A-92%
Quality Score
2
Pages
17
Issues
7.9
Avg Confidence
7.8
Avg Priority
7 Critical7 High3 Medium
>_ Testers.AI
AI Analysis
Locaquidev.Br was tested and 17 issues were detected across the site. The most critical finding was: Exposure of internal company identifier (UUID) in console logs. Issues span Security, A11y, Performance, Other categories. Persona feedback rated Visual highest (8/10) and Accessibility lowest (6/10).
Qualitative Quality
Locaquidev.Br
Category Avg
Best in Category
Pages Tested ยท 2 screenshots
Homepage
locaquidev.com.br
Detected Issues ยท 17 total
1
Exposure of internal company identifier (UUID) in console logs
CRIT P9
Prompt to Fix
Replace the console logging of the company identifier with a privacy-safe alternative. Specifically: 1) Do not log the full UUID '11111111-1111-1111-1111-111111111111' to the console. 2) If debugging is needed, log a redacted value or a hash (e.g., 'CompanyID: [REDACTED]' or 'CompanyID: hash(...)'). 3) Wrap all such logs behind a DEBUG flag or remove in production builds. 4) Audit all other code paths that may log user or entity identifiers (URLs, IDs) in console or telemetry. 5) If IDs must be tracked, ensure they are stored server-side and not echoed in client logs. 6) Ensure the logging library does not leak objects or handles (JSHandle@object) in logs.
Why it's a bug
The logs reveal a persistent internal company identifier (UUID) used to tie UI state and preferences to a specific company. Exposing this identifier in the browser console makes it accessible to users and potential attackers via developer tools, browser extensions, or exposed error reports. This can enable user/session correlation and cross-site tracking if logs are collected externally.
Why it might not be a bug
In some environments (e.g., development or staging) logs may include internal IDs for debugging and not be exposed to end users. If logs are strictly client-side and never shipped to servers, the risk is limited. However, since logs could be copied or leaked, it's still a privacy concern.
Suggested Fix
Do not log internal IDs to the console. Replace with redacted values or hashes. Implement a privacy-safe logging utility and wrap logs behind a debug flag. Ensure production builds never expose company_id in console logs, and review any analytics/shipping of logs to external services to strip IDs.
Why Fix
Removing exposure of internal identifiers prevents potential cross-session correlation and reduces risk of targeted profiling or misuse of internal IDs by attackers or providers observing client-side logs.
Route To
Privacy Engineer
Page
Tester
Pete ยท Privacy Console Log Analyzer
Technical Evidence
Console:
โ
[EmpresaUrlContext] Empresa ID definido: 11111111-1111-1111-1111-111111111111
โ
[EmpresaUrlContext] Empresa encontrada via URL: 11111111-1111-1111-1111-1111111111112
Unconsented third-party telemetry to Sentry (error reporting) may leak user data
CRIT P9
Prompt to Fix
In the Sentry initialization, apply a strict data-scrubbing policy: implement a beforeSend hook to remove or redact sensitive fields (e.g., event.request.url, query params, user identifiers). Ensure only non-identifying error telemetry is sent by default; implement an explicit user-consent toggle to enable telemetry; provide a privacy notice describing what data is sent and how it is used. Example: Sentry.init({ dsn: '...', beforeSend(event) { if (event.request && event.request.url) { event.request.url = ''; } // scrub other PII here return event; }, beforeSend is optional for opt-in; } })
Why it's a bug
The application sends error telemetry to a Sentry ingestion endpoint (o4511037510123520.ingest.de.sentry.io) which could transmit context, environment details, and potentially user-identifying data. Without explicit user consent, data minimization, or PII scrubbing, this constitutes a privacy risk and potential unauthorized data sharing to a third party.
Why it might not be a bug
Sentry is commonly used for error monitoring; telemetry may be essential for debugging. However, without explicit consent controls and proper PII scrubbing, it remains a privacy concern that product teams should address.
Suggested Fix
Add explicit user consent for telemetry; implement a before-send hook or data-scrubbing policy to remove or mask any potential PII in the envelope (e.g., URLs, user identifiers). Avoid sending full URLs or sensitive context unless absolutely necessary. Consider opt-in toggles and a privacy-friendly default configuration.
Why Fix
Reduces risk of exposing user data to a third-party service, improves regulatory compliance, and preserves user trust by aligning telemetry with privacy expectations.
Route To
Frontend/Full-Stack Engineer; Privacy Engineer
Page
Tester
Pete ยท Privacy Networking Analyzer
Technical Evidence
Console:
POST https://o4511037510123520.ingest.de.sentry.io/api/4511037517004880/envelope/?sentry_version=7&sentry_key=be05fc0be483f2ecd161954b9de64fbc&sentry_client=sentry.javascript.react%2F10.45.0 - Status: N/ANetwork:
POST https://o4511037510123520.ingest.de.sentry.io/api/4511037517004880/envelope/?sentry_version=7&sentry_key=be05fc0be483f2ecd161954b9de64fbc&sentry_client=sentry.javascript.react%2F10.45.03
Excessive data exposure in empresa_design API with select=*
HIGH P8
Prompt to Fix
Update the API to stop returning all fields for the empresa_design endpoint. Change the REST query to select only required columns (e.g., select=empresa_id, nome_empresa, design_id, logo_url, created_at). If using Supabase/PostgREST, modify the endpoint or create a restricted view that exposes only the allowed fields. Ensure authentication/authorization is enforced so unauthorized clients cannot access more data than necessary.
Why it's a bug
The API request uses select=* to fetch all fields for a design record (empresa_design?select=*&empresa_id=eq.11111111-1111-1111-1111-111111111111), which risks returning more data than necessary, potentially including sensitive or internal fields not required by the client. This increases privacy risk and blast radius if data policies change or client code is misused.
Why it might not be a bug
In some admin or debugging contexts, fetching all fields may be temporarily acceptable; however, for a typical client-facing API, this pattern should be avoided to protect data minimization principles.
Suggested Fix
Replace select=* with an explicit, minimal field list (e.g., select=empresa_id, nome_empresa, design_id, logo_url, created_at) or implement a database view that returns only necessary fields. Enforce server-side field-level access and audit trailing.
Why Fix
Limiting exposed fields reduces privacy risk, prevents leakage of unnecessary internal data, and aligns with data minimization and secure-by-default practice. It also reduces response size and potential exposure during logs and caching.
Route To
Backend/API Engineer / Security Engineer
Page
Tester
Sharon ยท Security Networking Analyzer
Technical Evidence
Console:
GET https://dnkhvtqhbekgwysfnfje.supabase.co/rest/v1/empresa_design?select=*&empresa_id=eq.11111111-1111-1111-1111-111111111111 - Status: 200Network:
GET https://dnkhvtqhbekgwysfnfje.supabase.co/rest/v1/empresa_design?select=*&empresa_id=eq.11111111-1111-1111-1111-111111111111 - Status: 200