usability.cat Documentation

Getting Started

What is Usability Cat?How Scans Work Understanding Your Results Improving Your Score

UI/UX Guide

Why UI/UX Matters Typography Color & Contrast Layout & Spacing Navigation Forms & Inputs

Security

Why Security Matters HTTPS & Security Headers Common Vulnerabilities Dependencies

Accessibility

Accessibility Issues Missing Skip-to-Content Link Missing or Broken Heading Hierarchy Missing Form Labels Low Color Contrast Missing Alt Text on Images Missing ARIA Labels Keyboard Inaccessible Elements Missing Language Attribute Screen Reader Issues Decorative SVG Issues No Reduced Motion Fallback Stateful Controls Missing ARIA States Deprecated HTML Elements Missing Required Field Indicators

Navigation

Navigation Issues Missing Navigation Menu Missing Landmark Elements Missing Breadcrumbs Missing Call-to-Action Small Touch Targets Poor Focus Management Missing Footer Missing Search Functionality Missing Back Navigation

Visual Design

Visual Design Issues Poor Visual Hierarchy Inconsistent Spacing Inconsistent Typography Inconsistent Colors Dark Mode Issues Cluttered Layout Unfinished Appearance

Forms

Form Issues Form Validation Issues Form Layout Issues Missing Input Types Placeholder Text as Label Email Capture Missing

Content & Readability

Content & Readability Issues Poor Text Readability Text Too Small Poor Line Spacing Content Too Wide Missing Meta Description

Performance

Performance Issues Excessive DOM Size Heavy Inline Styles Missing Image Dimensions Missing Lazy Loading Render-Blocking Resources Large JavaScript Bundle Unoptimized Images Table-Based Layout

Mobile

Mobile Issues Missing Mobile Navigation Poor Touch Ergonomics Viewport Meta Issues Missing Safe Area Insets Poor Mobile Text Legibility Poor Responsive Design

Security

Security Issues Dangerous innerHTML Usage Missing CSRF Protection Exposed Source Maps Exposed API Keys Unrestricted File Upload Insecure Dependencies document.write() Usage Sensitive Data in localStorage Insecure API Calls (HTTP)

Issue Wiki

Security Issues

The cat sniffs out exposed API keys, XSS vulnerabilities, missing CSRF protection, and other security issues.

The cat sniffs out exposed API keys, XSS vulnerabilities, missing CSRF protection, and other security issues hiding in your code.

Dangerous innerHTML UsageLetting strangers write on your whiteboard — that's what unsanitized innerHTML does. It opens the door to cross-site scripting attacks.
document.write() UsageRewriting the entire page while someone is reading it — that's what document.write() does. There are much better ways to update the DOM.
Exposed API KeysWriting your PIN on the back of your debit card — that's what hardcoding API keys in client-side code does. Anyone can see them.
Exposed Source MapsPublishing the blueprint of your house online — that's what leaving source maps in production does. Attackers can read your entire codebase.
Insecure API Calls (HTTP)Sending a postcard instead of a sealed letter — that's what HTTP API calls do. Anyone between you and the server can read everything.
Insecure DependenciesBuilding your house with recalled materials — that's what happens when your npm packages have known vulnerabilities. Audit and update them.
Sensitive Data in localStorageSticky note with passwords on your monitor — that's what storing secrets in localStorage looks like. Anyone who walks by can read them.
Missing CSRF ProtectionLeaving your car unlocked with the engine running — that's a form without CSRF protection. Anyone can take it for a ride.
Unrestricted File UploadA mailbox that accepts packages of any size with no screening — that's file upload without restrictions. Time to add some rules.

Poor Responsive Design

Furniture that doesn't fit through the door — that's your desktop layout crammed onto a mobile screen. Make it adapt properly.

Dangerous innerHTML Usage

Letting strangers write on your whiteboard — that's what unsanitized innerHTML does. It opens the door to cross-site scripting attacks.