QA How-To
Testing an OCR pipeline (2026)
Learn testing an OCR pipeline with representative documents, ground truth, CER and WER, layout checks, field validation, performance, security, and pytest.
25 min read | 3,598 words
TL;DR
Testing an OCR pipeline requires representative document images, trustworthy ground truth, stage-level observability, and metrics tied to user outcomes. Measure text, layout, reading order, and critical fields separately, then add robustness, security, latency, and production drift checks.
Key Takeaways
- Test acquisition, preprocessing, layout, recognition, post-processing, and business extraction as observable stages.
- Build a consented, versioned corpus sliced by document, script, capture condition, layout, and business risk.
- Create ground truth with written transcription rules, double review, coordinates, and explicit illegible regions.
- Use CER and WER for text, IoU and reading order for layout, and exact or normalized accuracy for critical fields.
- Keep raw and normalized scores separate so cleanup does not hide recognition defects.
- Include malformed files, decompression bombs, embedded content, sensitive logs, concurrency, and cancellation in the plan.
- Gate releases by critical slices and field outcomes, not one average OCR confidence score.
Testing an OCR pipeline means checking far more than whether visible words appear in a text file. A reliable plan verifies file intake, image decoding, orientation, preprocessing, layout segmentation, recognition, reading order, normalization, field extraction, confidence, and downstream business rules. It uses ground truth that represents the documents users actually submit.
One overall accuracy percentage cannot describe OCR quality. A system can score well on body text while misreading one invoice total, merging table columns, dropping a minus sign, or exposing a document through debug logs. This guide provides a risk-based corpus, annotation rules, runnable metrics, failure injection, and release criteria for modern OCR and document AI systems.
TL;DR
| Output | Recommended check | Example release concern |
|---|---|---|
| Plain text | Character error rate and word error rate | Small-font text is consistently omitted |
| Text regions | Precision, recall, and intersection over union | A footer is merged into a table |
| Reading order | Ordered block or pair agreement | Two columns are interleaved |
| Structured fields | Exact, normalized, and validity accuracy | Total, account number, or date is wrong |
| Confidence | Calibration by slice | Incorrect fields receive high confidence |
| Operations | Tail latency, throughput, error class, resource use | Large scans starve ordinary jobs |
| Security | Parser isolation, limits, redaction, deletion | Malicious files or sensitive artifacts escape controls |
Build tests around upload -> validate -> decode -> preprocess -> detect layout -> recognize -> reconstruct -> normalize -> extract -> deliver. Save stage artifacts in a protected test environment so the first point of divergence is visible.
1. Why testing an OCR pipeline requires stage-level oracles
OCR failures propagate. A page rotated incorrectly produces weak recognition. Incorrect table segmentation creates plausible words in the wrong cells. Aggressive thresholding erases punctuation. A post-processor may fix common characters but corrupt identifiers. If QA inspects only final JSON, every defect appears to be bad OCR, and teams tune the wrong component.
Map the pipeline and define a contract for each boundary. File intake reports format, size, page count, and rejection reason. Decoding produces expected pages without hidden truncation. Preprocessing records transformations and dimensions. Layout detection returns typed regions and coordinates in a documented coordinate system. Recognition associates text and confidence with regions. Reconstruction preserves reading order. Extraction returns typed fields with source spans or boxes and validation status.
Identify business-critical symbols and fields. A missing comma in prose may be tolerable. A changed decimal point, minus sign, medicine dose, passport digit, or checkbox state may be critical. Define severity with product owners and domain specialists. Do not let high volume of easy text outweigh rare but consequential fields.
Also separate system error from source ambiguity. Ground truth should allow illegible, partially visible, and multiple valid transcriptions when policy permits. The expected behavior may be low confidence and human review rather than a guessed value. A pipeline that abstains correctly on unreadable input can be safer than one with a higher apparent completion rate.
2. Design a representative document test corpus
Start with a coverage matrix based on real traffic and risk. Dimensions include document type, page count, language, script, font, print versus handwriting, camera versus scanner, resolution, color, compression, rotation, perspective, lighting, background, folds, stains, stamps, annotations, and layout complexity. Include tables, forms, columns, headers, footers, checkboxes, barcodes, signatures, equations, and mixed-direction text where the product supports them.
Use three corpus partitions. A development set supports diagnosis and tuning. A locked regression set provides release comparison. A challenge set contains rare, difficult, and adversarial samples. Avoid putting near-duplicate pages or multiple scans of the same source into both development and locked sets, because document leakage makes gains look larger than they are.
Capture naturally occurring variation and controlled transformations. Natural samples reveal unexpected backgrounds and device behavior. Synthetic transformations let QA isolate blur, rotation, noise, contrast, perspective, and compression at known levels. Keep the pristine parent and transformation recipe so a regression can be reproduced. Synthetic degradation should complement, not replace, real captures.
Govern the corpus as sensitive test data. Obtain appropriate rights, minimize personal information, record consent or provenance, encrypt storage, restrict access, and set retention. Redaction can change OCR difficulty, so preserve a separate annotation-safe representation or generate structurally similar documents. The AI test data generation guide can help create fictitious templates, but human review must ensure generated samples do not leak real data or create unrealistic typography.
3. Create defensible ground truth and annotation rules
Ground truth quality limits evaluation quality. Write a transcription guide before labeling. Decide how to represent line breaks, repeated spaces, ligatures, hyphenation across lines, case, punctuation, Unicode normalization, handwriting, deleted text, decorative marks, checkboxes, and unreadable characters. Keep a raw visual transcription separate from any normalized business value.
For layout, annotate page dimensions, polygons or boxes, region type, parent-child relationships, table rows and columns, merged cells, and reading order. State whether coordinates refer to the original image or a transformed stage. For structured fields, store the expected value, type, source region, normalization rule, and whether human review is required.
Use double annotation for the locked set. Two reviewers label independently, then an adjudicator resolves disagreements. Measure agreement by output type rather than forcing one number. High disagreement on a field may signal unclear policy or truly ambiguous source material. Preserve adjudication notes and annotation tool versions.
Version ground truth. A correction should create an auditable change, not silently alter historical release scores. Run a diff review for label changes and recompute the current baseline with the new version. Plant a small set of known annotation checks to catch systematic mistakes such as dropping leading zeros or normalizing dates inconsistently.
Never use the current OCR output as truth without independent verification. It accelerates labeling, but reviewers must inspect the image. Otherwise model errors are copied into labels and future regressions pass. Store explicit not_applicable and illegible states rather than empty strings that can be confused with a missed value.
4. Test file intake, decoding, and page handling
Build a format matrix for every supported input: PDF variants, JPEG, PNG, TIFF, HEIF or other formats only when the product explicitly supports them. Cover valid extensions with mismatched content types, uppercase extensions, missing extensions, multiple frames, alpha channels, color profiles, encrypted PDFs, password-protected documents, corrupted headers, truncated streams, and zero-byte files. Acceptance must be based on validated content, not filename alone.
Test page counts at zero, one, configured limits, and just over limits. Use portrait, landscape, mixed-size, and mixed-orientation pages in one document. Verify page ordering, duplicate pages, blank pages, thumbnail artifacts, and render resolution. A PDF can contain a text layer plus an image. Define whether the pipeline trusts, validates, combines, or ignores that text layer, then test conflicts between visible image and embedded text.
Assert failure behavior. Rejections should have stable machine-readable reason codes, safe user messages, no stack trace leakage, and no partial job reported as complete. If page-level recovery is allowed, the result must identify failed pages and prevent downstream code from treating missing pages as blank. Retry should be idempotent and preserve the same job identity or a documented lineage.
Keep original hashes and derived artifact IDs for traceability, but protect them as document metadata. Verify temporary files are deleted after success, rejection, timeout, and worker crash. Test canceled uploads and disconnects so abandoned data does not remain indefinitely.
5. Evaluate preprocessing without rewarding overfitting
Preprocessing can include orientation detection, deskew, crop, perspective correction, denoise, contrast adjustment, binarization, dewarping, and resolution scaling. Test each transformation with known geometric and visual expectations before measuring downstream text. A deskew operation should not crop corner text. Resizing should preserve aspect ratio unless the contract says otherwise. Coordinate mappings must let extracted boxes resolve back to the original page.
Create controlled image pairs. Rotate a clean page by known angles, apply perspective to four known corners, add calibrated blur or noise, and vary brightness. Assert transformation metadata and then compare OCR degradation curves. Do not invent one universal acceptable threshold. Establish product-specific limits from the locked corpus and business fields.
Overprocessing is a frequent failure. Thin decimal points, accents, punctuation, checkbox ticks, and light handwriting may disappear after binarization. Dark stamps can merge with nearby text. Run critical-field checks on both clean and difficult slices. Compare a preprocessing candidate not only with the prior pipeline but also with a no-preprocessing baseline to prove it helps the intended condition.
Use metamorphic expectations carefully. Modest brightness or lossless format changes should preserve text and fields. A 90-degree rotation should preserve content after orientation correction, while coordinates transform predictably. Strong blur may legitimately reduce output, so the oracle becomes calibrated confidence and human-review routing rather than exact equality. Preserve stage images for failed test jobs under strict retention so visual diagnosis is possible.
6. Test layout analysis, tables, and reading order
Text accuracy does not prove document structure. A two-column page may contain every word but interleave the columns. A table may preserve cell text while associating amounts with the wrong line items. Test region detection and reconstruction separately from recognition.
For boxes or polygons, use precision and recall at an agreed intersection-over-union threshold, plus type accuracy. Review small regions separately because a few pixels matter more for checkboxes and superscripts. For reading order, compare ordered region IDs or evaluate pairwise precedence among blocks. Include headers, footnotes, sidebars, nested lists, captions, and text that crosses page breaks.
Table tests should cover missing borders, faint lines, borderless tables, merged cells, wrapped text, repeated headers, nested tables, blank cells, negative numbers, and multi-page continuation. Assert row and column membership, span, header association, and cell coordinates, not just flattened CSV content. Add a case where visual proximity conflicts with semantic header structure.
Forms require label-value association. Test left, right, above, and inline labels, repeated labels, empty values, checkboxes, radio groups, and handwritten corrections. A field value should retain its source region so users can review it. For accessibility and downstream use, preserve logical order rather than relying solely on x and y sorting. If the pipeline returns Markdown or HTML, validate nesting and escaping so document text cannot inject active markup into the consuming application.
7. Measure recognition across scripts and content types
Character error rate, or CER, is edit distance between reference and hypothesis divided by reference character count. Word error rate, or WER, applies the same idea to word tokens. Report both because spacing and tokenization can affect WER while character substitutions remain visible in CER. Handle an empty reference explicitly rather than dividing by zero.
Create error categories: insertion, deletion, substitution, whitespace, case, diacritic, punctuation, numeral, and confusable character. Slice by script, language, font size, capture condition, region type, and document source. Mixed-script cases deserve their own slice. Identifiers containing O and 0, I and 1, or non-Latin confusables can be high risk even when average CER is low.
Normalization must follow the use case. Unicode normalization and line-ending cleanup may be appropriate for search. Removing punctuation or leading zeros is dangerous for codes and amounts. Report raw transcription metrics first, then a named normalized metric. Never adjust normalization until a poor release passes.
Test language selection and automatic detection. Include short ambiguous text, multilingual pages, unsupported languages, and a wrong user-supplied language hint. The pipeline should disclose unsupported script or low confidence rather than output confident nonsense. For handwriting, define the supported styles and review threshold. Do not blend printed and handwritten scores into one average.
8. Verify post-processing and structured field extraction
Post-processing turns recognized tokens into product data through dictionaries, language models, regular expressions, checksums, and business rules. It can correct errors, but it can also make wrong output look plausible. Preserve raw OCR, normalized text, extracted value, source span, confidence, and validation result as separate fields where privacy permits.
For each critical field, test exact accuracy, normalized accuracy, missing rate, false extraction rate, and human-review rate. Use domain validation such as date ranges, currency consistency, totals, identifier length, or checksums, but verify the system does not silently replace source evidence with a guessed valid value. A failed checksum should trigger review or a clear validation error.
Test locale. 01/02/2026, 1.234,56, comma-separated addresses, digit grouping, and right-to-left context can produce different meanings. Derive locale from trusted document or account context, not only from an uncertain OCR guess. Cover leading zeros, negative values, parentheses for negatives, currency symbols, percentages, and blank versus zero.
Cross-field rules are powerful oracles. Invoice subtotal plus tax should agree with total under documented rounding. A stated page count should match observed pages if that field exists. Yet a valid arithmetic relationship does not prove every line is correct, so retain field-level evidence. Test conflicting candidates and require deterministic selection or human review. The API contract testing guide is useful for locking the JSON schema consumed by downstream services while OCR internals continue to evolve.
9. Validate confidence and human-review routing
OCR confidence is useful only if it correlates with correctness for the relevant slice. Bin predictions by confidence and compare average confidence with observed accuracy. Inspect calibration curves and expected calibration error where appropriate, but also examine critical-field false accepts: wrong values that exceed the automatic-accept threshold.
Confidence from different engines or stages may not be comparable. A word score, field extractor probability, and validation result represent different evidence. Document how they combine. Test missing, NaN, out-of-range, and contradictory scores. Avoid defaulting an absent confidence to zero or one without an explicit contract.
Choose review thresholds from cost and risk. Raising a threshold can reduce wrong automatic results but increase manual workload and latency. Evaluate the tradeoff on a locked, representative corpus. Set field-specific thresholds when a bank account number has different impact from a description. Report coverage, or the fraction automatically accepted, together with accuracy among accepted results.
Test the review queue end to end. Low-confidence items should include the correct crop, page reference, raw text, proposed value, and reason. Reviewer changes must preserve an audit trail. Handle queue timeout, duplicate assignment, concurrent edits, keyboard accessibility, and redaction. Feed confirmed corrections into evaluation only through a governed process, not directly into a training set where malicious or accidental labels can poison future behavior.
10. Use runnable metrics for testing an OCR pipeline
The following Python module implements edit distance, CER, WER, and exact field accuracy using only the standard library. Save it as test_ocr_metrics.py and run python -m unittest -v. The explicit empty-reference behavior prevents misleading division errors.
import unittest
from collections.abc import Sequence
def edit_distance(reference: Sequence, hypothesis: Sequence) -> int:
previous = list(range(len(hypothesis) + 1))
for row, expected in enumerate(reference, start=1):
current = [row]
for column, actual in enumerate(hypothesis, start=1):
current.append(min(
current[-1] + 1,
previous[column] + 1,
previous[column - 1] + (expected != actual),
))
previous = current
return previous[-1]
def error_rate(reference: Sequence, hypothesis: Sequence) -> float:
if len(reference) == 0:
return 0.0 if len(hypothesis) == 0 else 1.0
return edit_distance(reference, hypothesis) / len(reference)
def cer(reference: str, hypothesis: str) -> float:
return error_rate(reference, hypothesis)
def wer(reference: str, hypothesis: str) -> float:
return error_rate(reference.split(), hypothesis.split())
def exact_field_accuracy(expected: dict[str, str], actual: dict[str, str]) -> float:
if not expected:
return 1.0 if not actual else 0.0
correct = sum(actual.get(name) == value for name, value in expected.items())
return correct / len(expected)
class OcrMetricTests(unittest.TestCase):
def test_character_substitution(self):
self.assertAlmostEqual(cer("TOTAL 120.00", "TOTAL 12O.00"), 1 / 12)
def test_word_deletion(self):
self.assertAlmostEqual(wer("amount due today", "amount today"), 1 / 3)
def test_empty_reference_policy(self):
self.assertEqual(cer("", ""), 0.0)
self.assertEqual(cer("", "unexpected"), 1.0)
def test_critical_fields_do_not_hide_behind_text_score(self):
expected = {"invoice_id": "INV-0017", "total": "120.00"}
actual = {"invoice_id": "INV-0017", "total": "12O.00"}
self.assertEqual(exact_field_accuracy(expected, actual), 0.5)
if __name__ == "__main__":
unittest.main()
Use the functions on each document and aggregate counts, not only per-page percentages. A micro-average weights by character volume, while a macro-average gives each document equal influence. Report both if long pages could dominate. For a production evaluator, persist individual insertions, deletions, and substitutions with document slice tags, then render a protected error report that points reviewers to source regions.
Add normalization as explicit named functions and calculate separate results. For geometry, add region matching before IoU aggregation so one predicted box cannot satisfy multiple references. For fields, define typed comparators, such as exact strings for IDs, Decimal values with documented scale for amounts, and parsed dates only when locale is known.
11. Test performance, resilience, and security
Performance depends on pixels, pages, regions, model path, language, and concurrency. Build workload classes rather than averaging all jobs. Measure upload time, queue delay, decode, preprocessing, layout, recognition, extraction, and delivery. Report throughput plus median and tail latency by workload. Track CPU, GPU, memory, temporary disk, network, and model-service utilization.
Test one huge page, many small pages, large dimensions with high compression, blank pages, dense tables, and concurrent multi-page jobs. Enforce limits before full expansion where possible. Inject worker termination, disk full, storage timeout, model timeout, corrupted intermediate artifacts, duplicate queue delivery, and callback failure. Verify idempotent recovery, bounded retry, page-level status, cleanup, and one terminal job state.
Document parsers process hostile input. Test malformed object graphs, embedded files, scripts, external references, macro-bearing containers when applicable, path-like filenames, decompression bombs, extreme dimensions, and parser crashes. Use updated parsing components, sandbox risky conversion, restrict network and filesystem access, and limit CPU, memory, pages, and expanded bytes. Test antivirus or content-disarm integrations according to the product contract.
Protect sensitive artifacts. Verify encryption, signed URL expiry, tenant authorization, worker identity, redaction in logs, trace access, retention, deletion, backups, and support exports. A recognition error report can contain the entire private document. The API negative testing guide provides reusable malformed input and safe error-response patterns for the upload and job APIs.
12. Define regression gates and production monitoring
Pin engine, model, language pack, preprocessing, extraction rule, and annotation versions for every evaluation. Run the locked corpus before changing any of them. Compare candidate and baseline at the document level so statistical tests or paired inspection can identify consistent gains and losses. Never accept a candidate solely because its overall CER is lower.
Define gates by risk slice. Critical identifier exact accuracy may allow no regression. A difficult handwriting slice may use a bounded review rate. Layout order, table structure, empty-document behavior, and security checks need separate gates. Review the worst regressions even if aggregate scores pass. Store evaluation artifacts and configuration with a reproducible run ID.
Release gradually by document type, tenant cohort, or stable traffic assignment. For safe shadow evaluation, run the candidate without affecting delivered output and compare fields under privacy controls. Watch input format mix, quality proxies, engine errors, low-confidence and review rates, correction rate, latency, queue age, resource use, and downstream validation failures. Production labels arrive late, so do not confuse confidence with truth.
Detect drift in capture devices, resolutions, languages, templates, and region types. Sample with consent for human audit according to policy. When a corrected production incident enters the corpus, minimize and protect it, assign a slice, reproduce the responsible stage, and add a targeted regression. This closes the loop without turning customer documents into an uncontrolled test archive.
Interview Questions and Answers
Q: How would you test an OCR pipeline?
I would map intake, decode, preprocessing, layout, recognition, reconstruction, normalization, and field extraction. I would build a representative, governed corpus with reviewed ground truth and measure each output type separately. I would add performance, parser security, failure recovery, and production drift checks.
Q: What is the difference between CER and WER?
CER applies edit distance to characters and divides by reference character count. WER applies it to word tokens. I report both because spacing and segmentation can greatly change WER while character-level substitutions remain visible in CER.
Q: Why is one OCR accuracy score dangerous?
It can be dominated by easy body text and hide a critical wrong amount, identifier, or table association. It also blends scripts, layouts, and capture conditions with different difficulty. I gate critical fields and high-risk slices separately.
Q: How do you validate OCR ground truth?
I define transcription and normalization rules, use independent double annotation for the locked set, adjudicate disagreements, and version corrections. I preserve raw text, structured values, coordinates, and explicit illegible states.
Q: How would you test table extraction?
I verify table regions, row and column membership, merged spans, headers, reading order, and exact critical cell values. Cases include borderless tables, wrapped cells, repeated page headers, blank cells, and multi-page continuation. Flattened text alone is not a sufficient oracle.
Q: How do you test OCR confidence?
I compare confidence bins with observed correctness per field and slice. I focus on false accepts above the automatic threshold and report both accepted coverage and accepted accuracy. Missing or invalid confidence values receive explicit tests.
Q: What security risks are specific to OCR?
OCR often starts with complex, untrusted files processed by parsers and converters. I test malformed structures, expansion bombs, embedded content, external references, resource exhaustion, temporary file cleanup, tenant access, and sensitive artifact logging.
Q: How do you test a new OCR model release?
I run a paired comparison against a locked corpus with pinned configuration. Gates cover critical fields, CER and WER slices, layout, confidence, latency, and security. I inspect worst regressions, shadow safely, and roll out by a stable cohort with rollback criteria.
Common Mistakes
- Reporting only average text accuracy. Add critical-field, layout, reading-order, confidence, latency, and security measures.
- Treating current engine output as ground truth. Require independent image review and adjudication.
- Normalizing before saving raw scores. Keep raw transcription and each named normalization result separate.
- Testing clean scans only. Cover mobile capture, difficult layouts, scripts, blur, rotation, compression, and real device variation.
- Comparing final JSON without stage artifacts. Preserve protected intermediate outputs so failures can be localized.
- Ignoring empty and illegible sources. Define explicit abstention and human-review behavior.
- Load testing by file count alone. Vary pixels, pages, layout density, languages, and model paths.
- Keeping customer documents indefinitely for regression. Govern provenance, access, minimization, retention, and deletion.
Conclusion
Testing an OCR pipeline is a document understanding quality problem, not a screenshot spot check. Trust comes from representative documents, defensible ground truth, stage-level evidence, output-specific metrics, and business-field gates that expose costly errors hidden by averages.
Begin with the document coverage matrix and annotation guide. Implement the runnable CER, WER, and field checks, then add layout, confidence, security, and performance suites. Release only when critical slices hold steady and every result can be traced back to the page region that produced it.
Interview Questions and Answers
How would you create an OCR testing strategy?
I would map each processing stage and its output contract, then build a risk-sliced document corpus with reviewed ground truth. Measures would cover text, layout, reading order, fields, confidence, latency, and resilience. Critical business fields and security cases would have independent release gates.
Explain CER and WER in OCR testing.
Both use edit distance. CER counts character insertions, deletions, and substitutions relative to reference characters, while WER applies the calculation to word tokens. I define normalization and empty-reference behavior before scoring.
How do you prevent easy documents from hiding OCR regressions?
I report by document type, script, layout, capture condition, and critical field. I use macro and micro views and set gates for high-risk slices. I also inspect the worst paired regressions against the current baseline.
How would you test OCR preprocessing?
I create known rotations, perspective transforms, blur, noise, and brightness changes, then assert geometry and downstream quality. I compare with both the current pipeline and a no-preprocessing baseline. Thin punctuation and critical symbols receive targeted checks for overprocessing.
What makes OCR ground truth trustworthy?
It follows written transcription and normalization rules, comes from the source image, and uses independent review with adjudication for the locked set. Ambiguity is represented explicitly. Corrections are versioned and audited.
How do you test OCR structured fields?
I retain raw text, normalized value, source region, confidence, and validation separately. Tests cover exact and typed comparisons, locale, checksums, cross-field consistency, missing values, false extractions, and human-review routing.
How would you performance-test a document AI service?
I define workloads by pages, pixels, layout density, language, and model path. I measure stage latency, queue age, throughput, tail behavior, and resource use. I include cancellation, worker failure, storage errors, duplicate delivery, and soak tests.
How would you roll out a new OCR engine?
I run a paired locked-corpus evaluation with pinned configurations and separate critical-slice gates. After security and load checks, I shadow where privacy permits and canary by stable cohort. Production correction, review, latency, and error signals determine expansion or rollback.
Frequently Asked Questions
What should be tested in an OCR pipeline?
Test file validation, decoding, page handling, orientation, preprocessing, layout, recognition, reading order, normalization, structured fields, confidence, performance, failure recovery, and security. Each stage needs an observable contract so defects can be localized.
What are the main OCR accuracy metrics?
CER and WER measure text edit errors. Layout needs region precision, recall, overlap, and reading-order measures, while business extraction needs field-level exact or typed accuracy and confidence calibration.
How large should an OCR test dataset be?
There is no universal count. The corpus should cover real traffic and high-risk slices with enough independently labeled examples to reveal meaningful regressions, while a smaller challenge set targets rare and adversarial conditions.
How do you create OCR ground truth?
Write transcription, layout, and normalization rules, then label from the source image. Use independent double review and adjudication for the locked regression set, record illegible regions explicitly, and version every correction.
Is OCR confidence the same as accuracy?
No. Confidence is a model score that may be poorly calibrated or incomparable across engines. QA must compare confidence with observed correctness by slice and focus on wrong results that exceed automatic-accept thresholds.
How do you test OCR on tables?
Assert table boundaries, row and column membership, spans, headers, reading order, and cell values. Include borderless, wrapped, merged, blank, repeated-header, and multi-page cases rather than checking only flattened text.
What security tests does an OCR upload need?
Test validated content types, malformed parsers, embedded content, expansion bombs, extreme dimensions, resource limits, sandboxing, temporary file cleanup, access control, redacted logs, retention, and deletion.