Best Practices audits check whether your site follows established web standards for security, browser compatibility, and user experience. Unlike Performance metrics with thresholds and percentiles, these are binary: pass or fail.
A site can score 100 on Performance and still fail Best Practices because of a single console error or missing HTTPS. These audits catch the fundamentals that are easy to overlook but damage user trust.
The Best Practices score is a simple percentage of passed audits. 12 audits total, each weighted equally. Pass 10 of 12 and you score 83.
These audits fall into three categories:
Security audits verify your site protects users from common attack vectors.
| Audit | What It Checks | Why It Matters |
|---|---|---|
| Uses HTTPS | Page loaded over secure connection | Prevents man-in-the-middle attacks, required for modern APIs |
| Redirects HTTP to HTTPS | HTTP requests redirect to HTTPS | Ensures users always land on secure version |
HTTPS is non-negotiable in 2025. Browsers flag HTTP sites as "Not Secure," many APIs refuse to work, and SEO suffers. If you're still on HTTP, this is priority zero.
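One way to check the redirect behaviour in the table above is to walk the redirect chain from the `http://` URL and confirm that content is only ever served from `https://`. This is an added example, not code from Lighthouse or Unlighthouse; `checkHttpsRedirect`, the `lookup` callback and the sample responses are assumptions constructed for illustration.

```javascript
// Added example. `lookup` is a hypothetical (url) => { status, location }
// function standing in for a real HTTP client that does not follow redirects.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

function checkHttpsRedirect(startUrl, lookup, maxHops = 10) {
  const hops = [];
  const seen = new Set();
  let current = new URL(startUrl);
  if (current.protocol !== 'http:') {
    return { pass: false, reason: 'start URL must be http://', hops };
  }
  for (let i = 0; i <= maxHops; i++) {
    if (seen.has(current.href)) {
      return { pass: false, reason: 'redirect loop', hops };
    }
    seen.add(current.href);
    const res = lookup(current.href);
    hops.push({ url: current.href, status: res.status });
    if (!REDIRECT_CODES.has(res.status)) {
      // The chain ends here: the final response must come from an https:// URL.
      const pass = current.protocol === 'https:';
      return { pass, reason: pass ? 'ends on https' : 'content served over http', hops };
    }
    if (!res.location) {
      return { pass: false, reason: 'redirect without Location header', hops };
    }
    // Location may be relative; resolve it against the URL that returned it.
    current = new URL(res.location, current);
  }
  return { pass: false, reason: 'too many redirects', hops };
}

// Constructed sample responses (not captured from a real site).
const SAMPLE_RESPONSES = {
  'http://example.test/': { status: 301, location: 'https://example.test/' },
  'https://example.test/': { status: 200 },
  'http://legacy.example.test/': { status: 302, location: '/home' },
  'http://legacy.example.test/home': { status: 200 },
};
const sampleLookup = (url) => SAMPLE_RESPONSES[url] || { status: 404 };
```

The second sample host shows the case that is easy to miss: a relative `Location` keeps the scheme of the URL that returned it, so the redirect exists but the user still lands on HTTP.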
These audits check that your site works correctly across browsers and leverages modern web platform features.
| Audit | What It Checks | Why It Matters |
|---|---|---|
| bfcache eligible | Page can use back/forward cache | Instant back navigation, better UX |
| Valid charset | Character encoding declared properly | Prevents garbled text, accessibility issues |
| Valid DOCTYPE | HTML5 doctype present | Standards mode rendering, predictable behavior |
| Avoids deprecated APIs | No deprecated browser APIs used | Future-proofing, avoiding breaking changes |
The bfcache audit is particularly impactful. When eligible, back/forward navigation is instant—the browser restores the page from memory rather than reloading. Users expect this behavior and notice when it's broken.
UX audits catch patterns that frustrate users or violate their expectations.
| Audit | What It Checks | Why It Matters |
|---|---|---|
| No browser errors | Console free of errors | Errors indicate broken functionality |
| No geolocation on start | Geolocation not requested on load | Permission requests need user context |
| No notification on start | Notifications not requested on load | Same principle—context before permission |
| Allows paste in passwords | Password fields allow pasting | Password managers need paste support |
| Proper image sizing | Images sized appropriately for display | Prevents blurry or wasteful images |
| Correct aspect ratios | Images maintain aspect ratio | Prevents distorted images |
| No DevTools issues | No issues flagged by DevTools | Catches various browser-detected problems |
The permission audits reflect a broader principle: never ask for permissions without user context. A geolocation prompt on page load feels invasive. The same prompt after clicking "Find stores near me" makes sense.
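To find permission prompts that fire without user context, the geolocation and notification entry points can be wrapped so that every call made without a user gesture is reported. This is an added example, not Lighthouse's implementation; `installPermissionAudit`, the `report` callback and the fake window are hypothetical, and it assumes that "no transient user activation" (`navigator.userActivation.isActive` is false) is a reasonable stand-in for "no user context".

```javascript
// Added example. installPermissionAudit and the report callback are hypothetical names.
// Assumption: "no transient user activation" stands in for "no user context".
function installPermissionAudit(win, report) {
  const userInitiated = () =>
    Boolean(win.navigator.userActivation && win.navigator.userActivation.isActive);

  const wrap = (owner, method, label) => {
    if (!owner || typeof owner[method] !== 'function') return;
    const original = owner[method];
    owner[method] = function (...args) {
      if (!userInitiated()) {
        report({ api: label, readyState: win.document.readyState });
      }
      return original.apply(this, args); // behaviour is unchanged, only observed
    };
  };

  wrap(win.navigator.geolocation, 'getCurrentPosition', 'geolocation.getCurrentPosition');
  wrap(win.navigator.geolocation, 'watchPosition', 'geolocation.watchPosition');
  wrap(win.Notification, 'requestPermission', 'Notification.requestPermission');
}

// Constructed stand-in for window so the shim can be exercised outside a browser.
function fakeWindow() {
  return {
    document: { readyState: 'loading' },
    navigator: {
      userActivation: { isActive: false },
      geolocation: { getCurrentPosition() {}, watchPosition() {} },
    },
    Notification: { requestPermission() { return Promise.resolve('default'); } },
  };
}

// Simulates a page that prompts on load, then again after a "Find stores near me" click.
function simulatePromptOnLoad() {
  const win = fakeWindow();
  const findings = [];
  installPermissionAudit(win, (f) => findings.push(f));
  win.navigator.geolocation.getCurrentPosition(() => {}); // on load: reported
  win.Notification.requestPermission();                   // on load: reported
  win.document.readyState = 'complete';
  win.navigator.userActivation.isActive = true;           // user clicked
  win.navigator.geolocation.getCurrentPosition(() => {}); // after click: not reported
  return findings;
}
```

In a browser, call `installPermissionAudit(window, console.warn)` before any other script runs so that third-party code is covered as well.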
Best Practices scoring is straightforward:
Each failed audit drops your score by about 8 points. Unlike Performance where partial improvements help, Best Practices is all-or-nothing per audit.
Important: A single console error drops you to 92. A missing HTTPS redirect drops you to 92. These are easy to miss during development but show up in production.
Third-party scripts: Ad networks, analytics, and widgets often throw console errors or use deprecated APIs. You can't always fix these, but you can choose better vendors or load scripts conditionally.
Development leftovers: Debug logging, test console.log statements, and uncaught promise rejections that worked fine locally but fail in production.
Legacy code: Old APIs that still work but are deprecated. The site functions, but the audit fails. Refactoring takes time but avoids future breakage.
Eager permission requests: Marketing pressure to prompt for notifications immediately. This tanks user trust and fails the audit. Delay permission requests until users demonstrate intent.
Chrome DevTools:
Key things to check:
Quick reference for every audit:
| Audit | Category |
|---|---|
| Uses HTTPS | Security |
| Redirects HTTP to HTTPS | Security |
| bfcache eligible | Browser |
| Valid charset | Browser |
| Valid DOCTYPE | Browser |
| Avoids deprecated APIs | Browser |
| No browser errors | UX |
| No geolocation on start | UX |
| No notification on start | UX |
| Allows paste in passwords | UX |
| Proper image sizing | UX |
| Correct aspect ratios | UX |
| No DevTools issues | UX |
The home page might pass Best Practices while blog posts throw console errors. The checkout flow might request permissions inappropriately. Dynamic pages might have image sizing issues that static pages don't.
Unlighthouse scans your entire site and surfaces Best Practices scores for every page. You'll find console errors on obscure pages, permission prompts you forgot about, and deprecated APIs in legacy sections.
The CLI is free and runs locally. Cloud adds scheduled monitoring to catch regressions—like when a third-party script update breaks your score.