Coverage library

What the spider actually tests.

Not a features list — the real checks that run against products like yours. Every topic below ships as an automated suite: UI flows in a real browser, contracts against the API, re-run on every deploy.

Auth & sessions

The flows that lock users out when they break — and the ones attackers try first. The spider drives real sign-ins with test accounts and checks every unhappy path.

  • Sign-up with valid / already-used / malformed emails
  • Login, logout, session expiry and refresh
  • Password reset end-to-end, including the email link
  • Redirect back to the intended page after login
  • Rate limiting and error copy on repeated failures

Checkout & payments

Revenue flows get the deepest coverage. Sandbox cards, declined payments, abandoned carts — tested on staging, never against real money.

  • Add to cart → checkout → sandbox payment → confirmation
  • Declined card, expired card and 3DS challenge paths
  • Prices, taxes and totals consistent between pages and API
  • Coupons, empty carts and quantity edge cases
  • Order confirmation email and webhook delivery

API contracts — REST & GraphQL

Most regressions ship in the backend and surface later. Contract checks catch them in seconds, before any UI test would even load.

  • Response shape and status codes for every public endpoint
  • Auth boundaries: expired tokens, missing scopes, other users’ data
  • Error bodies stay machine-readable (no HTML in a JSON API)
  • Pagination, filtering and sorting behave under real data volumes
  • Breaking-change detection against the previous contract

Forms & validation

Every form is a contract with your users. The spider fills them like a hurried human — wrong, empty, pasted and double-submitted.

  • Required-field and format validation, client and server side
  • Double-submit protection and loading states
  • Unicode, emoji and very long input values
  • Error messages point at the actual broken field
  • Success states, redirects and notifications after submit

Roles & permissions

The bugs nobody notices until a customer sees another customer’s data. Role-based checks run as different users against the same resources.

  • Viewer / editor / admin see exactly what they should
  • Direct-URL access to restricted pages is denied
  • API objects owned by other accounts are unreachable
  • Downgraded users lose access immediately

Files & uploads

Uploads fail in creative ways. The spider brings the whole zoo of files.

  • Supported formats upload, render and download intact
  • Oversized and zero-byte files fail with a clear message
  • Wrong extensions and MIME mismatches are rejected
  • Progress, cancel and retry behave under a slow network

Web3 & smart contracts

dApps break in ways classic suites never see — a UI that quietly disagrees with the chain. The spider tests both sides of the bridge, with emulated wallets and no real funds.

  • Wallet connect, network switch and signing — including reject paths
  • Contract calls against testnets and forked mainnet: state, reverts, events
  • Rendered balances and positions match actual on-chain state
  • Gas-estimation failures and pending-transaction UI states
  • Indexer / subgraph consistency with chain events

Performance smoke

Not a load test — a tripwire. The spider tracks response times per page and endpoint and flags regressions against the baseline.

  • Page-load and API latency baselines per route
  • Console errors and failed network requests on every page
  • Payload-size regressions (the accidental 4 MB bundle)
  • Third-party outages detected and excluded from your score

Want this list, but for your product?

Drop your URL on the homepage — the spider drafts a coverage plan for your actual pages in about a minute.

Analyze my site →