The latest articles on DEV Community by Norbert Takács (@technorbidev). https://dev.to/technorbidev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3757367%2F2cf4f82e-e510-4cd2-adcb-ca8617e248e1.jpeg https://dev.to/technorbidev en Norbert Takács Fri, 06 Feb 2026 20:51:47 +0000 https://dev.to/technorbidev/building-a-wcag-accessibility-checker-api-with-puppeteer-and-axe-core-37o1 https://dev.to/technorbidev/building-a-wcag-accessibility-checker-api-with-puppeteer-and-axe-core-37o1 <p>The EU Accessibility Act (EAA) took effect in June 2025, requiring digital products and services to meet WCAG 2.1 AA standards. This means millions of websites now need compliance checking.</p> <p>I built an API that does this in one call — send a URL, get back a structured WCAG compliance report with a 0-100 score, violation details, and fix suggestions.</p> <h2> The Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client → API Gateway → Lambda (arm64) → Puppeteer + axe-core ↕ DynamoDB (cache, usage tracking) </code></pre> </div> <p><strong>Stack:</strong> TypeScript, Puppeteer, axe-core, AWS Lambda, DynamoDB, Terraform</p> <h2> How It Works </h2> <ol> <li>Receive a URL via POST request</li> <li>Validate the URL and check for SSRF (block private IPs)</li> <li>Check robots.txt (respect site owners)</li> <li>Launch headless Chromium, navigate to the page</li> <li>Inject axe-core and run accessibility analysis</li> <li>Calculate a weighted score and return structured results</li> </ol> <h2> The Hard Parts </h2> <h3> Chromium on Lambda </h3> <p>Lambda has a 250MB deployment limit, and Chromium is ~62MB compressed. I used <code>@sparticuz/chromium</code> as a Lambda layer, uploaded via S3 since it exceeds the 50MB direct upload limit.</p> <p>The browser pool pattern is essential — reuse the browser across invocations, but create a fresh page per request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">browser</span><span class="p">:</span> <span class="nx">Browser</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getBrowser</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Browser</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">browser</span><span class="p">?.</span><span class="nf">isConnected</span><span class="p">())</span> <span class="k">return</span> <span class="nx">browser</span><span class="p">;</span> <span class="nx">browser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">puppeteer</span><span class="p">.</span><span class="nf">launch</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="nx">chromium</span><span class="p">.</span><span class="nx">args</span><span class="p">,</span> <span class="na">executablePath</span><span class="p">:</span> <span class="k">await</span> <span class="nx">chromium</span><span class="p">.</span><span class="nf">executablePath</span><span class="p">(),</span> <span class="na">headless</span><span class="p">:</span> <span class="nx">chromium</span><span class="p">.</span><span class="nx">headless</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">browser</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> SSRF Prevention </h3> <p>Since the API accepts arbitrary URLs, SSRF prevention is critical. I resolve DNS before connecting and block all private IP ranges:</p> <ul> <li> <code>127.0.0.0/8</code>, <code>10.0.0.0/8</code>, <code>172.16.0.0/12</code>, <code>192.168.0.0/16</code> </li> <li> <code>169.254.169.254</code> (AWS metadata endpoint)</li> <li>IPv6 loopback and link-local addresses</li> </ul> <h3> axe-core Gotcha </h3> <p>The biggest bug I hit: <code>axe.run('document')</code> treats the string <code>'document'</code> as a CSS selector, not the document object. You need to pass the actual <code>globalThis['document']</code> object inside <code>page.evaluate()</code>.</p> <h2> Scoring Formula </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>score = max(0, 100 - critical*10 - serious*5 - moderate*2 - minor*0.5) </code></pre> </div> <p>Automated tools catch approximately 30-57% of all accessibility issues, so this score is an approximation — manual review is still recommended.</p> <h2> Example Response </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mi">72</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"critical"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"serious"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"moderate"</span><span class="p">:</span><span class="w"> </span><span class="mi">8</span><span class="p">,</span><span class="w"> </span><span class="nl">"minor"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"violations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"color-contrast"</span><span class="p">,</span><span class="w"> </span><span class="nl">"impact"</span><span class="p">:</span><span class="w"> </span><span class="s2">"serious"</span><span class="p">,</span><span class="w"> </span><span class="nl">"wcagCriteria"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"1.4.3"</span><span class="p">],</span><span class="w"> </span><span class="nl">"nodes"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">".subtitle"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Change text color to at least #767676"</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Cost at Scale </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Monthly Scans</th> <th>AWS Cost</th> </tr> </thead> <tbody> <tr> <td>1,000</td> <td>~$1</td> </tr> <tr> <td>10,000</td> <td>~$9</td> </tr> <tr> <td>50,000</td> <td>~$40</td> </tr> </tbody> </table></div> <p>Running on arm64 (Graviton2) saves ~20% compared to x86.</p> <h2> Try It </h2> <p>The API is available on RapidAPI with a free tier (50 scans/month). If you're working on accessibility tooling or need to integrate WCAG checking into your CI/CD pipeline, give it a try.</p> <p><em>Have questions about the implementation? Drop a comment below.</em></p> webdev a11y typescript aws