Next
App Quality Report
Powered by Testers.AI

Quality Score: B (84%)
Pages: 6
Issues: 141
Avg Confidence: 7.3
Avg Priority: 7.5
31 Critical, 77 High, 32 Medium, 1 Low

Testers.AI AI Analysis

Next scored B (84%) with 141 issues across 7 tested pages, ranking #14 of 20 UK retail sites. That's 11 more than the 130.2 category average (35th percentile).

Top issues to fix immediately: "Multiple DNS Resolution Failures - Critical Network Issues" - 1) Identify which exact URLs are failing to resolve by adding more specific logging to the network requests; "Exposed Google Maps API Key in Client-Side Request" - Implement a server-side proxy endpoint that accepts map requests from the client and forwards them to Google Maps API...; "Exposed Google Maps API Key in Network Request" - 1) Immediately rotate and revoke the exposed API key in Google Cloud Console.

Weakest area - accessibility (5/10): Images lack visible alt text indicators, color contrast in some sections may be insufficient, and interactive elements lack cle...

Quick wins: Enhance accessibility by adding clear alt text to all images, improving color contrast ratios, and implementing visible.... Improve navigation hierarchy by making main category links more prominent in the header or adding a persistent....

[Chart: Qualitative Quality (Next vs. Category Avg vs. Best in Category)]
Issue Count by Type
A11y: 34
Content: 27
UX: 6
Security: 2
Visual: 1
Legal: 1
Pages Tested · 6 screenshots
Detected Issues · 141 total
1. Exposed Google Maps API Key in Client-Side Request
CRIT P10
Conf 9/10 Other, Security
Prompt to Fix
Create a server-side endpoint '/api/maps-proxy' that accepts map initialization requests. Instead of exposing the Google Maps API key in client-side code, have the client call this endpoint which internally uses a server-restricted API key to load Google Maps. Apply API key restrictions in Google Cloud Console to only allow requests from your backend server IP and referrer next.co.uk domain. Remove the exposed API key from the client-side maps initialization and route all requests through the server proxy.
Why it's a bug
The Google Maps API key 'AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM' is exposed in a client-side GET request URL parameter. This allows anyone to extract the key from network traffic or browser DevTools, enabling unauthorized use of the Maps API under Next's account, potential quota exhaustion attacks, and billing fraud. Google Maps API keys exposed in production are high-priority security issues.
Why it might not be a bug
Google Maps API keys are sometimes intentionally exposed in client-side code as they are browser keys, but best practice is to use server-side key proxy requests or implement API key restrictions (HTTP referrer restrictions, IP restrictions) to minimize exposure risk.
Suggested Fix
Implement a server-side proxy endpoint that accepts map requests from the client and forwards them to Google Maps API using a restricted server-side API key. Alternatively, restrict the exposed key to specific HTTP referrers (next.co.uk domain only), enable Maps JavaScript API restrictions, and monitor API usage regularly.
Why Fix
Protecting API keys prevents unauthorized API usage, quota exhaustion, and unexpected billing charges. It also prevents attackers from using the key to enumerate store locations or scrape geographic data.
Route To
Backend/Infrastructure Engineer, Security Engineer
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: Google Maps API Key visible in Network tab
Network: GET https://maps.googleapis.com/maps/api/js?v=3&key=AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM&callback=googleMapsApiLoadCallback
2. Exposed Google Maps API Key in Network Request
CRIT P10
Conf 9/10 Other, Security
Prompt to Fix
Your Next.co.uk codebase exposes a Google Maps API key in plaintext in the client-side JavaScript request. The key 'AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM' appears in the network request URL. Fix this critical security vulnerability by: (1) Creating a backend API endpoint that proxies Google Maps requests without exposing the key to the client, (2) Moving the API key from client-side code to a server-side environment variable, (3) Updating the client-side code to call your backend proxy instead of calling Google Maps directly with the exposed key. Provide the corrected server-side proxy code and client-side fetch call that securely accesses Google Maps through your backend.
Why it's a bug
The Google Maps API key 'AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM' is visible in plaintext in the network request URL: 'https://maps.googleapis.com/maps/api/js?v=3&key=AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM&callback=googleMapsApiLoadCallback'. This is a critical security vulnerability because: (1) the key is exposed in browser network traffic, (2) it can be harvested by attackers monitoring network requests, (3) it enables unauthorized usage of Google Maps APIs at the company's expense, (4) it violates Google's security best practices for API key management. This is a common GenAI mistake where developers hardcode credentials without implementing proper server-side proxying or environment-based key management.
Why it might not be a bug
Google Maps API keys with IP restrictions or usage limits may have reduced risk, and the key might be intended for public web use with browser restrictions enabled. However, this does not justify exposing the key in source or network traffic - proper practices still require server-side proxying or OAuth.
Suggested Fix
1) Immediately rotate and revoke the exposed API key in Google Cloud Console. 2) Implement a server-side proxy endpoint that handles Google Maps API requests without exposing the key to the client. 3) Use environment variables or a secure configuration service (AWS Secrets Manager, HashiCorp Vault) to store the key. 4) If using the key client-side, restrict it in Google Cloud Console to specific domains, HTTP referrers, and Maps API products only. 5) Consider using Google Maps Platform's web service APIs through a backend instead of the JavaScript API.
Why Fix
Exposed API keys are a critical security risk that directly enables unauthorized access to billable services and data. This can result in financial fraud, data breach, and compliance violations (GDPR, PCI-DSS). Fixing this prevents attackers from abusing the Maps API quota and protects the organization from unexpected charges.
Route To
Security Engineer / DevOps Engineer / Backend Engineer
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: N/A - visible in network request
Network: GET https://maps.googleapis.com/maps/api/js?v=3&key=AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM&callback=googleMapsApiLoadCallback - Status: N/A
3. Google Maps API Key Exposed in Client-Side Network Request
CRIT P9
Conf 9/10 Other
Prompt to Fix
The Google Maps API key 'AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM' is being exposed in client-side JavaScript network requests at: https://maps.googleapis.com/maps/api/js?v=3&key=AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM. This credential must never be exposed in client-side code. Create a new backend API endpoint that handles all Google Maps requests server-to-server. The frontend should call your backend endpoint instead of calling Google Maps directly. Remove the API key from all client-side code and initialize Google Maps only through authenticated backend responses. Implement strict API key restrictions in Google Cloud Console (HTTP referrer restrictions to your domain only).
Why it's a bug
The Google Maps API key 'AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM' is exposed in plain text in the network request URL. This credential is visible to anyone inspecting network traffic and can be abused to make unauthorized requests against Next's Google Maps quota, incurring costs and potentially exposing location-based functionality. Exposed API keys are a critical security vulnerability that can lead to service abuse, cost overages, and data exposure.
Why it might not be a bug
Google Maps API keys can technically be made public if properly restricted with API constraints (domain/IP restrictions), however the exposure in client-side requests is still a security risk and violates best practices for credential handling.
Suggested Fix
Move the Google Maps API initialization to the backend. Implement a server-side endpoint that authenticates the user and returns map data or tile URLs without exposing the raw API key. Use backend-to-backend communication with Google Maps API and implement proper API key restrictions by domain and HTTP referrer.
Why Fix
Protecting API credentials prevents unauthorized access, quota abuse, potential cost overages, and maintains security posture. This is a fundamental security requirement for all API keys.
Route To
Backend Engineer / DevOps / Security Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: Google Maps API initialization
Network: GET https://maps.googleapis.com/maps/api/js?v=3&key=AIzaSyBp7ukJ04Ku2k9OjqRQP0aw2S1uzW-JqTM&callback=googleMapsApiLoadCallback
138 more issues detected
Multiple DNS Resolution Failures - Critical Network Issues
Critical: Multiple DNS Resolution Failures (ERR_NAME_NOT_RES...
Multiple DNS Resolution Failures - Network Resources Not Loa...
and 135 more...
You're viewing the top 3 issues for Next.