House of Fraser
App Quality Report
Powered by Testers.AI
Quality Score: B+ (87%)
Pages: 6
Issues: 102
Avg Confidence: 7.6
Avg Priority: 7.9
Severity: 35 Critical · 55 High · 12 Medium
Testers.AI AI Analysis

House of Fraser scored B+ (87%) with 102 issues across 6 tested pages, ranking #5 of 20 UK retail sites. That's 28 fewer than the 130.2 category average (80th percentile).

Top issues to fix immediately: "Multiple Failed Resource Loads - DNS Resolution Errors": 1) Identify which specific resources are failing to resolve by checking the Network tab in DevTools; "Broken Resources Loading Preventing Core Functionality": Investigate the failed resource requests in the network tab; "Suspicious Obfuscated URL Path Detected in Production Traffic": Immediately investigate the source of this URL request: (1) Review server logs and WAF logs for this request pattern,....

Weakest area: accessibility (5/10). Several accessibility concerns: small text in some areas, insufficient color contrast in places, lack of visible alt-text strat...

Quick wins: Improve color contrast ratios throughout the page to meet WCAG AA standards, particularly in product category labels.... Add descriptive aria-labels and alt-text to all carousel images and product thumbnails for screen reader users.

Qualitative Quality (chart: House of Fraser vs. Category Avg vs. Best in Category)

Issue Count by Type
- A11y: 32
- Content: 23
- UX: 5
- Security: 4
- Visual: 1

Pages Tested · 6 screenshots
Detected Issues · 102 total
1. Suspicious Obfuscated URL Path Detected in Production Traffic
CRIT P9 · Conf 8/10 · Other · Security
Prompt to Fix
Investigate the suspicious obfuscated URL request to 'https://www.houseoffraser.co.uk/kysaL0xGh/1xjKY77i_/FuAm9ty/CY/9w9JVQ9z1pYOJpOE/Pyd0AQ/ZV19e/EkPZG0B' found in production network traffic. This path doesn't match legitimate Next.js application routing patterns. (1) Search the entire codebase for this URL or any code generating random path segments, (2) Check if any third-party scripts or analytics libraries are making unexpected requests, (3) Review recent dependency updates for malicious packages, (4) Implement URL validation middleware to reject requests with suspicious path patterns, (5) Add security monitoring to alert on unexpected URL requests, (6) If source is identified as malicious, remove it and conduct a full security audit.
Why it's a bug
A highly suspicious obfuscated URL path 'GET https://www.houseoffraser.co.uk/kysaL0xGh/1xjKY77i_/FuAm9ty/CY/9w9JVQ9z1pYOJpOE/Pyd0AQ/ZV19e/EkPZG0B' appears in production network traffic. This pattern is characteristic of malware callback URLs, command-and-control (C2) communication, or injected malicious code. The random-looking path segments and underscores don't match legitimate application routing patterns. This indicates either: (1) malicious code injection in the application, (2) compromise of the application serving layer, or (3) malware on the user's system. This is a critical security incident requiring immediate investigation.
Why it might not be a bug
It's theoretically possible this could be legitimate application logic, though the obfuscation pattern is highly suspicious and doesn't match Next.js routing conventions used elsewhere on the site.
Suggested Fix
Immediately investigate the source of this URL request: (1) Review server logs and WAF logs for this request pattern, (2) Conduct a code audit to identify if this is generated by legitimate application code or injected maliciously, (3) Check for signs of server compromise or dependency vulnerabilities, (4) If malicious, identify and remove the injection vector, (5) Implement strict URL allowlist validation to prevent execution of unexpected paths, (6) Deploy Content Security Policy to prevent inline script execution that could generate such URLs.
Why Fix
This suspicious URL pattern could indicate active malware infection, server compromise, or code injection attacks. Failure to investigate could allow attackers to exfiltrate user data, inject malicious content, or establish persistent backdoors. This directly threatens user security and product integrity.
Route To
Security Engineer / DevSecOps / Backend Infrastructure Team
Page
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: No console logs provided, but recommend checking browser console for JavaScript errors or warnings during the time this request was made.
Network: GET https://www.houseoffraser.co.uk/kysaL0xGh/1xjKY77i_/FuAm9ty/CY/9w9JVQ9z1pYOJpOE/Pyd0AQ/ZV19e/EkPZG0B - Status: N/A
2. Akamai Bot Manager Token Endpoint Exposed in Production
HIGH P8 · Conf 7/10 · Other · Security
Prompt to Fix
Move Akamai bot management token generation from client-side to server-side implementation. The endpoint 'https://www.houseoffraser.co.uk/akam/13/2916a065' is currently exposed in client-side network traffic. (1) Create a backend API endpoint '/api/bot-token' that internally calls Akamai's bot management service, (2) Remove any client-side Akamai bot management script that makes direct calls to Akamai endpoints, (3) Have the frontend request bot tokens only from your backend endpoint before making sensitive requests, (4) Ensure the backend endpoint is rate-limited and properly authenticated, (5) Never expose Akamai endpoint patterns or token structure in client-side code, (6) Test that bot detection still functions with backend-only implementation.
Why it's a bug
The network traffic contains a request to 'GET https://www.houseoffraser.co.uk/akam/13/2916a065' which is clearly an Akamai bot management token generation endpoint. This endpoint is exposed in production network traffic, indicating that client-side code (likely JavaScript) is directly calling Akamai's bot detection API. The presence of this endpoint signature in network logs shows: (1) bot management implementation details are exposed to potential attackers, (2) the endpoint structure and token format are visible to adversaries, (3) attackers can analyze and potentially bypass bot detection mechanisms. This information disclosure weakens the bot detection security posture.
Why it might not be a bug
Bot management tokens are designed to be called from the client-side, and this is standard Akamai implementation. However, exposing the endpoint pattern and implementation details in network traffic visible to users is still an information disclosure risk.
Suggested Fix
(1) Implement bot management token generation on the backend instead of client-side, (2) Create a backend endpoint that acts as a proxy for Akamai bot detection, (3) Ensure all Akamai API calls are made server-side only, (4) Use Content Security Policy to prevent client-side bot management script execution where possible, (5) Implement additional server-side bot detection mechanisms independent of client-visible patterns, (6) Monitor for abuse of the bot management endpoint.
Why Fix
Exposing bot management implementation details allows attackers to study and potentially circumvent anti-bot protections, enabling credential stuffing, account enumeration, inventory hoarding, and other automated attacks. Moving this to server-side significantly increases the security of bot detection.
Route To
Security Engineer / Backend Engineer / Infrastructure Team
Page
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: Check for Akamai bot management script initialization in browser console during page load.
Network: GET https://www.houseoffraser.co.uk/akam/13/2916a065 - Status: N/A
3. Multiple Failed Resource Loads - DNS Resolution Errors
CRIT P9 · Conf 8/10 · Other
Prompt to Fix
We have 5 ERR_NAME_NOT_RESOLVED errors in the console indicating failed resource loads. The error message is '[ERROR] Failed to load resource: net::ERR_NAME_NOT_RESOLVED'. Please: 1) Check the Network tab to identify which URLs are failing to resolve, 2) Verify all API endpoint URLs in the application config are correct and match deployed infrastructure, 3) Add comprehensive error handling that logs which specific resource failed and why, 4) Implement a retry mechanism for critical resources with exponential backoff, 5) Add user-facing error messages to inform users when resources fail to load.
Why it's a bug
Multiple ERR_NAME_NOT_RESOLVED errors indicate that the application is attempting to load resources from domains that cannot be resolved. This suggests either misconfigured API endpoints, broken resource URLs, or infrastructure issues. With 5 consecutive failures, this is likely to impact core functionality and user experience significantly. Users may experience broken features, missing assets, or failed API calls.
Why it might not be a bug
These could be transient network issues or expected fallback behaviors if the application gracefully handles missing resources. However, the repeated nature and lack of visible error recovery suggests this is a real problem.
Suggested Fix
1) Identify which specific resources are failing to resolve by checking the Network tab in DevTools. 2) Verify all API endpoints and resource URLs are correctly configured in the environment variables or config files. 3) Ensure DNS records are properly set up for any external services. 4) Add proper error handling and user-facing error messages when resources fail to load. 5) Implement retry logic with exponential backoff for critical resources.
Why Fix
Failed resource loads directly break user-facing functionality. This prevents the application from operating correctly and degrades user experience. Fixing this ensures users can access all features and data they need.
Route To
Backend/DevOps Engineer, Infrastructure Engineer
Page
Tester
Sharon · Security Tester
Technical Evidence
Console: [ERROR] Failed to load resource: net::ERR_NAME_NOT_RESOLVED
Network: net::ERR_NAME_NOT_RESOLVED (x5)