Superblocks
App Quality Report
Powered by Testers.AI
Quality Score: B (84%)
Pages: 7
Issues: 112
Avg Confidence: 8.2
Avg Priority: 8.1
Severity breakdown: 57 Critical · 46 High · 9 Medium
Testers.AI AI Analysis

Superblocks was tested and 112 issues were detected across the site. The most critical finding was: External staging/back-end endpoint exposure in production traffic. Issues span the Security, A11y, Performance and Other categories. Persona feedback rated Visual highest (8/10) and Accessibility lowest (5/10).

Qualitative Quality [chart: Superblocks vs. Category Avg vs. Best in Category; values not captured in this extract]
Issue Count by Type: UX 19 · Content 14 · Security 12 · A11y 7
Pages Tested · 7 screenshots
Detected Issues · 112 total
Issue 1: External staging/back-end endpoint exposure in production traffic
Severity: Critical · Priority P9 · Confidence 9/10 · Categories: Security, Other
Prompt to Fix
In the install flow, replace the external call to knock2-backend-2ba4792164c3.herokuapp.com/install/superblocks_com with a production-controlled endpoint under your own domain (e.g., https://yourdomain.com/api/install/superblocks_com). Remove the 307 redirect to an external host; a 307 preserves the request method and body, so anything the client submits follows the redirect to wherever that host points it. Keep TLS 1.2+/1.3 enforced on the new endpoint, require authentication (Authorization header or API key), apply strict CORS with a restricted allow-origin, and make sure every backend service in the flow is under your own control. Add monitoring and rate limiting on the new endpoint and remove any hardcoded external references from the client.
Why it's a bug
The request to an external Heroku app (knock2-backend-2ba4792164c3.herokuapp.com) in the install flow, answered with a 307 redirect, indicates that production traffic depends on a third-party or staging backend. That expands the attack surface, exposes whatever the install flow sends to a domain the organization does not control, and leaves the configuration and data handling of that host outside the organization's change control and monitoring.
Why it might not be a bug
If this external endpoint is an approved, documented part of the production install flow with proper auth and controls, it may be legitimate. However, the presence of an external backend in production traffic is highly suspicious and warrants immediate verification.
Suggested Fix
Audit all back-end endpoints used in critical user flows. Where possible, migrate the install flow to internal, authenticated endpoints under your own domain (same-origin where feasible). Remove or replace the external Heroku endpoint with a production-ready API gateway. Enforce strict authentication, proper CORS, and no redirects to untrusted domains. Maintain an allowlist of permitted outbound domains (in the browser, a Content-Security-Policy connect-src directive enforces it) and remove non-essential external services from critical paths.
Why Fix
Eliminating reliance on an external/staging backend reduces data exposure risk, prevents potential data leakage, and minimizes supply-chain risk. It also improves traceability and control over authentication, logging, and rate limiting.
Route To: Security Engineer; Backend/Platform Engineer
Page: (not recorded in the report)
Tester: Sharon · Security Networking Analyzer
Technical Evidence
Network: GET https://knock2-backend-2ba4792164c3.herokuapp.com/install/superblocks_com - Status: 307
Issue 2: Unconsented third-party tracking across analytics and advertising networks
Severity: Critical · Priority P9 · Confidence 9/10 · Categories: Other
Prompt to Fix
Audit all third-party tracking scripts loaded on the page. For each third-party tracker, confirm whether user consent is required and implemented. Gate all trackers behind explicit opt-in, remove non-essential trackers, and replace with privacy-preserving alternatives. Provide a CMP integration plan and update to ensure trackers do not run without user consent.
Why it's a bug
The page loads multiple third-party tracking scripts (e.g., Google GTM, Reddit ads pixel, Twitter ads, LinkedIn analytics, CrazyEgg) without clear consent indicators. This enables cross-site user profiling and data sharing with external services, increasing privacy risk.
Why it might not be a bug
If a robust consent management mechanism is in place and users opt in/out, tracking could be acceptable. However, there is no evidence in the traffic snippet of explicit consent gating, making this a high-risk scenario.
Suggested Fix
Implement a consent management platform (CMP) and gate all third-party trackers behind explicit user consent, so that no tracker script loads or fires before an opt-in is recorded. Reduce the number of third-party services where possible, or host analytics on a first-party domain. Honor the Global Privacy Control signal (the Sec-GPC request header / navigator.globalPrivacyControl), and Do Not Track where a browser still sends it, as an opt-out, and apply a strict data minimization policy to all outbound requests.
Why Fix
Reduces exposure of user behavior to external entities, improves trust, and aligns with privacy regulations requiring informed consent for tracking.
Route To: Privacy Engineer
Page: (not recorded in the report)
Tester: Pete · Privacy Networking Analyzer
Technical Evidence
Console: ⚠️ POTENTIAL ISSUE: Tracking request detected
Network: GET https://www.redditstatic.com/ads/pixel.js - Status: N/A
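The consent gating the fix describes, as an added example that is not Superblocks' code and not any particular CMP's API: trackers are registered with a purpose, nothing loads until an explicit opt-in for that purpose is recorded, a Global Privacy Control signal overrides an advertising opt-in, and revocation reports which already-executed scripts cannot be unloaded without a page reload. The tracker names, the placeholder script URLs other than the Reddit pixel quoted in the evidence, and the injected `load` callback (which a real page would use to insert the script tag) are constructed for the example.

```javascript
// Added example: minimal consent gate for third-party trackers.
// Not Superblocks' or Testers.AI's code; not modelled on a specific CMP.

const PURPOSES = ["analytics", "advertising"];

function createConsentGate(options = {}) {
  const load = options.load || (() => {});           // how a tracker is actually loaded (script tag in a real page)
  const gpc = options.globalPrivacyControl === true; // navigator.globalPrivacyControl / Sec-GPC, passed in by caller
  const consent = {};      // purpose -> true/false; undefined means no decision recorded yet
  const trackers = [];     // registered trackers in registration order
  const loaded = new Set();

  // Anything short of an explicit opt-in blocks; GPC overrides an advertising opt-in.
  function allowed(purpose) {
    if (gpc && purpose === "advertising") return false;
    return consent[purpose] === true;
  }

  // Load every registered tracker whose purpose is now permitted, exactly once.
  function flush() {
    for (const t of trackers) {
      if (!loaded.has(t.name) && allowed(t.purpose)) {
        loaded.add(t.name);
        load(t);
      }
    }
  }

  function register(name, purpose, src) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    trackers.push({ name, purpose, src });
    flush(); // a tracker registered after consent was given loads immediately
  }

  function setConsent(decision) {
    for (const p of PURPOSES) if (p in decision) consent[p] = decision[p] === true;
    flush();
  }

  // Revocation stops future loads; scripts that already ran cannot be unloaded,
  // so return their names so the page can warn or reload.
  function revoke(purpose) {
    consent[purpose] = false;
    return trackers
      .filter((t) => t.purpose === purpose && loaded.has(t.name))
      .map((t) => t.name);
  }

  return { register, setConsent, revoke, allowed, loadedTrackers: () => Array.from(loaded) };
}

// Constructed scenario using the kinds of trackers the finding names.
function demo(gpc = false) {
  const loads = [];
  const gate = createConsentGate({ load: (t) => loads.push(t.name), globalPrivacyControl: gpc });
  gate.register("gtm", "analytics", "https://analytics.example/gtm.js");          // placeholder URL
  gate.register("reddit-pixel", "advertising", "https://www.redditstatic.com/ads/pixel.js"); // from the evidence
  gate.register("linkedin", "analytics", "https://analytics.example/insight.js"); // placeholder URL
  const beforeConsent = loads.length;              // must be 0: nothing loads before a decision
  gate.setConsent({ analytics: true, advertising: true });
  const afterConsent = gate.loadedTrackers();
  const stillRunning = gate.revoke("analytics");   // already-executed analytics scripts
  return { beforeConsent, afterConsent, stillRunning };
}

console.log(demo(false));
console.log(demo(true)); // with GPC set, the advertising pixel never loads
```

The default-deny shape is the point: a tracker only reaches `load` when `allowed()` returns true for its purpose, so a page that forgets to call `setConsent` ships no trackers rather than all of them.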
Issue 3: Insecure HTTP signup link found in navigation
Severity: Critical · Priority P9 · Confidence 9/10 · Categories: Security, Other
Prompt to Fix
Update the signup link to use HTTPS. If it opens in a new tab (target="_blank"), add rel="noopener". Scan the navigation data for any remaining HTTP links and convert them to HTTPS.
Why it's a bug
The navigation includes an anchor with an insecure HTTP URL (http://app.superblocks.com/signup). Following it starts the signup flow with a plaintext request that an on-path attacker can read, modify, or redirect before any HTTPS redirect or HSTS policy takes effect. (A link is not mixed content in the browser sense, since it is not a subresource loaded into the page, but it is an insecure entry point into an authentication flow.)
Why it might not be a bug
If app.superblocks.com redirects HTTP to HTTPS, or is on the HSTS preload list, browsers will reach the secure origin anyway. The first request is still sent in the clear unless the host is preloaded, so HTTPS remains the correct default regardless of redirects.
Suggested Fix
Change the href to https://app.superblocks.com/signup and, if opening in a new tab, include rel="noopener". Audit for any other HTTP links and convert them to HTTPS.
Why Fix
Prevents potential eavesdropping/man-in-the-middle risks and aligns with modern security practices, boosting user trust.
Route To: Security Engineer / Frontend Engineer
Page: (not recorded in the report)
Tester: Jason · GenAI Code Analyzer
Technical Evidence
Console: Page Content shows a link with http://app.superblocks.com/signup
Network: N/A (no explicit network call shown for this anchor in the logs)
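The audits that Issue 1 ("remove any hardcoded external references from the client", allowlist permitted domains) and Issue 3 ("scan the navigation data for any remaining HTTP links") both call for come down to the same check over a page or bundle: extract every absolute URL, flag the http: scheme, flag hosts outside a first-party allowlist, and flag target="_blank" anchors without rel="noopener". The following is an added example that is not Superblocks' or Testers.AI's code. The first-party allowlist (`superblocks.com` and its subdomains) is an assumption; the sample HTML is constructed and contains the two URLs quoted in the report's evidence plus one first-party link that should pass.

```javascript
// Added example: static audit of outbound URLs in a page or client bundle.
// Not Superblocks' or Testers.AI's code. FIRST_PARTY is an assumption.

const FIRST_PARTY = ["superblocks.com"]; // assumed: the only hosts production may talk to

// A host is first-party if it equals an allowlisted domain or is a subdomain of it
// ("evilsuperblocks.com" and "superblocks.com.evil.test" must both fail).
function isFirstParty(hostname, allow = FIRST_PARTY) {
  const h = hostname.toLowerCase();
  return allow.some((d) => h === d || h.endsWith("." + d));
}

// Pull absolute URLs out of href/src attributes and out of quoted string
// literals, which is where hardcoded endpoints hide in JS bundles.
function extractUrls(text) {
  const re = /https?:\/\/[^\s"'<>)\]]+/g;
  return Array.from(new Set(text.match(re) || []));
}

// Anchors that open a new tab without rel="noopener" hand window.opener to the target.
function findUnsafeBlankTargets(html) {
  const out = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const opensNewTab = /target\s*=\s*["']?_blank/i.test(tag);
    const hasNoopener = /rel\s*=\s*["'][^"']*noopener/i.test(tag);
    if (opensNewTab && !hasNoopener) out.push(tag);
  }
  return out;
}

function auditUrls(text, allow = FIRST_PARTY) {
  const findings = [];
  for (const raw of extractUrls(text)) {
    let u;
    try { u = new URL(raw); } catch { continue; } // skip fragments the regex over-matched
    if (u.protocol === "http:") {
      findings.push({ kind: "insecure-scheme", severity: "critical", url: raw });
    }
    if (!isFirstParty(u.hostname, allow)) {
      findings.push({ kind: "external-host", severity: "critical", url: raw, host: u.hostname });
    }
  }
  for (const tag of findUnsafeBlankTargets(text)) {
    findings.push({ kind: "blank-without-noopener", severity: "medium", url: tag });
  }
  return findings;
}

// Constructed sample: the two URLs from the report's evidence plus a first-party link.
const SAMPLE_HTML = `
<nav>
  <a href="http://app.superblocks.com/signup">Sign up</a>
  <a href="https://www.superblocks.com/pricing" target="_blank">Pricing</a>
</nav>
<script>
  const INSTALL = "https://knock2-backend-2ba4792164c3.herokuapp.com/install/superblocks_com";
</script>`;

function runSample() {
  return auditUrls(SAMPLE_HTML);
}

for (const f of runSample()) console.log(f.severity, f.kind, f.url);
```

Run against a built bundle in CI and fail the build on any critical finding; the same allowlist can then be emitted as the page's Content-Security-Policy connect-src so that the browser blocks at runtime whatever the scan missed.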
47 more issues detected (titles truncated):
Transmission of a unique user identifier (auid) to Google CC...
Pricing page triggers multiple third-party trackers without ...
Staging assets loaded on production domain (potential inform...
and 44 more...
You're viewing the top 3 issues for Superblocks.