to industry standards and competitors.
- Next steps: A clear action plan with timelines.
Be cautious of audit reports that are padded with hundreds of minor warnings to look comprehensive. A good audit distinguishes between issues that genuinely hurt your business and issues that are technically imperfect but practically insignificant.
Get Your Own Website Audit
Now you know what a professional audit should cover. The next step is finding out where your site actually stands. Run a free Claros scan to get an instant audit covering performance, SEO, security, and accessibility — with a clear, prioritized report you can act on immediately. It takes under 30 seconds and requires no account.