B85%
Quality Score
7
Pages
77
Issues
7.8
Avg Confidence
7.6
Avg Priority
30 Critical28 High19 Medium
>_ Testers.AI
AI Analysis
Testri.De was tested and 77 issues were detected across the site. The most critical finding was: PII exposure via user-name-coded asset URLs. Issues span Performance, A11y, Other, UX categories. Persona feedback rated Visual highest (7/10) and Accessibility lowest (5/10).
Qualitative Quality
Testri.De
Category Avg
Best in Category
Pages Tested · 7 screenshots
Homepage
testri.de
testri.de
testri.de
testri.de
testri.de
testri.de
Detected Issues · 77 total
1
PII exposure via user-name-coded asset URLs
CRIT P9
Prompt to Fix
Identify asset URLs that include personal names (e.g., /images/steffen-profile.webp, /images/steffen-icon-trans-bw-100px.webp). Replace with non-identifying paths (e.g., /images/profiles/{id}.webp or /images/user-{id}-profile.webp) and serve images via a backend endpoint that takes a non-identifying userID. Strip or mask user-identifying segments from logs and referer headers. Update the build to generate hashed asset names or use a content-addressable storage approach. Ensure all references to user assets use the non-identifying URL scheme and implement automated checks to prevent future PII in asset paths.
Why it's a bug
Asset URLs contain a personal name (e.g., steffen-profile.webp, steffen-icon-trans-bw-100px.webp). This reveals user identity in network requests, logs, and potentially referer headers when the assets are fetched, enabling basic user profiling or leakage of personal data through logs and analytics.
Why it might not be a bug
If the filenames are purely static placeholders used for demonstrative content and are not tied to real users, risk is lower. However, any real user name appearing in asset paths can still leak PII through logs and third-party analytics and should be treated as a privacy concern.
Suggested Fix
1) Remove real names from asset filenames and paths (e.g., use hashed IDs or generic placeholders like user-123-profile.webp). 2) Serve user images via an API endpoint that accepts a non-identifying ID and returns the image, rather than embedding the username in the URL. 3) Configure server/logging to redact or mask identifiers in URL paths and Referer headers. 4) Consider using a CDN with per-tenant hashed paths and strict referer/log redaction. 5) Audit all asset URLs for potential PII leakage and implement automated checks to prevent embedding user-identifying strings in asset paths.
Why Fix
Reducing exposure of personal identifiers in network requests minimizes data leakage risk, supports data minimization principles, and helps comply with privacy regulations (e.g., GDPR/CCPA) by preventing user identity from appearing in logs and analytics tooling.
Route To
Privacy Engineer / Frontend Security Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Network:
GET https://testri.de/images/steffen-profile.webp; GET https://testri.de/images/steffen-icon-trans-bw-100px.webp2
AI/LLM endpoint called on initial page load (no user interaction)
CRIT P9
Prompt to Fix
Refactor the app so that all AI/LLM endpoint calls are strictly lazy-loaded and only triggered by explicit user actions. Remove on-load calls, add a consent/feature-flag gate, and implement a loading skeleton while awaiting user interaction.
Why it's a bug
Network logs indicate an AI/LLM endpoint is detected during the initial load, suggesting an LLM API is invoked before any user action. This can degrade performance, increase latency, reveal prompts, and surprise users.
Why it might not be a bug
If the AI call is essential for initial rendering, it may be justified; however, the evidence shows detection without user action, which is generally undesirable.
Suggested Fix
Defer AI/LLM API calls until explicit user action or consent. Implement lazy-loading or feature flags to control AI usage, and ensure UI rendering does not trigger AI calls on first paint.
Why Fix
Improves performance, privacy, and user trust by avoiding unexpected AI calls at page load.
Route To
Frontend Engineer / Performance Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console:
⚠️ AI/LLM ENDPOINT DETECTEDNetwork:
GET https://testri.de/#main-content - Status: 200; GET https://testri.de/_app/immutable/entry/start.FvU3edLL.js - Status: N/A3
Truncated/unfinished className string in button element (AI-generated code artifact)
CRIT P9
Prompt to Fix
Inspect the Page Content JSON and fix the truncated button entry. Ensure the button object has a properly formed text value, a valid JSON string for className (complete and closed), and that all JSON braces are balanced. Example fix: replace the broken segment with a complete entry such as {"text":"","tagName":"BUTTON","type":"submit","id":"","className":"absolute -left-2 sm:left-0 top-1/2 -translate-y-1/2 flex items-center justify-center p-2","...rest_of_properties":...} and verify the entire Page Content array parses correctly.
Why it's a bug
The Page Content JSON shows a button object with an incomplete className value and an unclosed string: "className":"absolute -left-2 sm:left-0 top-1/2 -translate-y-1/2 ". This indicates an AI-generated stub that was not finalized, potentially causing a runtime parse error or broken UI rendering (missing styles, broken layout) when the page is built.
Why it might not be a bug
If this is merely a snippet in documentation or a non-rendered portion of the data, the final deployed code may have a correct string. However, the visible truncated snippet strongly suggests a broken build artifact rather than a harmless placeholder.
Suggested Fix
Complete the className value for the button, ensuring valid JSON syntax and a complete Tailwind class string. Example: "className":"absolute -left-2 sm:left-0 top-1/2 -translate-y-1/2 -translate-x-0 flex items-center justify-center p-2" and close the JSON object properly. Remove any stray line breaks within the string and ensure the entire Page Content JSON is syntactically valid.
Why Fix
Fixing this artifact prevents a possible syntax/runtime error and ensures the UI renders as intended, preserving layout and accessibility.
Route To
Frontend/React (Next.js) UI Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console:
No console logs available