Glideapps
App Quality Report
Powered by Testers.AI
B (84%)
Quality Score
7
Pages
101
Issues
8.2
Avg Confidence
8.0
Avg Priority
48 Critical · 39 High · 14 Medium
Testers.AI AI Analysis

Glideapps was tested and 101 issues were detected across the site. The most critical finding was: Credentials in URL: PostHog token exposed in query parameters and path. Issues span the Security, Performance, A11y and Other categories. Persona feedback rated Visual highest (8/10) and Accessibility lowest (6/10).

Qualitative Quality (chart: Glideapps vs. Category Avg vs. Best in Category)
Issue Count by Type
Content: 24
UX: 17
A11y: 7
Security: 4
Pages Tested · 7 screenshots
Detected Issues · 101 total
1
Credentials in URL: PostHog token exposed in query parameters and path
CRIT P9
Conf 9/10 · Security, Other
Prompt to Fix
1) Identify what phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533 is: the phc_ prefix is PostHog's project API key, a public, capture-only key meant for browser code, whereas personal API keys (phx_ prefix) can read project data and must never be client-visible. 2) If it is the project key, note that the posthog-js SDK itself builds these URLs (the /array/<key>/config.js remote-config fetch and the /api/surveys/?token= call); a third-party SDK offers no Authorization-header alternative, so the remediation is to confirm that no phx_ key or other secret appears in any client-visible URL, bundle, cookie or storage. 3) If the value is anything other than the public project key, rotate it and replace it with the project key; keep read-capable keys server-side and supply them via headers or secure cookies, never URLs. 4) Send a Referrer-Policy header (strict-origin-when-cross-origin or stricter) and a Content-Security-Policy with script-src and connect-src allow-lists so page URLs and keys are not forwarded to unrelated origins. 5) Add a CI or monitoring check that scans captured requests and logs for phx_ keys or other secret-looking values.
Why it's a bug
The captured network activity carries the token both in a URL query string (token=phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533) and in a URL path segment (a config.js request under /array/phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533/). Values placed in URLs are written to server, CDN and proxy access logs, kept in browser history, forwarded to third parties in the Referer header, and copied into analytics and debug output, so any key that appears there must be assumed to be leaked. If the key were one that permits reading or changing project data, that leak would let an attacker do so; even a public capture-only key lets anyone post events into the project. The report rates this critical; how much of that severity survives depends on which kind of key it is (see below).
Why it might not be a bug
PostHog project API keys carry the phc_ prefix and are documented as public, write-only keys intended to ship in browser code, and the posthog-js SDK places that key in these URLs itself, so its presence in a query string or path is expected for this SDK. If that is what this token is, the finding is a hygiene signal rather than a credential leak, and "Credentials in URL" overstates it. It still warrants review: confirm that no personal API key (phx_ prefix, which can read project data) or other secret appears in client-visible requests, and remember that a known project key lets anyone submit events to the project, so unusual event volume should be monitored.
Suggested Fix
Do not put secrets in URLs. Keep the PostHog project key as a build-time configuration value injected once at build time (not hand-copied into several assets) and verify that it is the public project key rather than a personal key; the key cannot be moved out of the SDK's own request URLs, and an Authorization header does not apply to these third-party endpoints. Send a Referrer-Policy of strict-origin-when-cross-origin or stricter so full page URLs are not forwarded to third parties. Any key that can read or modify data stays server-side and is supplied through HTTP headers (Authorization: Bearer <token>) or secure cookies (HttpOnly, Secure, SameSite), never through query parameters or path segments. Audit all PostHog-related assets and captured requests for phx_ keys or other secrets.
Why Fix
Prevent token leakage via URLs, logs, and Referer headers, reducing risk of unauthorized access or misuse of analytics configuration. Aligns with secure coding practices for handling credentials and API keys.
Route To
Security Engineer
Page
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: Credentials in URL detected in requests to PostHog (token in query string and path).
Network: GET https://us-assets.i.posthog.com/array/phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533/config.js; GET https://us-i.posthog.com/api/surveys/?token=phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533&ip=0&_=
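The check a practitioner would want before routing this finding is an automated scan of the captured requests that separates known-public keys from secrets. The following is an added example by the editor, not Testers.AI or Glide code. It scans URLs for credential-looking values in path segments and query parameters, the two places the report flags, and classifies them using PostHog's documented prefix convention (phc_ is a public, capture-only project key; phx_ is a personal key that can read data). The generic `prefixed-secret` pattern, the regex length bounds, and the `example.invalid` request carrying a fake phx_ key are assumptions constructed for the demonstration.

```javascript
// Added example (editor's, not Testers.AI or Glide code): scan captured
// request URLs for credential-looking values in path segments and query
// parameters. Prefix rules follow PostHog's documented key convention:
// phc_ = project API key (public, capture-only), phx_ = personal API key
// (reads project data, must never be client-side). The third pattern is a
// generic catch-all and the length bounds are assumptions.

const TOKEN_KINDS = [
  { kind: "posthog-project-key", re: /^phc_[A-Za-z0-9]{20,}$/, secret: false },
  { kind: "posthog-personal-key", re: /^phx_[A-Za-z0-9]{20,}$/, secret: true },
  { kind: "prefixed-secret", re: /^(?:sk|ghp|xox[abp])[_-][A-Za-z0-9_-]{16,}$/, secret: true },
];

// Query parameter names that carry credentials even when the value itself
// is not recognised by TOKEN_KINDS.
const SENSITIVE_PARAMS = /^(?:token|api[_-]?key|key|secret|auth|access[_-]?token|password)$/i;

function classifyValue(value) {
  return TOKEN_KINDS.find((k) => k.re.test(value)) || null;
}

// One finding per credential-looking occurrence in a single URL.
function scanUrl(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  for (const segment of url.pathname.split("/").filter(Boolean)) {
    const hit = classifyValue(segment);
    if (hit) {
      findings.push({ host: url.host, where: "path", param: null, kind: hit.kind, secret: hit.secret });
    }
  }
  for (const [name, value] of url.searchParams) {
    const hit = classifyValue(value);
    if (hit || (SENSITIVE_PARAMS.test(name) && value !== "")) {
      findings.push({
        host: url.host,
        where: "query",
        param: name,
        kind: hit ? hit.kind : "unclassified",
        // null = cannot tell from the value alone; check the provider's docs
        secret: hit ? hit.secret : null,
      });
    }
  }
  return findings;
}

// Aggregate over a whole capture: confirmed secrets, known-public keys,
// and occurrences that need a human decision.
function scanCapture(urls) {
  const findings = urls.flatMap(scanUrl);
  return {
    findings,
    confirmedSecrets: findings.filter((f) => f.secret === true).length,
    publicKeys: findings.filter((f) => f.secret === false).length,
    needsReview: findings.filter((f) => f.secret === null).length,
  };
}

// Sample capture: the two PostHog requests quoted in the report's evidence,
// plus a constructed request carrying a fake phx_ key to show the secret case.
const SAMPLE_CAPTURE = [
  "https://us-assets.i.posthog.com/array/phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533/config.js",
  "https://us-i.posthog.com/api/surveys/?token=phc_CYeeEQAYy3aBXVNKkGixozIAYtyiNhxde4q30cnK533&ip=0&_=",
  "https://example.invalid/api/export?api_key=phx_EXAMPLEexampleEXAMPLEexampleEXAMPLEexampleXYZ", // constructed
];

console.log(JSON.stringify(scanCapture(SAMPLE_CAPTURE), null, 2));
```

Run against the report's own evidence, both PostHog occurrences classify as the public project key and the constructed phx_ value is the only confirmed secret; a `token=` parameter with an unrecognised value is reported as needing review rather than silently accepted, which is the case a rule-based scanner most often gets wrong.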
2
Unconsented third-party tracking on explore page (cross-site tracking)
CRIT P9
Conf 9/10 · Other
Prompt to Fix
In the code for the /explore page, wrap all external tracking script loads behind a consent check. After user consents, dynamically inject the following: Google Tag Manager with advertising features disabled, PostHog loaded from a first-party domain or self-hosted, Intercom script only after consent, and LinkedIn/Reddit tracking pixels disabled until consent. Ensure no personal data is sent in query parameters (avoid user identifiers in URLs). Add IP anonymization where possible and set cookies with SameSite=Lax or Strict. Provide a code snippet showing a consent-guarded loader for each external script and update the privacy policy accordingly.
Why it's a bug
The page loads multiple third-party tracking scripts (e.g., Google Tag Manager, PostHog, Intercom, LinkedIn pixel, Reddit pixel, analytics providers) from external domains. These trackers can collect user behavior across sites and may operate without explicit user consent indicators. This enables cross-site tracking and profiling, potentially violating privacy expectations and regulatory requirements.
Why it might not be a bug
If a robust consent mechanism is in place (cookie banner, opt-in analytics), loading trackers post-consent is acceptable. The provided data does not confirm the presence or absence of consent flows, so while risk exists, it may not be a bug if users have opted in.
Suggested Fix
Implement a clear consent mechanism (cookie/privacy banner) and gate all third-party trackers behind explicit user consent. Delay loading of external tracking scripts (GTM, PostHog, Intercom, LinkedIn Pixel, Reddit Pixel) until consent is given. Consider migrating to first-party analytics or self-hosted alternatives, enable IP anonymization, and apply SameSite cookies. Review data exposed to third parties and remove any non-essential data from callback/query strings.
Why Fix
Removing or gating third-party trackers reduces cross-site tracking risk, protects user privacy, and aligns with privacy regulations and user expectations. It also improves trust and reduces potential regulatory exposure.
Route To
Privacy Engineer / Frontend Analytics Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: POTENTIAL ISSUE: Tracking request detected
Network: GET https://analytics.roadwayai.com/tag.js - Status: N/A; GET https://www.redditstatic.com/ads/pixel.js - Status: 200; GET https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=6221860&time=1774472458315&li_adsId=511eacc2-b43e-47d3-acad-1e08333b50c9&url=https%3A%2F%2Fwww.glideapps.com%2Fexplore - Status: N/A; GET https://px.ads.linkedin.com/attribution_trigger?pid=6221860&time=1774472458315&url=https%3A%2F%2Fwww.glideapps.com%2Fexplore - Status: N/A; GET https://snap.licdn.com/li.lms-analytics/insight.min.js - Status: 200; GET https://www.googletagmanager.com/gtm.js?id=GTM-5MXCZVT - Status: 200
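The Prompt to Fix above asks for a consent-guarded loader. The following is an added example by the editor, not Glide's code: a gate that holds third-party script loads until the user opts in to that script's category, loads persisted consent on the next visit, and refuses anything not on its registry. The tracker list is constructed from the hosts quoted in the evidence above; the category assignments, the `consent.categories` storage key, and the `inject`/`storage` parameters (passed in so the logic runs and can be tested outside a browser) are assumptions.

```javascript
// Added example (editor's, not Glide's code): consent gate for third-party
// tracker scripts. `inject` performs the actual script load and `storage`
// is a localStorage-like object; both are injected so this runs headless.
// Tracker hosts come from the report's evidence; categories are assumptions.

const TRACKERS = [
  { id: "gtm", category: "analytics", src: "https://www.googletagmanager.com/gtm.js?id=GTM-5MXCZVT" },
  { id: "linkedin-insight", category: "marketing", src: "https://snap.licdn.com/li.lms-analytics/insight.min.js" },
  { id: "reddit-pixel", category: "marketing", src: "https://www.redditstatic.com/ads/pixel.js" },
];

const STORAGE_KEY = "consent.categories"; // assumed key name

function readStored(storage) {
  if (!storage) return [];
  try {
    return JSON.parse(storage.getItem(STORAGE_KEY) || "[]");
  } catch {
    return [];
  }
}

function createConsentGate(trackers, inject, storage = null) {
  const consented = new Set(readStored(storage));
  const loaded = new Set();

  // Load every registered tracker whose category is consented and that has
  // not been injected yet. A script cannot be un-injected, so loading is
  // one-way: revoking consent only stops future loads.
  function flush() {
    for (const t of trackers) {
      if (consented.has(t.category) && !loaded.has(t.id)) {
        loaded.add(t.id);
        inject(t);
      }
    }
  }

  function persist() {
    if (storage) storage.setItem(STORAGE_KEY, JSON.stringify([...consented]));
  }

  flush(); // honour consent persisted from an earlier visit

  return {
    grant(categories) {
      categories.forEach((c) => consented.add(c));
      persist();
      flush();
      return [...loaded];
    },
    revoke(categories) {
      categories.forEach((c) => consented.delete(c));
      persist();
      return [...consented];
    },
    // Default-deny: an unregistered script is never allowed, whatever the
    // user consented to, so a new tracker cannot slip in without review.
    isAllowed(src) {
      const t = trackers.find((x) => x.src === src);
      return t !== undefined && consented.has(t.category);
    },
    loaded: () => [...loaded],
  };
}

// Browser-side injector: appends an async <script> element for a tracker.
function browserInjector(doc) {
  return (t) => {
    const s = doc.createElement("script");
    s.async = true;
    s.src = t.src;
    doc.head.appendChild(s);
  };
}
```

In a page the wiring is `const gate = createConsentGate(TRACKERS, browserInjector(document), window.localStorage)` with the banner's accept button calling `gate.grant(["analytics", "marketing"])`; nothing in `TRACKERS` is fetched before that call. Intercom and any further vendors are added to the registry with their own category rather than loaded ad hoc, which is what keeps `isAllowed` meaningful as a default-deny list.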
3
AI endpoint debug logs exposed in frontend console
CRIT P9
Conf 9/10 · Security, Other
Prompt to Fix
Remove production console logs that mention 'AI/LLM ENDPOINT DETECTED' or expose internal AI endpoint details. Guard diagnostic logs with an isDev or env.production check, and ensure only safe, high-level messages are logged in production.
Why it's a bug
Console logs reveal AI endpoint mentions (AI/LLM ENDPOINT DETECTED) and other debug text, which could leak internal architecture details and confuse users. This is a potential information disclosure/security risk in production.
Why it might not be a bug
If the "AI/LLM ENDPOINT DETECTED" line originates from the tester's own instrumentation rather than from Glide's shipped bundle, there is nothing to fix on the site. The quoted technical evidence (a DNS failure and a 200 on /customers) does not itself contain the line, so confirm that the string is present in the production JavaScript before routing. If it is in the bundle, a dev-only intention does not help: a log statement that ships is visible in production regardless of why it was written.
Suggested Fix
Remove or gate AI-endpoint diagnostic logs behind a development flag. Sanitize console output to avoid exposing internal endpoints or heuristics. Consider centralizing logs and ensuring production builds strip debug messages.
Why Fix
Reduces security and privacy risks, prevents information leakage about internal AI infrastructure, and improves user experience by avoiding noisy diagnostics in production.
Route To
Security Engineer / Frontend Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: [ERROR] Failed to load resource: net::ERR_NAME_NOT_RESOLVED
Network: GET https://www.glideapps.com/customers - Status: 200
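The Prompt to Fix asks for diagnostics to be gated on a build flag and for production output to carry only safe, high-level messages. The following is an added example by the editor, not Glide's code, showing both halves: a logger that drops debug and info levels when `production` is set, and redacts every URL in whatever it still emits to scheme and host so an internal route name cannot reach the console. The `production` flag stands in for whatever build-time constant the bundler exposes, the `sink` parameter exists so the behaviour can be checked without capturing console output, and the `llm-gateway.example.internal` endpoint is a constructed sample.

```javascript
// Added example (editor's, not Glide's code): production-gated logger with
// URL redaction. `production` stands in for a build-time flag
// (process.env.NODE_ENV, import.meta.env.PROD or a DefinePlugin constant);
// `sink` defaults to console and is injectable for testing.

// Keep only scheme and host of any URL; path and query are where internal
// route names and parameters live.
function redactUrls(text) {
  return text.replace(/https?:\/\/[^\s"')]+/g, (m) => {
    try {
      const u = new URL(m);
      return `${u.protocol}//${u.host}/[redacted]`;
    } catch {
      return "[redacted-url]";
    }
  });
}

function createLogger({ production, sink = console }) {
  const methodFor = { debug: "log", info: "info", warn: "warn", error: "error" };

  // Returns true if the line was emitted and false if the level was
  // suppressed, so the decision can be checked without capturing output.
  function emit(level, ...parts) {
    if (production && (level === "debug" || level === "info")) return false;
    const line = parts.map(String).join(" ");
    sink[methodFor[level]](production ? redactUrls(line) : line);
    return true;
  }

  return {
    debug: (...p) => emit("debug", ...p),
    info: (...p) => emit("info", ...p),
    warn: (...p) => emit("warn", ...p),
    error: (...p) => emit("error", ...p),
  };
}

// Constructed sample: a diagnostic of the kind the report quotes, naming a
// hypothetical internal gateway.
const SAMPLE_ENDPOINT = "https://llm-gateway.example.internal/v1/chat?model=x";
const devLog = createLogger({ production: false });
const prodLog = createLogger({ production: true });
devLog.debug("AI/LLM ENDPOINT DETECTED", SAMPLE_ENDPOINT);  // emitted verbatim
prodLog.debug("AI/LLM ENDPOINT DETECTED", SAMPLE_ENDPOINT); // suppressed
prodLog.error("request failed", SAMPLE_ENDPOINT);           // host only
```

Redacting at the logger rather than at each call site is the point: a developer who adds a new diagnostic later cannot forget to strip the endpoint, and the warn/error lines that must survive in production still identify which host failed without disclosing the route.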
35 more issues detected:
AI/LLM endpoints invoked on page load (potential privacy/per...
DNS resolution failures (ERR_NAME_NOT_RESOLVED) causing bloc...
HTTP 400 Bad Request on resource load
and 32 more...
You're viewing the top 3 issues for Glideapps.