John Lewis
App Quality Report
Powered by Testers.AI

Quality Score: B+ (87%)
Pages: 4
Issues: 100
Avg Confidence: 7.7
Avg Priority: 8.0
Severity breakdown: 36 Critical, 55 High, 9 Medium

Testers.AI AI Analysis

John Lewis scored B+ (87%) with 100 issues across 7 tested pages, ranking #4 of 20 UK retail sites. That's 30 fewer than the 130.2 category average (85th percentile).

Top issues to fix immediately: "Cookie consent banner blocking page content and interaction": Redesign the cookie consent banner to be non-blocking: either display it as a small, fixed notification at the bottom...; "Multiple critical network failures affecting page functionality": Investigate and resolve the underlying HTTP/2 protocol errors and API failures: (1) Check server health and HTTP/2 co...; "Console Errors Indicate Systemic Resource Loading Failures Affecting P": Conduct immediate infrastructure diagnostics: (1) Review HTTP/2 protocol configuration on server; investigate why mul....

Weakest area is accessibility (6/10): Basic accessibility present but areas for improvement include contrast ratios, alt text clarity, and keyboard navigation indica...

Quick wins: Improve color contrast ratios throughout, particularly in secondary text and navigation elements. Add more descriptive alt text to all product images for screen reader users.

Qualitative Quality (chart: John Lewis vs. Category Avg vs. Best in Category)

Issue Count by Type
| Type     | Count |
|----------|-------|
| A11y     | 25    |
| Content  | 17    |
| UX       | 4     |
| Security | 3     |
Pages Tested · 4 screenshots
Detected Issues ยท 100 total
1
Sensitive Device Fingerprinting Data (monetateId, cookiePermissions) Exposed in Network Logs
Severity: Critical · Priority: P9 · Confidence: 9/10 · Type: Other
Prompt to Fix
Privacy audit finding: Device fingerprinting data (monetateId, cookiePermissions, deviceType, correlationId) is being logged to the browser console in error handling code. This violates privacy regulations and exposes user tracking data. Please: (1) Locate all console.log/error/warn statements in the recommendations API code, (2) Remove any statements that log monetateId, cookiePermissions, deviceType, correlationId, or categoryId, (3) Replace with generic error messages like 'Recommendations API failed: [error type]' with no data payload, (4) If detailed logging is needed for debugging, implement server-side logging that requires authentication, (5) Add a code review rule to prevent logging of fingerprinting data in the future. Ensure no PII or device identifiers are exposed client-side.
Why it's a bug
The Monetate API request payload is logged to console with complete device fingerprinting data: monetateId (persistent user identifier), deviceType, and cookiePermissions state. This data enables user tracking and profiling across sessions. AI-generated code frequently over-logs debug data without considering privacy implications. The monetateId appears to be a persistent identifier (format suggests timestamp component: 5.8821943.1773675517304) that could be used to profile users across time and contexts.
Why it might not be a bug
Monetate is a legitimate service and these parameters may be necessary for API function. However, logging them to console violates privacy best practices regardless of service legitimacy.
Suggested Fix
(1) Remove console.log statements that output monetateId, cookiePermissions, or device fingerprinting data, (2) If debugging is needed, use non-console logging (server-side logging with authentication/encryption), (3) Implement data masking if any logging is necessary (e.g., only log first 4 chars of monetateId as 5.88***), (4) Add privacy audit to all API request code to ensure no PII or fingerprinting data is logged client-side.
Why Fix
Exposing device fingerprinting data in console violates GDPR, CCPA, and similar privacy regulations. Users can inspect browser console and discover they're being tracked. This creates legal liability and damages trust.
Route To
Privacy Engineer, Security Engineer, Frontend Engineer
Tester: Jason · GenAI Code Analyzer
Technical Evidence
Console: [ERROR] Recommendations: Fetch error. Failed to fetch | data: {"placements":["OSPHomePage1"],"categoryId":"6000670128","deviceType":"Desktop","monetateId":"5.8821943.1773675517304","cookiePermissions":{"functional":false,"personalisation":false},"correlationId":"eb694a07-c441-4156-899d-c9c087900983"}
Network: GET https://se.monetate.net/js/2/a-76ca7dd3/p/johnlewis.com/entry.js - Status: N/A
2
Sensitive User & Tracking Data Exposed in Console Logs
Severity: Critical · Priority: P9 · Confidence: 8/10 · Type: Other, Security
Prompt to Fix
We have a security issue where sensitive user tracking identifiers (monetateId, correlationId, and experiment IDs) are being exposed in console logs during API error handling. Create a logging utility function that sanitizes error objects before they are logged to the console. This function should: 1) Accept an error object or data payload, 2) Identify and redact sensitive fields like 'monetateId', 'correlationId', and any field containing experiment IDs, 3) Return a safe version of the data for logging that replaces sensitive values with placeholders like '[REDACTED]'. Apply this sanitization to the Recommendations API error handler and any other API error handlers that might log user-identifying data. Ensure sensitive identifiers are only logged at debug levels in backend systems, not in production console output.
Why it's a bug
The console logs contain sensitive tracking and user identification data including monetateId ('5.8821943.1773675517304'), correlationId ('eb694a07-c441-4156-899d-c9c087900983'), experiment IDs ('KP-AA-Test-EXP1651_2099845', 'JL-Client-Side-Full_1633107'), and device/category classification data. This data is logged in error messages related to the Recommendations API fetch failure. If console logs are captured, stored, or transmitted to logging services without proper sanitization, this information could be used for user tracking, session correlation, or identifying patterns in A/B testing configurations. This violates privacy principles and could expose user behavioral data.
Why it might not be a bug
This data could be considered part of normal API request/response logging that developers need for debugging. However, the presence of correlationIds and monetateIds (user tracking identifiers) in production console logs that are visible to users and potentially captured by monitoring tools represents unnecessary exposure of tracking infrastructure.
Suggested Fix
Implement console log sanitization that filters out sensitive identifiers from error messages before logging. Create a logging utility that redacts or hashes monetateId, correlationId, and experiment identifiers. Ensure that API error responses containing user-identifying data are logged only at debug levels (not exposed in production), and that any error messages shown to users or captured by monitoring tools are stripped of tracking identifiers. Use structured logging to separate debug data (for backend analysis) from user-facing errors.
Why Fix
Preventing exposure of user tracking identifiers and correlation IDs protects user privacy, prevents unauthorized session tracking, and reduces the surface area for attack vectors that rely on identifying and correlating user sessions across systems. This aligns with privacy regulations (GDPR, CCPA) and security best practices.
Route To
Backend/Security Engineer, Logging Infrastructure Engineer
Tester: Sharon · Security Console Log Analyzer
Technical Evidence
Console: [ERROR] Recommendations: Fetch error. Failed to fetch | data: {"placements":["OSPHomePage1"],"categoryId":"6000670128","deviceType":"Desktop","monetateId":"5.8821943.1773675517304","cookiePermissions":{"functional":false,"personalisation":false},"correlationId":"eb694a07-c441-4156-899d-c9c087900983"}
Network: Recommendations API fetch error with monetateId and correlationId exposed
3
User Tracking Identifier and Device Fingerprinting Data Exposed in Console Logs
Severity: Critical · Priority: P9 · Confidence: 8/10 · Type: Other
Prompt to Fix
We have a critical privacy violation where sensitive user tracking identifiers are being exposed in browser console logs. The Recommendations API error handler is logging the complete request payload including: monetateId (third-party tracking ID), correlationId (session identifier), deviceType (device fingerprinting), and cookiePermissions state. This data is visible to any user opening developer tools. Please implement a logging sanitization function that removes or redacts all PII and tracking identifiers (monetateId, correlationId, deviceType, cookiePermissions) from console error messages. The function should filter these fields before the error is logged to console.error(). Server-side logging can retain full data for debugging, but client-side console output must never expose these identifiers. This is required for GDPR/CCPA compliance.
Why it's a bug
The Recommendations API error log explicitly exposes sensitive user tracking and profiling data in console output: monetateId ('5.8821943.1773675517304'), correlationId ('038dc0d5-f52d-4250-8302-83a890103881'), deviceType ('Desktop'), and cookie permission states. This data is logged in plain text to the browser console, where it can be accessed by users, browser extensions, or anyone with console access. These identifiers enable user tracking, profiling, and cross-session identification. The monetateId is a third-party tracking identifier that violates user privacy expectations and potentially violates GDPR/CCPA regulations by exposing behavioral tracking data without explicit user consent signals.
Why it might not be a bug
This could be dismissed as debug logging that is only visible to developers or technical users. However, console logs are accessible to any user opening developer tools, and this data should never be exposed regardless of audience.
Suggested Fix
Remove or redact all sensitive tracking identifiers, correlation IDs, and device fingerprinting data from console logs. Implement a logging filter that strips monetateId, correlationId, deviceType, and cookiePermissions from error messages before they reach console output. If debugging is necessary, use server-side logging instead of client-side console exposure.
Why Fix
Exposing tracking identifiers and device fingerprinting data in console logs violates privacy principles and regulatory compliance (GDPR Article 32, CCPA §1798.100). Users can easily access this data via browser dev tools, enabling malicious actors to track users, impersonate sessions, or profile user behavior. This is a clear data protection violation.
Route To
Privacy Engineer / Data Protection Officer / Backend API Team Lead
Tester: Pete · Privacy Console Log Analyzer
Technical Evidence
Console: [ERROR] Recommendations: Fetch error. Failed to fetch | data: {"placements":["OSPHomePage1"],"categoryId":"6000670128","deviceType":"Desktop","monetateId":"5.8821943.1773675517304","cookiePermissions":{"functional":false,"personalisation":false},"correlationId":"038dc0d5-f52d-4250-8302-83a890103881"}
Network: Recommendations API fetch failure with exposed tracking payload