C+79%
Quality Score
6
Pages
103
Issues
8.0
Avg Confidence
7.9
Avg Priority
37 Critical52 High14 Medium
>_ Testers.AI
AI Analysis
Minecraftforfreex was tested and 103 issues were detected across the site. The most critical finding was: PII-like Tracking Identifier Exposed in Google Analytics Requests. Issues span Security, A11y, Performance, Other categories. Persona feedback rated Design highest (5/10) and Accessibility lowest (3/10).
Qualitative Quality
Minecraftforfreex
Category Avg
Best in Category
Pages Tested · 6 screenshots
Homepage
minecraftforfreex.com.eaglercraft.
minecraftforfreex.com.eaglercraft.
minecraftforfreex.com.eaglercraft.
minecraftforfreex.com.eaglercraft.
minecraftforfreex.com.eaglercraft.
Detected Issues · 103 total
1
PII-like Tracking Identifier Exposed in Google Analytics Requests
CRIT P9
Prompt to Fix
Audit all client-side analytics calls (GA4/Universal Analytics) for exposure of client identifiers in URLs (cid) and any other PII-like tokens. Implement consent gating before loading analytics scripts. Remove or mask cid in all client requests. Enable IP anonymization where applicable. Update privacy policy and CMP prompts to clearly disclose analytics collection and third-party sharing. Provide a minimal data collection configuration that emphasizes privacy (e.g., disable personalization by default, restrict data retention).
Why it's a bug
Google Analytics requests include a client identifier (cid) in query strings and analytics payloads (e.g., cid=721357161.1774522430). This is a persistent, unique user identifier that facilitates cross-site/user profiling. There is no clear consent gating demonstrated for analytics collection in the provided activity, violating data minimization and user privacy expectations.
Why it might not be a bug
Analytics is common for site metrics; if a consent mechanism were in place and privacy policy disclosed this usage, it could be acceptable. However, no explicit consent gating is evident in the provided data, making it a high-risk privacy issue.
Suggested Fix
Gate analytics scripts behind a explicit consent mechanism (CMP). Do not send client identifiers or personal-like IDs until consent is granted. Consider anonymizing IPs and configuring GA4 with privacy-focused settings (e.g., anonymize_ip, reduced data retention). Prefer first-party analytics with server-side processing where possible and remove or obfuscate cid from client requests.
Why Fix
Protect user privacy, comply with data protection regulations, and reduce cross-site tracking risk. Improves user trust and reduces potential regulatory exposure.
Route To
Privacy Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console:
POTENTIAL ISSUE: Tracking request detectedNetwork:
GET https://www.google-analytics.com/analytics.js; POST https://www.google-analytics.com/j/collect?v=1&_v=j102&a=1142950602&t=pageview&_s=1&dl=https%3A%2F%2Fminecraftforfreex.com%2Feaglercraft%2F&ul=en-us&dt=Eaglercraft&sr=800x600&vp=1920x1080&_u=IEBAAEABAAAAACAAI~&jid=725220773&gjid=1842816513&cid=721357161.1774522430&_gid=1270094844.1774522430&_r=1&_slc=1&z=1476132718; POST https://analytics.google.com/g/collect?v=2&tid=G-80SFHYWE59&cid=721357161.1774522430&_p=1774522429531&_gaz=1&dl=https%3A%2F%2Fminecraftforfreex.com%2Feaglercraft%2F&dt=Eaglercraft&en=page_view&_fv=1&_ss=1&_ee=1&tfd=8052
Unconsented third-party analytics & ads tracking on site
CRIT P9
Prompt to Fix
In code, wrap all Google Analytics, Tag Manager, and Ads scripts loading behind a consent check. Add a CMP that records explicit consent for analytics/advertising cookies. Enable IP anonymization (e.g., set anonymize_ip = true in GA) and disable personalization. Do not send DoNotTrack-agnostic data until consent is granted. Provide a clear privacy policy update explaining data flows to Google services and third-party sharing. Implement a mechanism to opt out of tracking retroactively for previously captured data.
Why it's a bug
The page loads Google Analytics, Google Tag Manager, and Google Ads/DoubleClick endpoints, transmitting navigation data (URL, page title), user agent hints, screen size, and viewport information to third parties without clear evidence of a user consent flow in logs. This constitutes cross-site tracking and data sharing with analytics/advertising networks, which can violate privacy regulations if not consented.
Why it might not be a bug
If a privacy-compliant consent management platform (CMP) is in place and analytics/ads scripts only load after user consent, this would be expected behavior. The provided logs do not show any consent prompt or CMP activity, suggesting consent may be missing, which is a privacy risk rather than a mitigated case.
Suggested Fix
Implement a consent banner CMP and defer all third-party analytics/ads until explicit user consent is given. Enable IP anonymization in analytics, respect Do Not Track, and consider loading tags lazily after consent. Remove or obfuscate unnecessary data in requests (e.g., avoid sending detailed page data to third parties unless required).
Why Fix
Restores user privacy, reduces regulatory risk (GDPR/CCPA), and improves user trust by ensuring tracking only occurs with explicit consent.
Route To
Privacy Engineer / Frontend Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console:
⚠️ POTENTIAL ISSUE: Tracking request detectedNetwork:
POST https://www.google-analytics.com/j/collect?...tid=UA-70337607-1 (analytics hit with page URL, title, and device params); GET https://www.google-analytics.com/analytics.js; GET https://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-6919167857759480; GET https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6919167857759480&url=https%3A%2F%2Fminecraftforfreex.com%2F3
Excessive AI endpoint usage detected on page load
CRIT P9
Prompt to Fix
Audit all client-side AI/LLM invocations and remove any on-load calls. Move AI logic behind a consent-gating UI. Implement a single, server-side AI endpoint with strict data-handling controls. Add feature flags and run a security/privacy review before shipping.
Why it's a bug
The console shows repeated AI/LLM endpoint detections (⚠️ AI/LLM ENDPOINT DETECTED) indicating that multiple AI calls are being triggered during page load, potentially leaking user data and causing performance issues without explicit user consent.
Why it might not be a bug
If AI calls are essential for content, they should be explicitly user-consented and gated; otherwise they degrade UX and raise privacy concerns.
Suggested Fix
Delay or gate all AI/LLM calls behind explicit user action or a clear consent banner; consolidate calls to a single, well-guarded backend endpoint; implement feature flags and lazy-load AI features only after user opt-in.
Why Fix
Reduces privacy risk, improves performance, and aligns with best practices for user consent when invoking AI services from the client.
Route To
Frontend Engineer / Privacy/Security Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console:
[⚠️ AI/LLM ENDPOINT DETECTED]Network:
GET https://www.googletagmanager.com/gtag/js?id=G-80SFHYWE59 - Status: N/A