B84%
Quality Score
4
Pages
55
Issues
8.1
Avg Confidence
8.1
Avg Priority
23 Critical27 High5 Medium
>_ Testers.AI
AI Analysis
Creativable De was tested and 55 issues were detected across the site. The most critical finding was: Third-Party Telemetry to Sentry Exposes Potential PII. Issues span Security, Legal, A11y, Performance categories. Persona feedback rated Visual highest (8/10) and Accessibility lowest (5/10).
Qualitative Quality
Creativable De
Category Avg
Best in Category
Pages Tested · 4 screenshots
Homepage
lovable.dev.products.creativable
lovable.dev.products.creativable
lovable.dev.products.creativable
Detected Issues · 55 total
1
Third-Party Telemetry to Sentry Exposes Potential PII
CRIT P9
Prompt to Fix
In your Next.js app's Sentry setup, implement data minimization: (1) Add a beforeSend(event) hook that removes sensitive fields from events, e.g., if (event.user) { delete event.user.email; delete event.user.username; delete event.user.name; delete event.user.id; } (2) Ensure IP addresses are not sent by setting sendDefaultPii: false and removing event.ip or any IP fields from the event. (3) Remove or scrub any cookies or sensitive headers from event.request. (4) Implement explicit user consent or opt-out for telemetry and conditionally enable Sentry only after consent. (5) If possible, enable server-side privacy controls or a private telemetry endpoint to avoid sending data to third-party domains in production by default.
Why it's a bug
There is a POST to a Sentry ingestion endpoint (third-party). Without payload details, the telemetry could include user identifiers, session data, or other PII. This constitutes sharing user data with a third-party service without explicit user consent or clear disclosure, raising regulatory and trust concerns.
Why it might not be a bug
Telemetry is common for error monitoring. If the data sent is strictly non-PII and IPs are anonymized, and users have consent or opt-out, it may not be a bug. However, current logs do not show payload, so high risk remains until confirmed or mitigated.
Suggested Fix
Configure Sentry integration to minimize data exposure: implement a beforeSend hook to scrub PII from events, disable sending of default PII (set sendDefaultPii to false), and ensure IP addresses are anonymized. Remove or redact fields like user.email, user.username, user.name, user.id, and any identifiable query/request data. Add a clear user consent mechanism and an opt-out option for telemetry. Consider using a private/controlled telemetry endpoint or disabling Sentry in non-production environments unless consent is explicitly given.
Why Fix
Reducing third-party data exposure protects user privacy, helps comply with data protection regulations, and preserves user trust. Limiting PII in telemetry prevents accidental leakage of sensitive information to external services.
Route To
Privacy Engineer / Security Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Network:
POST https://o4506071217143808.ingest.us.sentry.io/api/4506071220944896/envelope/?sentry_version=7&sentry_key=58ff8fddcbe1303f19bc19fbfed46f0f&sentry_client=sentry.javascript.nextjs%2F10.28.02
Exposure of Sentry ingestion key in URL query parameters
CRIT P9
Prompt to Fix
In your frontend Sentry integration, remove the sentry_key query parameter from the DSN and ensure the DSN is loaded from a secure environment variable. Do not hard-code or expose credentials in client code or network requests. Example fix: // In Next.js (client-side only) ensure SENTRY_DSN is provided from process.env and initialize Sentry with Sentry.init({ dsn: process.env.SENTRY_DSN, tracesSampleRate: 1.0 }); Ensure the build pipeline does not log full URLs or DSNs. If you must test ingestion, use a public DSN for the client and a separate private DSN only on server-side error reporting. Add a unit/integration test to verify that network calls do not include sentry_key in query strings and that the server never logs such sensitive parameters.
Why it's a bug
The network trace shows a POST to the Sentry ingestion endpoint that includes a sensitive key in the query string (sentry_key=58ff8fddcbe1303f19bc19fbfed46f0f). Exposing credentials in URLs can leak through browser history, logs, and referer headers, enabling misuse or unauthorized ingestion of events.
Why it might not be a bug
If this key is a public DSN key used by Sentry, it is expected to be exposed in client code and is not a secret. The real risk arises only if the key is a private ingestion secret. Confirm whether the key is public; if so, this is not a vulnerability, but best practices still advise not exposing any keys in URLs.
Suggested Fix
Verify whether the DSN in use is a public or private key. If it is private, rotate to a new public DSN and configure the Sentry SDK to read DSN from an environment variable without exposing keys in URLs. Remove the sentry_key parameter from client requests and ensure the DSN is loaded server-side or via environment config (e.g., SENTRY_DSN). Do not log URLs containing credentials. Consider using a backend proxy to forward events if needed.
Why Fix
Prevent potential credential leakage through logs, browser history, and referer headers. Even if DSN is public, minimizing exposure reduces risk and aligns with security best practices. Prevents misuse by attackers attempting unauthorized event ingestion.
Route To
Security Engineer
Page
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Network:
POST https://o4506071217143808.ingest.us.sentry.io/api/4506071220944896/envelope/?sentry_version=7&sentry_key=58ff8fddcbe1303f19bc19fbfed46f0f&sentry_client=sentry.javascript.nextjs%2F10.28.03
Sentry DSN exposed in query parameter (sentry_key) during client-side error reporting
CRIT P9
Prompt to Fix
Review the frontend Sentry initialization to ensure no secret keys are exposed in the client. If the DSN is public, keep it as public DSN and remove any secret tokens from the URL. If a private key is used, implement error reporting via a backend proxy and remove the private key from client-side code. Rotate credentials if necessary. Enforce CORS restrictions and monitor for unexpected ingestion requests.
Why it's a bug
A network request to the Sentry ingestion endpoint includes a sentry_key in the query string. Exposing keys in URLs can be logged by browsers, intermediaries, analytics tools, or referrers, potentially enabling misuse or misattribution of events. Even if this key is the public DSN, best practices discourage exposing any credentials in URLs and warrant validation that no secret is exposed.
Why it might not be a bug
Sentry public DSNs are designed to be public for client-side error reporting. The key in the URL appears to be a public key rather than a secret; however, exposure in any URL could still be logged or misused in edge cases. If this is confirmed as a public DSN, the risk is minimal but still worth noting for best practices.
Suggested Fix
Confirm whether the key is intended to be public. If it is, ensure the DSN used in the frontend is the public DSN and avoid including any secret keys in query strings. If a private key is being used, switch to a server-side error reporting flow or proxy, and rotate credentials. Implement CSP/origin restrictions on the Sentry project and consider removing sensitive query parameters from logs and referrers.
Why Fix
Removing or properly securing credentials in URLs reduces risk of credential leakage through logs, browser history, or third-party analytics, and aligns with secure-by-default practices for third-party integrations.
Route To
Security Engineer
Page
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console:
POST to Sentry ingestion endpoint with sentry_key in query string; third-party domain involved; potential exposure in logs or headersNetwork:
POST https://o4506071217143808.ingest.us.sentry.io/api/4506071220944896/envelope/?sentry_version=7&sentry_key=58ff8fddcbe1303f19bc19fbfed46f0f&sentry_client=sentry.javascript.nextjs%2F10.28.0 - Status: N/A