Recruter.Tn
App Quality Report
Powered by Testers.AI
Quality Score: B-80%
Pages: 7
Issues: 144
Avg Confidence: 8.2
Avg Priority: 8.1
71 Critical, 60 High, 13 Medium
Testers.AI AI Analysis

Recruter.Tn was tested and 144 issues were detected across the site. The most critical finding was: Hardcoded Google Maps API key exposed in client URL. Issues span the Security, Legal, Performance, and A11y categories. Persona feedback rated Visual highest (7/10) and Accessibility lowest (6/10).

[Chart: Qualitative Quality, comparing Recruter.Tn with Category Avg and Best in Category]
Issue Count by Type
UX: 29
Content: 25
A11y: 19
Security: 10
Legal: 1
Pages Tested · 7 screenshots
Detected Issues · 144 total
1. Hardcoded Google Maps API key exposed in client URL
CRIT P10
Conf 9/10 Security, Other
Prompt to Fix
Remove hardcoded API keys from client-side code. Implement server-side retrieval of the Maps API key or load it through a secure proxy. Enforce API key restrictions (domain, HTTP referrers) and consider using environment-based configuration rather than embedding keys in frontend code.
Why it's a bug
The page loads maps API with a visible API key in the URL (key=AIzaSyDo5FIoEwCTYffHoKSSBIHdcPyqS96_a7o...). Exposing API keys in client-side code is a critical security risk (potential abuse, quota drain, and privacy concerns). This is a clear GenAI/code-quality issue visible from the screenshot.
Why it might not be a bug
If the key is meant for a non-exposed environment or a restricted demo, it should still not be present in client code; the screenshot shows it publicly, which is not acceptable.
Suggested Fix
Move API calls behind a secure backend or proxy. Use restricted API keys with HTTP referrers and IP restrictions. Remove the key from client-side code and load Maps API via a server-side endpoint or environment-protected configuration.
Why Fix
Prevent unauthorized usage, avoid quota overages, and protect the integrity of the app's map features.
Route To
Security Engineer / Frontend Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: GET https://maps.google.com/maps/api/js?key=AIzaSyDo5FIoEwCTYffHoKSSBIHdcPyqS96_a7o&libraries=places&ver=6.9.4 - Status: N/A
Network: GET https://maps.google.com/maps/api/js?key=AIzaSyDo5FIoEwCTYffHoKSSBIHdcPyqS96_a7o&libraries=places&ver=6.9.4
2. CMP integration has incorrect ID and missing/incorrect customdata
CRIT P9
Conf 9/10 Other
Prompt to Fix
Audit the CMP integration: verify the vendor ID/client ID used in the CMP script, correct the 'customdata' attribute values, and ensure the CMP library is initialized in the active environment. Run consent flow tests and verify that the consent state is correctly captured and sent.
Why it's a bug
CMP IDs are incorrect and customdata is missing or not active, risking non-compliant consent handling and incorrect consent state.
Why it might not be a bug
Should be fixable; logs indicate issues rather than user-visible functionality, but regulatory risk justifies priority.
Suggested Fix
Verify and correct the CMP component's client ID and data attributes. Ensure customdata fields are set correctly and that CMP is active for the current environment. Run end-to-end consent flows to confirm proper recording and transmission of consent.
Why Fix
Incorrect consent state can lead to regulatory compliance failures and invalid data collection.
Route To
Frontend/Compliance Engineer
Page
Tester
Sharon · Security Tester
Technical Evidence
Console: [LOG] CMP issue: Incorrect ID, please check your implementation | [LOG] CMP issue: Incorrect ID used customdata (or not yet active)
3. AI endpoints auto-loaded on page load without user consent
CRIT P9
Conf 9/10 Other
Prompt to Fix
Audit all JavaScript that triggers AI/LLM endpoints on page load. Remove unconditional calls, wrap in a consent check, and implement lazy-loading of AI features. Add a user-facing consent banner and a feature flag for AI integrations; ensure no data is sent to AI endpoints until consent is given.
Why it's a bug
The console shows repeated AI/LLM endpoint detections and AI-related activity on initial load, which implies AI services are invoked without an explicit user consent flow. This risks unintended data sharing, privacy violations, and performance degradation.
Why it might not be a bug
If the site intends to perform AI-based personalization and has an explicit consent mechanism not visible in the screenshot, it could be legitimate; however, no consent flow is evident in the static view.
Suggested Fix
Move all AI/LLM calls behind a user-consent prompt and/or lazy-load them after explicit user interaction. Remove on-load AI invocations and ensure a clear consent banner or settings toggle exists before enabling any AI features.
Why Fix
Protects user privacy, reduces data leakage risk, and improves perceived performance and trust by ensuring AI calls happen only with consent.
Route To
Frontend Engineer / Privacy Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: [⚠️ AI/LLM ENDPOINT DETECTED] (appears multiple times in console logs during page load)
Network: AI/LLM ENDPOINT DETECTED (external AI API calls triggered on page load)
37 more issues detected
Unconsented third-party tracking requests detected on admin ...
Exposure of AdSense publisher/client ID in console/network l...
CMP issue: Incorrect CMP ID in integration
and 34 more...
You're viewing the top 3 issues for Recruter.Tn.