Website Best Practices Checker

Find out if your site follows the modern web standards Google checks for. Catches HTTPS issues, insecure dependencies, deprecated APIs, and JavaScript errors before users do.

What the Best Practices audit checks

Lighthouse's Best Practices category covers about 15 checks that every modern site should pass:

Security & privacy

  • HTTPS — site is served over a secure connection
  • No mixed content — no http:// resources on an https:// page
  • No target="_blank" without rel="noopener" — prevents tabnabbing
  • No vulnerable JavaScript libraries — checks against a known-vuln database
  • Content Security Policy (CSP) — if configured, must be effective

Correctness

  • No browser console errors — page loads without throwing
  • No deprecated APIs — no calls to APIs Chrome plans to remove
  • Page has the right doctype (<!DOCTYPE html>)
  • Correct charset declaration
  • Images displayed at the correct aspect ratio — not distorted
  • Images served with the right resolution — not over- or under-scaled

UX & accessibility hygiene

  • Passive listeners on scroll/touch events for smoother scrolling
  • Notification permission requested correctly — not on page load
  • Geolocation permission requested correctly — not on page load

The two most common failures

1. Console errors

Open DevTools → Console. Every uncaught error, deprecation warning, or 404 lowers your score. The fixes are usually trivial — a misspelled asset URL, a missing favicon, a tracking pixel that 404s, a CORS error from a removed third party. Five minutes of cleanup typically pushes you back to 100.

2. Vulnerable JS libraries

This usually means an old version of jQuery, Lodash, or Bootstrap loaded from your CMS or a legacy plugin. Either upgrade to a current version or remove the dependency.

Why this score matters even though it's not a ranking factor

Lighthouse Best Practices isn't directly used by Google for ranking. But:

  • Console errors suggest broken features and lower trust
  • Vulnerable libraries expose users to XSS and supply-chain attacks
  • Mixed content breaks page functionality in modern browsers
  • Deprecated APIs will literally stop working in future Chrome releases

A site that passes Best Practices is a site that won't surprise you in six months.

Quick wins

  1. Open Chrome DevTools → Console → reload the page → fix every red message
  2. Upgrade jQuery (if you use it) to 3.x
  3. Add rel="noopener noreferrer" to every external link with target="_blank"
  4. Replace any http:// URLs in your HTML with https://
  5. Don't request notification or geolocation permission on page load — wait for a user gesture
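
An added example, not part of the original guide or of Lighthouse: a static check for quick wins 3 and 4 that scans an HTML document for external target="_blank" links missing rel="noopener" and for subresources loaded over http://. The sample page, the host names and the rule labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subset of tags whose src attribute fetches a subresource; http:// here is mixed content.
SUBRESOURCE_TAGS = {"script", "img", "iframe", "audio", "video", "source"}

class Scanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (line number, rule label, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        # External link opened in a new tab: rel must contain noopener
        # (noreferrer also implies noopener per the HTML spec).
        if tag in ("a", "area") and a.get("target", "").lower() == "_blank":
            host = urlparse(a.get("href", "")).hostname
            rel = set(a.get("rel", "").lower().split())
            if host and host != self.page_host and not rel & {"noopener", "noreferrer"}:
                self.findings.append((line, "missing-noopener", a["href"]))
        # Subresource loaded over plain HTTP. <a href="http://..."> is a
        # navigation, not mixed content, so anchors are not flagged here.
        src = a.get("src", "").strip()
        if tag in SUBRESOURCE_TAGS and src.lower().startswith("http://"):
            self.findings.append((line, "mixed-content", src))

def scan(html, page_host):
    """Return findings, in document order, for one page served from page_host."""
    scanner = Scanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, assumed to be served from https://www.example.test/
SAMPLE = """<!DOCTYPE html>
<html><head>
<script src="http://cdn.example/jquery.min.js"></script>
</head><body>
<a href="https://partner.example/" target="_blank">Partner</a>
<a href="https://partner.example/" target="_blank" rel="noopener noreferrer">Partner</a>
<a href="/about" target="_blank">About</a>
<a href="http://old.example/page">Old</a>
<img src="http://www.example.test/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, rule, url in scan(SAMPLE, "www.example.test"):
        print(f"line {line}: {rule}: {url}")
```

The scan only sees markup present in the HTML source; links and resources injected later by scripts still need the browser-based audit.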

Run the checker below to get your current score and the exact list of fixes.

Frequently Asked Questions

What's the difference between Best Practices and SEO?

Best Practices covers technical correctness — HTTPS, security, no console errors, no deprecated APIs. SEO covers search engine discoverability — titles, meta tags, structured data. Both matter, but they measure different things.

Does Lighthouse check for vulnerabilities?

Yes, partially. Lighthouse flags JavaScript libraries with known security vulnerabilities (via Snyk's open-source database). It doesn't replace a full security audit, but it catches the easy wins.

Why is my Best Practices score 92 even though everything seems fine?

Almost always console errors. Open DevTools, reload your page, and check the Console tab. Even a single warning will drop your score from 100 to 92.
