Testing Glossary

The QA vocabulary, A to Z

65 terms from the practice curriculum — each with a short definition and a direct link to the lab where the concept is explored in depth. Searchable; use it as a reference while reading other labs.

65 of 65 terms

A11y: Short for 'accessibility' — 11 letters between A and Y. Umbrella for making UIs usable by people with disabilities (visual, motor, cognitive, auditory). Governed by WCAG.
AAA pattern: Three-phase structure for a single test: Arrange (set up fixtures + state), Act (perform the operation under test), Assert (verify the outcome). Keeping phases visually separate makes tests readable at a glance.
ATDD: Tests derived from acceptance criteria, written BEFORE implementation. Similar to TDD but from user/business perspective. Often pairs with BDD syntax.
axe-core: Deque's open-source accessibility testing library. Runs in browser or Node, detects WCAG violations by rule. Covers ~30 % of a11y issues; the rest requires manual testing.

Backpressure: When producer is faster than consumer. Options: buffer (memory grows), drop (data lost), pause producer (flow control). Critical for WebSocket and streaming APIs.
Baseline: The 'known good' artifact (screenshot, JSON, performance metric) that future runs are compared to. Baselines require governance — auto-update = auto-approve bugs.
BDD: Style of expressing tests as Given/When/Then narratives, readable by non-engineers. Tools: Cucumber, SpecFlow. Not a testing technique — a documentation format.
Blast radius: How many systems/users a test or experiment can affect if it misfires. Bounded = one service; cascading = dependent services; systemic = whole platform. Central to chaos engineering.
BVA: Test design technique: for each valid range, probe the min, min+1, max, max-1 plus just-outside values. Bugs cluster at boundaries; BVA finds them cheaply.
Builder pattern: Chainable API for creating complex test objects. `new OrderBuilder().forUser(u).withItem(s, 1).build()`. Reads like a spec; better than deeply-nested factory arguments.

Canary deploy: Deploy to 1-5 % of traffic first, measure health, progressively increase. Catches bugs that only show up under real load or with real user data.
Chaos engineering: Deliberately inject faults (latency, errors, crashes) to verify system resilience. Hypothesis-driven: 'if X fails, Y must still work'. Different from load testing.
CJK: East Asian scripts with variable (typically 2×) character width. Layouts tuned for Latin word-wrapping often break on CJK. Requires specific testing strategy.
CLDR: Unicode's canonical database of locale information: plural rules, date formats, number formats, calendars. `Intl.PluralRules`, `Intl.NumberFormat` read from CLDR.
Clock skew: Client clock differs from server by minutes/hours. Breaks JWT validation, TOTP, signature expiry. Defense: generous server-side leeway window (30-60 s), reject beyond.
Contract test: Tests that the shape of data crossing a service boundary matches the agreed contract. Consumer-driven (Pact) or provider-driven (Schemathesis). Faster than E2E, catches breaking changes.
Correlation ID: Unique ID (UUID, ULID) attached to a request at entry, propagated through every service, logged on every line. Lets you reconstruct the full call graph from one ID.
CORS: Browser mechanism allowing controlled cross-origin requests. Preflight (OPTIONS) confirms server consent. Misconfiguration (wildcard + credentials) enables credential theft.
CSRF: Attacker submits authenticated request from victim's browser by tricking them into visiting a malicious site. Defense: anti-CSRF tokens + SameSite cookies + Origin validation.

Decision table: Enumerate every combination of N boolean conditions → 2^N rows of expected outcomes. Comprehensive coverage for rule-based logic (discounts, permissions, pricing).
Device farm: Services (BrowserStack, SauceLabs, Firebase Test Lab) that let you run tests on real iOS / Android devices per-minute. Necessary for iOS Safari coverage outside macOS.

E2E: Drives the real application through the UI (or public API) against a real deployed stack. Highest coverage per test; highest cost per test; most flaky.
Equivalence partition: Test design: group inputs into classes where any member behaves identically. Test one per class instead of all. Paired with BVA for boundary coverage.
ETag: Opaque resource fingerprint (usually hash). Enables conditional GETs (`If-None-Match` → 304), optimistic concurrency (`If-Match` → 412). Weak (`W/"..."`) vs strong differ in equality.
Exploratory testing: Mission-driven testing without predefined scripts. Session has a charter (what to investigate) + time-box + notes. Finds bugs scripted tests don't anticipate.

Factory: Function that returns a valid entity with sensible defaults. `orderFactory({ total: 999 })` — override only what matters. Lighter than Builder.
Fixture: Pre-recorded data (JSON, YAML, DB dump) loaded before tests. Readable, shareable. Brittle to schema changes.
Flaky test: Fails sometimes, passes sometimes, with no code change. Five families: timing, network, state, order, environment. Hiding behind retries is tech debt.
Forced colors: OS setting that replaces all colors with system-defined high-contrast palette. Background images, SVG fills, subtle borders disappear. Test via `page.emulateMedia({ forcedColors: 'active' })`.

gRPC: Google's RPC framework using HTTP/2 + Protocol Buffers. Four stream types (unary, server, client, bidi). Status codes distinct from HTTP.

HATEOAS: REST principle: responses include links to next valid actions. Client navigates via links, never constructs URLs. Decouples client from server URL structure.

i18n: 18 letters between i and n. Designing software to support multiple locales without code changes. Paired with L10n (localization) — actually translating / formatting.
Idempotency: Same request, any number of times → same state. GET/PUT/DELETE are idempotent by spec; POST is NOT (use `Idempotency-Key` header for retry safety).
Integration test: Tests a cluster of real modules (no mocks at the outer edge): API route + DB + cache, etc. Middle layer of the pyramid.

Jitter: Small random component added to retry backoff to prevent thundering herd. `delay = base * 2^attempt + random(0, base)`. Standard in production retry logic.
JWT: Compact signed token (header.payload.signature). Common auth token. Attacks: `alg: none`, algorithm confusion, missing `exp` check.

L10n: 10 letters between L and n. Actually translating strings + formatting dates/numbers/currency for a locale. Done in libraries like next-intl, react-intl.
Last-Event-ID: HTTP header browsers send on SSE reconnect. Server replays events with ID > value. Enables seamless resume across network flaps.
Load test: Hold concurrency at documented peak for 5-10 min. Validates system meets SLO under normal load.

MFA / TOTP: Extra auth factor — 6-digit code from authenticator app, valid for 30 s window. HMAC-SHA1 of (secret, current counter). Test ±1 window for clock skew.

NFC / NFD: NFC = composed (`é` = 1 codepoint); NFD = decomposed (`e` + combining acute = 2). Look identical, compare unequal. Normalize at every boundary.

OpenAPI: Machine-readable YAML/JSON describing REST endpoints, schemas, auth. Drives doc generation (Swagger UI), mock servers (Prism), contract tests (Schemathesis).

Pact: Consumer records expectations as a Pact file. Provider verifies against the Pact. Ensures each consumer's assumptions hold without running full E2E.
PKCE: OAuth extension required for public clients (SPA, mobile) since OAuth 2.1. `code_verifier` (random) + `code_challenge` (SHA-256). Blocks code interception attacks.
Preflight (CORS): OPTIONS request browsers send before non-simple cross-origin requests. Server must reply with `Access-Control-Allow-*` headers. Cached via `Max-Age`.
Pseudo-locale: Synthetic locale (`[→Ẅëlçømë ✦✦←]`) with accented chars + 30 % length padding. Catches most layout bugs without real translators.

Quarantine: Move flaky tests to a separate suite that doesn't gate merges but still surfaces for review. Requires an SLA ('fix or delete in N days') — otherwise becomes dead weight.

RED metrics: Three health signals per endpoint: requests per second, error ratio, latency distribution. Simpler than USE (Utilization/Saturation/Errors), more service-focused.
Retry budget: Cap on retry attempts with exponential backoff + jitter. Infinite retries amplify outages (thundering herd). Rule of thumb: 3 attempts, 30 s total wall time.
RTL: Writing systems read right-to-left: Arabic, Hebrew, Farsi, Urdu. Full UI layout mirrors — navigation, icons, scrollbars, directional chevrons.

Schemathesis: Reads OpenAPI spec, generates thousands of valid + invalid requests via Hypothesis. Finds edge cases the schema allows but the server rejects.
Severity vs Priority: Severity = how bad (data loss? crash?). Priority = how urgent (blocking release? small user?). Orthogonal — low-severity can be high-priority before a regulated launch.
Shard: Split test files across N CI machines (`--shard=1/4` to `--shard=4/4`). Scales beyond single-machine parallelization. Requires test isolation.
Soak test: Hold moderate load for hours/days. Finds memory leaks, connection-pool exhaustion, slow queries that 10-min tests miss.
SSE: Unidirectional HTTP streaming (`Content-Type: text/event-stream`). Server pushes events to client. Auto-reconnect with `Last-Event-ID` resume.
SSRF: API accepts URL, fetches it server-side without validation. Attacker points at 169.254.169.254 (cloud metadata), localhost, internal services.

Test oracle: What the test compares actual against: spec doc, existing system (regression), reference implementation, heuristic. A test without an oracle is just a smoke test.
Toxiproxy: Shopify's chaos tool: inject latency, packet loss, connection resets at proxy layer. Zero app-code changes. Sidecars for language-agnostic chaos.
Traceparent: `00-<traceId>-<spanId>-<flags>` format. Propagates trace identity across services. Server preserves traceId, generates fresh spanId per hop.

Unit test: Pure function + mocked collaborators. Milliseconds per test; 60-70 % of the pyramid. If you need 5+ mocks, the function has too many responsibilities.

Virtual scroll: Only render visible + nearby rows; recycle DOM nodes on scroll. Scales to 10,000+ rows. Tests must scroll target into view BEFORE assertions.

WCAG: W3C standard for accessibility. Levels A / AA / AAA. Current is 2.2 (Oct 2023) — added Target Size, Dragging Movements, Accessible Authentication.
Webhook: Producer POSTs events to consumer-provided URL. Must be idempotent on event ID (retries), signature-verified (HMAC), fast to ack (<10 s).

XSS: User input reflected in HTML without escaping, executes as script. Reflected (URL), stored (DB), DOM-based. Defense: output encoding + CSP.

ZAP: Free, open-source DAST tool. Crawls + fuzzes + checks OWASP Top 10. Can run in CI headless mode for automated security testing.

← Back to all Labs

Back to Labs

Testing Glossary

The QA vocabulary, A to Z

65 terms from the practice curriculum — each with a short definition and a direct link to the lab where the concept is explored in depth. Searchable; use it as a reference while reading other labs.

65 of 65 terms

A11y: Short for 'accessibility' — 11 letters between A and Y. Umbrella for making UIs usable by people with disabilities (visual, motor, cognitive, auditory). Governed by WCAG.
AAA pattern: Three-phase structure for a single test: Arrange (set up fixtures + state), Act (perform the operation under test), Assert (verify the outcome). Keeping phases visually separate makes tests readable at a glance.
ATDD: Tests derived from acceptance criteria, written BEFORE implementation. Similar to TDD but from user/business perspective. Often pairs with BDD syntax.
axe-core: Deque's open-source accessibility testing library. Runs in browser or Node, detects WCAG violations by rule. Covers ~30 % of a11y issues; the rest requires manual testing.

Backpressure: When producer is faster than consumer. Options: buffer (memory grows), drop (data lost), pause producer (flow control). Critical for WebSocket and streaming APIs.
Baseline: The 'known good' artifact (screenshot, JSON, performance metric) that future runs are compared to. Baselines require governance — auto-update = auto-approve bugs.
BDD: Style of expressing tests as Given/When/Then narratives, readable by non-engineers. Tools: Cucumber, SpecFlow. Not a testing technique — a documentation format.
Blast radius: How many systems/users a test or experiment can affect if it misfires. Bounded = one service; cascading = dependent services; systemic = whole platform. Central to chaos engineering.
BVA: Test design technique: for each valid range, probe the min, min+1, max, max-1 plus just-outside values. Bugs cluster at boundaries; BVA finds them cheaply.
Builder pattern: Chainable API for creating complex test objects. `new OrderBuilder().forUser(u).withItem(s, 1).build()`. Reads like a spec; better than deeply-nested factory arguments.

Canary deploy: Deploy to 1-5 % of traffic first, measure health, progressively increase. Catches bugs that only show up under real load or with real user data.
Chaos engineering: Deliberately inject faults (latency, errors, crashes) to verify system resilience. Hypothesis-driven: 'if X fails, Y must still work'. Different from load testing.
CJK: East Asian scripts with variable (typically 2×) character width. Layouts tuned for Latin word-wrapping often break on CJK. Requires specific testing strategy.
CLDR: Unicode's canonical database of locale information: plural rules, date formats, number formats, calendars. `Intl.PluralRules`, `Intl.NumberFormat` read from CLDR.
Clock skew: Client clock differs from server by minutes/hours. Breaks JWT validation, TOTP, signature expiry. Defense: generous server-side leeway window (30-60 s), reject beyond.
Contract test: Tests that the shape of data crossing a service boundary matches the agreed contract. Consumer-driven (Pact) or provider-driven (Schemathesis). Faster than E2E, catches breaking changes.
Correlation ID: Unique ID (UUID, ULID) attached to a request at entry, propagated through every service, logged on every line. Lets you reconstruct the full call graph from one ID.
CORS: Browser mechanism allowing controlled cross-origin requests. Preflight (OPTIONS) confirms server consent. Misconfiguration (wildcard + credentials) enables credential theft.
CSRF: Attacker submits authenticated request from victim's browser by tricking them into visiting a malicious site. Defense: anti-CSRF tokens + SameSite cookies + Origin validation.

Decision table: Enumerate every combination of N boolean conditions → 2^N rows of expected outcomes. Comprehensive coverage for rule-based logic (discounts, permissions, pricing).
Device farm: Services (BrowserStack, SauceLabs, Firebase Test Lab) that let you run tests on real iOS / Android devices per-minute. Necessary for iOS Safari coverage outside macOS.

E2E: Drives the real application through the UI (or public API) against a real deployed stack. Highest coverage per test; highest cost per test; most flaky.
Equivalence partition: Test design: group inputs into classes where any member behaves identically. Test one per class instead of all. Paired with BVA for boundary coverage.
ETag: Opaque resource fingerprint (usually hash). Enables conditional GETs (`If-None-Match` → 304), optimistic concurrency (`If-Match` → 412). Weak (`W/"..."`) vs strong differ in equality.
Exploratory testing: Mission-driven testing without predefined scripts. Session has a charter (what to investigate) + time-box + notes. Finds bugs scripted tests don't anticipate.

Factory: Function that returns a valid entity with sensible defaults. `orderFactory({ total: 999 })` — override only what matters. Lighter than Builder.
Fixture: Pre-recorded data (JSON, YAML, DB dump) loaded before tests. Readable, shareable. Brittle to schema changes.
Flaky test: Fails sometimes, passes sometimes, with no code change. Five families: timing, network, state, order, environment. Hiding behind retries is tech debt.
Forced colors: OS setting that replaces all colors with system-defined high-contrast palette. Background images, SVG fills, subtle borders disappear. Test via `page.emulateMedia({ forcedColors: 'active' })`.

gRPC: Google's RPC framework using HTTP/2 + Protocol Buffers. Four stream types (unary, server, client, bidi). Status codes distinct from HTTP.

HATEOAS: REST principle: responses include links to next valid actions. Client navigates via links, never constructs URLs. Decouples client from server URL structure.

i18n: 18 letters between i and n. Designing software to support multiple locales without code changes. Paired with L10n (localization) — actually translating / formatting.
Idempotency: Same request, any number of times → same state. GET/PUT/DELETE are idempotent by spec; POST is NOT (use `Idempotency-Key` header for retry safety).
Integration test: Tests a cluster of real modules (no mocks at the outer edge): API route + DB + cache, etc. Middle layer of the pyramid.

Jitter: Small random component added to retry backoff to prevent thundering herd. `delay = base * 2^attempt + random(0, base)`. Standard in production retry logic.
JWT: Compact signed token (header.payload.signature). Common auth token. Attacks: `alg: none`, algorithm confusion, missing `exp` check.

L10n: 10 letters between L and n. Actually translating strings + formatting dates/numbers/currency for a locale. Done in libraries like next-intl, react-intl.
Last-Event-ID: HTTP header browsers send on SSE reconnect. Server replays events with ID > value. Enables seamless resume across network flaps.
Load test: Hold concurrency at documented peak for 5-10 min. Validates system meets SLO under normal load.

MFA / TOTP: Extra auth factor — 6-digit code from authenticator app, valid for 30 s window. HMAC-SHA1 of (secret, current counter). Test ±1 window for clock skew.

NFC / NFD: NFC = composed (`é` = 1 codepoint); NFD = decomposed (`e` + combining acute = 2). Look identical, compare unequal. Normalize at every boundary.

OpenAPI: Machine-readable YAML/JSON describing REST endpoints, schemas, auth. Drives doc generation (Swagger UI), mock servers (Prism), contract tests (Schemathesis).

Pact: Consumer records expectations as a Pact file. Provider verifies against the Pact. Ensures each consumer's assumptions hold without running full E2E.
PKCE: OAuth extension required for public clients (SPA, mobile) since OAuth 2.1. `code_verifier` (random) + `code_challenge` (SHA-256). Blocks code interception attacks.
Preflight (CORS): OPTIONS request browsers send before non-simple cross-origin requests. Server must reply with `Access-Control-Allow-*` headers. Cached via `Max-Age`.
Pseudo-locale: Synthetic locale (`[→Ẅëlçømë ✦✦←]`) with accented chars + 30 % length padding. Catches most layout bugs without real translators.

Quarantine: Move flaky tests to a separate suite that doesn't gate merges but still surfaces for review. Requires an SLA ('fix or delete in N days') — otherwise becomes dead weight.

RED metrics: Three health signals per endpoint: requests per second, error ratio, latency distribution. Simpler than USE (Utilization/Saturation/Errors), more service-focused.
Retry budget: Cap on retry attempts with exponential backoff + jitter. Infinite retries amplify outages (thundering herd). Rule of thumb: 3 attempts, 30 s total wall time.
RTL: Writing systems read right-to-left: Arabic, Hebrew, Farsi, Urdu. Full UI layout mirrors — navigation, icons, scrollbars, directional chevrons.

Schemathesis: Reads OpenAPI spec, generates thousands of valid + invalid requests via Hypothesis. Finds edge cases the schema allows but the server rejects.
Severity vs Priority: Severity = how bad (data loss? crash?). Priority = how urgent (blocking release? small user?). Orthogonal — low-severity can be high-priority before a regulated launch.
Shard: Split test files across N CI machines (`--shard=1/4` to `--shard=4/4`). Scales beyond single-machine parallelization. Requires test isolation.
Soak test: Hold moderate load for hours/days. Finds memory leaks, connection-pool exhaustion, slow queries that 10-min tests miss.
SSE: Unidirectional HTTP streaming (`Content-Type: text/event-stream`). Server pushes events to client. Auto-reconnect with `Last-Event-ID` resume.
SSRF: API accepts URL, fetches it server-side without validation. Attacker points at 169.254.169.254 (cloud metadata), localhost, internal services.

Test oracle: What the test compares actual against: spec doc, existing system (regression), reference implementation, heuristic. A test without an oracle is just a smoke test.
Toxiproxy: Shopify's chaos tool: inject latency, packet loss, connection resets at proxy layer. Zero app-code changes. Sidecars for language-agnostic chaos.
Traceparent: `00-<traceId>-<spanId>-<flags>` format. Propagates trace identity across services. Server preserves traceId, generates fresh spanId per hop.

Unit test: Pure function + mocked collaborators. Milliseconds per test; 60-70 % of the pyramid. If you need 5+ mocks, the function has too many responsibilities.

Virtual scroll: Only render visible + nearby rows; recycle DOM nodes on scroll. Scales to 10,000+ rows. Tests must scroll target into view BEFORE assertions.

WCAG: W3C standard for accessibility. Levels A / AA / AAA. Current is 2.2 (Oct 2023) — added Target Size, Dragging Movements, Accessible Authentication.
Webhook: Producer POSTs events to consumer-provided URL. Must be idempotent on event ID (retries), signature-verified (HMAC), fast to ack (<10 s).

XSS: User input reflected in HTML without escaping, executes as script. Reflected (URL), stored (DB), DOM-based. Defense: output encoding + CSP.

ZAP: Free, open-source DAST tool. Crawls + fuzzes + checks OWASP Top 10. Can run in CI headless mode for automated security testing.

← Back to all Labs

A

B

C

D

E

F

G

H

I

J

L

M

N

O

P

Q

R

S

T

U

V

W

X

Z

A

B

C

D

E

F

G

H

I

J

L

M

N

O

P

Q

R

S

T

U

V

W

X

Z