Strava: App Quality Report
Powered by Testers.AI

Quality Score: B+ (89%)
Pages: 10
Issues: 148
Avg Confidence: 8.0
Avg Priority: 7.9
Severity breakdown: 66 Critical, 60 High, 21 Medium, 1 Low
Testers.AI AI Analysis

Strava scored B+ (89%) with 148 issues across 7 tested pages, ranking #2 of 8 Testlio portfolio apps. That's 51 fewer than the 199.2 category average (50th percentile).

Top issues to fix immediately:
- "Header login CTA too subtle on white header": increase the visual prominence of the login CTA; use a darker background color or an outline with a stronger hover/focus state.
- "DNS resolution failures prevent loading of critical resources (ERR_NAM": audit all external resource URLs for correctness and availability.
- "FedCM get() TypeError: provided value 'widget' is not a valid Identity": update the credential request to use a valid IdentityCredentialRequestOptionsMode value, or omit mode if it is optional.

Weakest area: accessibility (6/10). Potential gaps in keyboard navigation and color-contrast considerations; alt text for imagery not visible in this view; needs m...

Quick wins: Improve keyboard accessibility and ensure all images have descriptive alt text; verify color contrast ratios for text.... Add language/localization options and region-specific content to broaden appeal and clarity of benefits.

[Chart: Qualitative Quality, comparing Strava, Category Avg and Best in Category]
Issue Count by Type:
- Content: 34
- UX: 16
- A11y: 14
- Visual: 5
- Security: 5
Pages Tested · 10 screenshots
Detected Issues · 148 total
Issue 1: Unconsented third-party trackers on Strava landing pages (Facebook Pixel, Reddit Pixel, GTM)
Severity: Critical (P9) · Confidence: 9/10 · Type: Other

Prompt to Fix:
1) Remove all immediate third-party tracker initializations from the landing page markup.
2) Integrate a dynamic loader that reads user consent from the Cookiebot CMP (or equivalent) and only then loads the tracker scripts (Facebook Pixel, Reddit Pixel, GTM, Snowplow).
3) Ensure no data is transmitted to third parties prior to consent (disable all beacon- and cookie-based data transmissions until consent is given).
4) Provide explicit consent categories and ensure the CMP state is respected across all trackers, including the Snowplow TP2 endpoint.
5) Test in multiple scenarios (consent given, denied, and default).
6) Add unit/integration tests to verify that trackers do not fire before consent and that consent signals are correctly respected.

Why it's a bug:
Multiple external tracking services are loaded from third-party domains (Facebook, Reddit, Google Tag Manager, Snowplow). Without clear, user-visible consent gating, these trackers can collect behavioral data across sites, enabling profiling and cross-site tracking, which undermines user privacy and may violate applicable data protection regulations.

Why it might not be a bug:
Consent management platforms (e.g., Cookiebot) appear to be present, which may gate the trackers until consent is given. If trackers are strictly loaded only after explicit user consent and proper categorization, this would not constitute a bug. The provided data does not confirm the consent state for all trackers at load time.

Suggested Fix:
Gate all third-party trackers behind explicit user consent. Move the tracker initializations (Facebook Pixel, Reddit Pixel, Google Tag Manager, Snowplow) so that they load only after the user has granted consent via the CMP. Remove or lazy-load the inline tracker scripts on initial page load and replace them with a consent-aware loader that subscribes to CMP state. Ensure no data, especially any PII, is sent to third parties before consent. Configure the CMP to provide clear consent categories (e.g., Marketing, Personalization) and enforce those states across all trackers.

Why Fix:
Prevents unintended data collection, aligns with privacy best practices, improves user trust, and reduces the risk of regulatory non-compliance related to unconsented tracking across sites.

Route To: Frontend/Privacy Engineer
Page:
Tester: Pete · Privacy Networking Analyzer

Technical Evidence:
Console: ⚠️ POTENTIAL ISSUE: Tracking request detected
Network:
  https://connect.facebook.net/en_US/fbevents.js
  https://www.redditstatic.com/ads/pixel.js
  https://www.googletagmanager.com/gtm.js?id=GTM-TP845S&l=googleTagManagerDataLayer
  https://www.googletagmanager.com/gtag/js?id=G-12345&l=googleTagManagerDataLayer
  POST https://c.strava.com/com.snowplowanalytics.snowplow/tp2
Issue 2: CORS blocked font resource from CloudFront
Severity: Critical (P9) · Confidence: 9/10 · Type: Security, Other

Prompt to Fix:
Audit the CloudFront distribution serving the Boathouse font asset. Ensure CORS headers are configured to allow the production Strava origin (https://www.strava.com) in font responses. Add Access-Control-Allow-Origin with the appropriate origin (or * if policy permits) and include Vary: Origin. Verify font MIME types and caching behavior. After the changes, reload the page to confirm the font loads without CORS errors.

Why it's a bug:
The font file loaded from a CloudFront domain is blocked because the response lacks an Access-Control-Allow-Origin header. This indicates a cross-origin resource sharing misconfiguration that prevents the font from loading, which can degrade UI rendering and typography consistency. While it exposes no secrets, it directly impacts user experience and points to a broader CORS handling issue for assets.

Why it might not be a bug:
If the asset were intentionally restricted cross-origin for security, this would be acceptable; however, fonts are commonly allowed cross-origin access for a site's own origins. In this context, the failure to load a font from a CDN is typically a misconfiguration rather than a deliberate security barrier.

Suggested Fix:
Configure the CDN (CloudFront) to serve the font with appropriate CORS headers. Set Access-Control-Allow-Origin to https://www.strava.com (or to * if allowed by policy) and include Vary: Origin. Ensure the font file is publicly accessible with correct MIME types and no authorization requirements. Validate that the origin loading the font is exactly the production Strava domain.

Why Fix:
Restores proper typography rendering, reduces visual layout shifts, and eliminates console CORS errors that can confuse users and degrade trust. Fixing asset CORS improves the reliability of UI rendering and reduces user-facing fragility.

Route To: Frontend/Platform Security Engineer
Page:
Tester: Sharon · Security Console Log Analyzer

Technical Evidence:
Console: Access to font at 'https://d3nn82uaxijpm6.cloudfront.net/assets/boathouse/Boathouse-Light-ea6efd49dcf4fbc9c0517e6977c97d49ecd6b1ee37d834548ca03d44a3bda882.woff2' from origin 'https://www.strava.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Network: https://d3nn82uaxijpm6.cloudfront.net/assets/boathouse/Boathouse-Light-ea6efd49dcf4fbc9c0517e6977c97d49ecd6b1ee37d834548ca03d44a3bda882.woff2
Issue 3: CORS blocked GTM analytics fetch from Strava origin
Severity: Critical (P9) · Confidence: 9/10 · Type: Security, Other

Prompt to Fix:
Audit the GTM /collect endpoint to ensure cross-origin requests from https://www.strava.com are allowed. Add appropriate CORS headers (Access-Control-Allow-Origin with the Strava origin, or * per policy), include Vary: Origin, and ensure credentials handling aligns with the endpoint's requirements. If cross-origin analytics is not intended, migrate to a same-origin integration or a proxy strategy. Validate the changes by reloading the page and confirming the fetch completes without CORS errors.

Why it's a bug:
The GTM collect request to an App Engine/GTM endpoint is blocked because the response lacks an Access-Control-Allow-Origin header. This prevents analytics data from being sent and can lead to incomplete metrics. It also reveals a cross-origin policy misconfiguration on the analytics endpoint.

Why it might not be a bug:
Some deployments intentionally restrict third-party analytics cross-origin access; however, for a first-party analytics workflow like GTM, allowing proper CORS is standard practice to ensure reliable data collection unless a deliberate proxy is used. The current behavior reduces data fidelity.

Suggested Fix:
Configure the GTM /collect endpoint to respond with appropriate CORS headers (e.g., Access-Control-Allow-Origin: https://www.strava.com, or a permissive policy with Vary: Origin). Ensure the response headers permit the requesting origin and that credentials are handled correctly if needed. Alternatively, host the analytics code on the same origin or implement a server-side proxy to avoid cross-origin calls.

Why Fix:
Enables reliable data collection for analytics, reducing data gaps and ensuring accurate user insights. Proper CORS configuration also mitigates cross-origin request failures that degrade measurement and can obscure critical product metrics.

Route To: Backend/Platform Security Engineer
Page:
Tester: Sharon · Security Console Log Analyzer

Technical Evidence:
Console: Access to fetch at 'https://gtm-strava-c81694537.appspot.com/g/collect?v=2&tid=G-12345&gtm=45je63g1z871715255za20gzb71715255zd71715255&_p=1773789565776&gcs=G111&gcd=13r3r3r3r5l1&npa=0&dma=0&gdid=dMWZhNz&cid=751821140.1773789525&ecid=1625339401&ul=en-us&sr=800x600&_fplc=0&ur=US-WA&uaa=&uab=&uafvl=&uamb=0&uam=&uap=&uapv=&uaw=0&are=1&frm=0&pscdl=noapi&_eu=AAAAAAQ&sst.rnd=1788710205.1773789566&sst.us_privacy=1---&sst.tft=1773789565776&sst.lpc=53990762&sst.navt=n&sst.ude=0&sst.sw_exp=1&_s=1&tag_exp=103116026~103200004~115616985~115938466~115938468~116024733~117484252&sid=1773789527&sct=1&seg=1&dl=https%3A%2F%2Fwww.strava.com%2Ffeatures&dt=Strava%20Subscription&_tu=DA&en=page_view&ep.event_id=17737895661010.2072066568333304&tfd=918&richsstsse' from origin 'https://www.strava.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Network: https://gtm-strava-c81694537.appspot.com/g/collect?v=2&tid=G-12345&gtm=45je63g1z871715255za20gzb71715255zd71715255&_p=1773789565776&gcs=G111&gcd=13r3r3r3r5l1&npa=0&dma=0&gdid=dMWZhNz&cid=751821140.1773789525&ecid=1625339401&ul=en-us&sr=800x600&_fplc=0&ur=US-WA&uaa=&uab=&uafvl=&uamb=0&uam=&uap=&uapv=&uaw=0&are=1&frm=0&pscdl=noapi&_eu=AAAAAAQ&sst.rnd=1788710205.1773789566&sst.us_privacy=1---&sst.tft=1773789565776&sst.lpc=53990762&sst.navt=n&sst.ude=0&sst.sw_exp=1&_s=1&tag_exp=103116026~103200004~115616985~115938466~115938468~116024733~117484252&sid=1773789527&sct=1&seg=1&dl=https%3A%2F%2Fwww.strava.com%2Ffeatures&dt=Strava%20Subscription&_tu=DA&en=page_view&ep.event_id=17737895661010.2072066568333304&tfd=918&richsstsse
145 more issues detected, including:
- AI/LLM endpoint called on page load causing potential perfor...
- AI/LLM Endpoint calls detected on page load
- CORS policy blocks cross-origin fetch due to missing Access-...
- and 142 more...
You're viewing the top 3 issues for Strava.