Quality Assurance
vercel.com
Automated scan of vercel.com via QA Explorer (claude-sonnet-4-6). Covered 15 pages, ran 246 scripted test cases (177 passed), and surfaced 39 unique findings across functionality, UX, accessibility, performance, and security.
Confidential
Environmenthttps://vercel.com/
Projectvercel.com
MethodologyAutomated end-to-end exploratory scan (Playwright + DOM extraction)
TesterQA Explorer (automated)
Report Date2026-05-22
39
New Bugs
Bugs Fixed
UX Improved
246
Cases Run
177
Passed
39 findings · 1 critical · 9 high · 39 unique
Production Impact: 1 critical defect is present and should block release until remediated.
1Executive Summary
Vercel's marketing site is structurally sound — all 15 pages returned successful responses, internal links are clean, and navigation works as expected. However, the scan uncovered a meaningful cluster of security, accessibility, and reliability issues that collectively create legal exposure, undermine trust, and deliver a degraded experience to users with disabilities or slow connections.

The most serious issues are in three areas. First, tracking cookies are being set on visitors' browsers before any consent is obtained, and no consent banner was detected — this is a likely violation of GDPR, CCPA, and similar privacy regulations, and is especially ironic on a platform that markets compliance features. Second, several security response headers are missing inconsistently across pages, suggesting a misconfiguration at the CDN or edge layer rather than a deliberate policy. Third, the site has significant accessibility gaps: multiple pages have insufficient color contrast that fails WCAG AA, 34 links and 17 buttons have no accessible name, and heading structure is broken on many pages — collectively these may constitute ADA/WCAG non-compliance for a flagship commercial product.

The team should address the cookie consent issue immediately as it carries regulatory risk, then fix the edge-layer header configuration in a single pass to resolve the cluster of missing security headers. Accessibility remediation — contrast ratios, accessible names on interactive elements, and heading hierarchy — should follow as a coordinated sprint. Finally, the broken GitHub Discussions external link, the JavaScript fetch error blocking the 'Get Started' CTA, and the oversized page payloads on the AI Gateway and Previews pages should be resolved to protect conversion and performance.

Production impact. 1 critical defect is present and should block release until remediated.
2Test Scope & Environment
FieldValue
Applicationvercel.com
Environmenthttps://vercel.com/
MethodologyAutomated end-to-end exploratory scan — headless Chromium crawls same-origin links, captures DOM/console/screenshots, analyzer derives findings.
Pages Scanned15
Duration2 min 48 s
Report ID9bd542e3-1469-48b4-88da-de510f46c184
Analyzerclaude-sonnet-4-6
3Test Execution Details
Scripted test cases executed against the target. Status values follow the test runner's convention (PASS / FAIL / UX / BLOCKED).
TS-NAV — Navigation & Page Load Tests
#Test StepExpected ResultActual ResultStatus
1Open homepageThe homepage should load successfully with all primary content visible.HTTP 200, loaded in 0.49s, 36 headings, 134 links, 48 images.✓ PASS
2Open Home pageThe Home page should load successfully with all content visible.HTTP 200, loaded in 0.72s, 36 headings, 134 links, 48 images.✓ PASS
3Open Ai pageThe Ai page should load successfully with all content visible.HTTP 200, loaded in 0.39s, 32 headings, 122 links, 47 images.✓ PASS
… and 12 more — all passed✓ PASS
TS-LINKS — Internal Link Health
#Test StepExpected ResultActual ResultStatus
1HEAD /"Skip to content"The "Skip to content" link should resolve to a working page.Link resolves correctly (HTTP 200).✓ PASS
2HEAD /home"Skip to content" · linked from 14 pagesThe "Skip to content" link should resolve to a working page.Link resolves correctly (HTTP 200).✓ PASS
3HEAD /ai"AI Cloud" · linked from 14 pagesThe "AI Cloud" link should resolve to a working page.Link resolves correctly (HTTP 200).✓ PASS
… and 47 more — all passed✓ PASS
TS-SEC — Security Headers & Cookies
#Test StepExpected ResultActual ResultStatus
1Check Strict-Transport-Security security headersampled 2 pagesHeader present with max-age ≥ 31536000 (1 year)Present, max-age=31536000; includeSubDomains; preload.✓ PASS
2Check for Content Security Policy headerThe server should send a Content Security Policy header to protect against injection attacks.The header was not set on 1 of 2 samples tested.✗ FAIL
3Check for X-Content-Type-Options headerThe server should send an X-Content-Type-Options header set to 'nosniff' to prevent browsers from interpreting files as a different type.The header was not set on 1 of 2 samples tested.✗ FAIL
4Check for X-Frame-Options headerThe server should send an X-Frame-Options header set to either DENY or SAMEORIGIN to prevent clickjacking attacks.The header was not set on 1 of 2 samples tested.✗ FAIL
5Check for Referrer-Policy headerThe server should send a Referrer-Policy header to control how much referrer information is shared.The header was not set on 1 of 2 samples tested.✗ FAIL
6Check for Permissions-Policy headerThe server should send a Permissions-Policy header to control which browser features can be used.The header was not set.✗ FAIL
7Check if '_v-consent' cookie has HttpOnly flagThe '_v-consent' cookie should be marked HttpOnly to prevent JavaScript from accessing it, reducing cross-site scripting risks.The HttpOnly flag was not set on the cookie.✗ FAIL
8Cookie "_v-consent" — Secure flagsampled from /Secure attribute setSecure attribute present✓ PASS
9Cookie "_v-consent" — SameSite attributesampled from /SameSite=Strict / Lax / NoneSameSite=Lax✓ PASS
10Check if '_v-anonymous-id' cookie has HttpOnly flagThe '_v-anonymous-id' cookie should be marked HttpOnly to prevent JavaScript from accessing it, reducing cross-site scripting risks.The HttpOnly flag was not set on the cookie.✗ FAIL
11Cookie "_v-anonymous-id" — Secure flagsampled from /Secure attribute setSecure attribute present✓ PASS
12Cookie "_v-anonymous-id" — SameSite attributesampled from /SameSite=Strict / Lax / NoneSameSite=Lax✓ PASS
13Check if '_v-anonymous-id-renewed' cookie has HttpOnly flagThe '_v-anonymous-id-renewed' cookie should be marked HttpOnly to prevent JavaScript from accessing it, reducing cross-site scripting risks.The HttpOnly flag was not set on the cookie.✗ FAIL
14Cookie "_v-anonymous-id-renewed" — Secure flagsampled from /Secure attribute setSecure attribute present✓ PASS
15Cookie "_v-anonymous-id-renewed" — SameSite attributesampled from /SameSite=Strict / Lax / NoneSameSite=Lax✓ PASS
16Mixed Content scan across crawled pagesscanned 15 pages of console messagesNo `http://` resources requested on HTTPS pagesNo Mixed Content messages observed during crawl✓ PASS
TS-A11Y — Accessibility Audit
#Test StepExpected ResultActual ResultStatus
1HTML `lang` attribute presentchecked 15 pagesEvery page sets `<html lang=...>` (screen readers / i18n)All pages declare a lang attribute✓ PASS
2Verify each page has exactly one main headingEvery page should have exactly one H1 tag to clearly identify its primary topic.3 of 15 pages had multiple H1 elements, making the page structure confusing for screen reader users.✗ FAIL
3Verify heading hierarchy is sequentialHeadings should descend in order (H1 to H2 to H3) without skipping levels, so assistive technology users can navigate the page structure.8 of 15 pages skip heading levels, which breaks the logical structure for users relying on assistive technology.■ UX
4Images declare an `alt` attributeinspected 452 images across 15 pagesEvery `<img>` declares meaningful alt text (`alt=""` only for purely decorative images)All images declare a non-empty `alt`✓ PASS
5Verify decorative images use empty alt textImages used purely for decoration should have empty alt text (alt='') so screen readers skip them; images with content should have descriptive alt text.143 images across 15 pages declare empty alt text — these should be reviewed to confirm they are truly decorative.■ UX
6Image resources return 2xxHEAD-checked 30 of 244 unique image srcsEvery `<img src>` resolves to a 2xx responseAll 30 probed images returned 2xx✓ PASS
7Verify all buttons have accessible namesEvery button should have a visible label or aria-label so screen reader users understand its purpose.17 buttons on 2 pages lack an accessible name, making them inaccessible to screen reader users.✗ FAIL
8Verify all links have accessible namesEvery link should have visible text or an aria-label so screen reader users understand where the link goes.34 links across 15 pages lack an accessible name, making them unclear for screen reader users.✗ FAIL
TS-XSS — Static XSS Surface
#Test StepExpected ResultActual ResultStatus
1Text inputs declare a `maxlength` attributeinspected 0 text inputs across 15 pagesEvery text-like input has `maxlength` so payloads cannot exceed a sane sizen/a (no text inputs discovered)✓ PASS
2State-mutating forms carry an anti-CSRF tokeninspected 0 POST/PUT/PATCH/DELETE formsEvery mutating form contains a hidden CSRF / authenticity token inputn/a (no mutating forms discovered)✓ PASS
3No inline event-handler attributesinspected 15 pagesNo `onclick`/`onload`/`onerror`/… attributes in markup (use addEventListener)No inline handlers found✓ PASS
4No `javascript:` URLs in `<a href>` attributesinspected links across 15 pages`<a href>` values never use the `javascript:` schemeNo `javascript:` hrefs found✓ PASS
TS-COOKIE — Cookies & Consent
#Test StepExpected ResultActual ResultStatus
1Verify no tracking cookies are set before user consentThe site should not set any cookies that track user behavior until the user has explicitly consented.All 3 cookies set on first load appear to be tracking cookies, suggesting cookies are set before consent.✗ FAIL
2Verify a cookie consent banner is present on the homepageThe homepage should display a visible cookie or consent banner so users can manage their preferences.No cookie consent banner pattern was detected in the homepage HTML.■ UX
3No third-party cookies set by homepagecompared cookie Domain= against vercel.comAll Set-Cookie Domain attributes point to the same registrable domain as the pageAll cookies are first-party✓ PASS
TS-PAGE — Pagination Structure
#Test StepExpected ResultActual ResultStatus
1Pagination detected on crawled pagesinspected 15 pagesAny paginated listing pages expose next / prev / page-N navigation15 of 15 pages have pagination links✓ PASS
2Next / Prev links never point at the current page15 paginated pagesA page's next / prev links target neighboring pages, not the page itselfAll paginated pages have valid next / prev targets✓ PASS
3Pagination link health (crawler-known statuses)46 pagination links (only crawler-visited URLs evaluated)Pagination links resolve to 2xx / 3xxAll crawler-known pagination targets are 2xx/3xx✓ PASS
TS-AUTHZ — Authorization Boundary
#Test StepExpected ResultActual ResultStatus
1Authorization gate on /adminhttps://vercel.com/adminAdmin page is not publicly accessible.HTTP 200 but body does not look like an admin page (likely a soft-404)✓ PASS
2Verify the /admin/ path is protectedAccessing /admin/ without authentication should block the request with a redirect or error response, not display admin content.The request returned HTTP 308 (redirect to itself), which may indicate incomplete protection.■ UX
3Authorization gate on /admin.phphttps://vercel.com/admin.phpAdmin page is not publicly accessible.HTTP 307 → /auth-redirect/admin.php (login redirect)✓ PASS
4Authorization gate on /administratorhttps://vercel.com/administratorAdmin page is not publicly accessible.HTTP 307 → /auth-redirect/administrator (login redirect)✓ PASS
5Authorization gate on /dashboardhttps://vercel.com/dashboardAdmin page is not publicly accessible.HTTP 307 → /auth-redirect/dashboard (login redirect)✓ PASS
6Verify the /dashboard/ path is protectedAccessing /dashboard/ without authentication should block the request with a redirect or error response, not display dashboard content.The request returned HTTP 308 (redirect to itself), which may indicate incomplete protection.■ UX
7Authorization gate on /wp-adminhttps://vercel.com/wp-adminAdmin page is not publicly accessible.HTTP 307 → /auth-redirect/wp-admin (login redirect)✓ PASS
8Authorization gate on /api/adminhttps://vercel.com/api/adminAdmin page is not publicly accessible.HTTP 404 (path does not exist)✓ PASS
9Authorization gate on /api/usershttps://vercel.com/api/usersAdmin page is not publicly accessible.HTTP 404 (path does not exist)✓ PASS
TS-RATELIMIT — Rate Limit & Duplicate Submit
#Test StepExpected ResultActual ResultStatus
1Check if mutating forms declare idempotency tokensForms that modify data should include a token the server can use to prevent duplicate submissions if a form is submitted twice.No mutating forms were discovered on the site, so this check does not apply.⊘ BLOCKED
2Verify the homepage enforces rate limits under burst requestsWhen the site is accessed repeatedly in quick succession, the server should signal rate limits via HTTP 429 responses or rate-limit headers.All 20 requests in the burst test returned no rate-limit signals, suggesting rate limiting may not be enforced.■ UX
3Check the login endpoint for rate-limit headersThe login endpoint should advertise rate limits via headers so clients know to back off after too many attempts.No login form was discovered on the site, so this check does not apply.⊘ BLOCKED
TS-SEO — SEO & Discoverability
#Test StepExpected ResultActual ResultStatus
1Page `<title>` presentinspected 15 pagesEvery page declares a non-empty `<title>` elementAll pages declare a `<title>`✓ PASS
2Verify page titles are 10–60 charactersPage titles should be between 10 and 60 characters to be fully visible in search results and browser tabs.5 of 15 page titles are out of the recommended range (2 are too long, 3 are too short).✗ FAIL
3Meta description presentinspected 15 pagesEvery page declares a `<meta name="description">` tagAll pages declare a meta description✓ PASS
4Verify meta descriptions are 50–160 charactersMeta descriptions should be 50–160 characters to be fully visible in search results.2 of 15 meta descriptions are outside the recommended range.■ UX
5Canonical URL declaredinspected 15 pagesEvery page declares `<link rel="canonical" href="...">`All pages declare a canonical URL✓ PASS
6Open Graph `og:title` presentinspected 15 pagesEvery page declares `<meta property="og:title">`All pages declare `og:title`✓ PASS
7Open Graph `og:description` presentinspected 15 pagesEvery page declares `<meta property="og:description">`All pages declare `og:description`✓ PASS
8Verify Open Graph image tag is presentEvery page should declare an Open Graph image (og:image) so social media sites display a preview when the page is shared.1 of 15 pages is missing the og:image tag.■ UX
9Page declares at least one `<h1>`inspected 15 pagesEvery page has exactly one `<h1>` (primary page title)Every page declares at least one `<h1>`✓ PASS
10robots.txt exists/robots.txtGET `/robots.txt` returns 2xxHTTP 200✓ PASS
11robots.txt references a Sitemapscanned response bodyrobots.txt body contains a `Sitemap:` directive`Sitemap:` directive present✓ PASS
12sitemap.xml exists/sitemap.xmlGET `/sitemap.xml` returns 2xxHTTP 200✓ PASS
13sitemap.xml is valid XMLchecked for <urlset> / <sitemapindex> rootResponse body parses as `<urlset>` or `<sitemapindex>`valid sitemap structure✓ PASS
TS-SSL — SSL / TLS & Server Headers
#Test StepExpected ResultActual ResultStatus
1HTTPS homepage reachablehttps://vercel.comHEAD https:// returns 2xx or 3xxHTTP 200✓ PASS
2TLS certificate expiryCN=vercel.comCertificate valid for at least 30 more days87 days remaining (valid_to Aug 17 21:36:15 2026 GMT)✓ PASS
3HTTP → HTTPS redirecthttp://vercel.comPlain HTTP serves a 301 / 302 / 307 / 308 to https://HTTP 308 → https://vercel.com/✓ PASS
4Verify server software version is not disclosedServer headers should not reveal the software name or version, as this information can help attackers identify vulnerabilities.The X-Powered-By header reveals 'Next.js, Payload', exposing the technology stack.■ UX
TS-REDIRECT — Redirect Configuration
#Test StepExpected ResultActual ResultStatus
1HTTP → HTTPS redirect chainstart http://vercel.com/1–2 hops landing on the matching https://<host>/ URL1 hop → https://vercel.com/ (HTTP 200)✓ PASS
2www / apex canonicalizationcompared www.vercel.com ↔ vercel.comBoth entrances land on the same canonical hostwww → vercel.com, apex → vercel.com.✓ PASS
TS-META — Meta Tags & PWA Essentials
#Test StepExpected ResultActual ResultStatus
1Verify favicon is declaredThe page head should include a link tag for the favicon so browsers display an icon in the tab.The favicon link tag was not found in the homepage HTML.■ UX
2Apple touch iconhomepage HTML scan`<link rel="apple-touch-icon">` declared in the page head.tag present in homepage HTML✓ PASS
3Structured data (JSON-LD)homepage HTML scanAt least one `<script type="application/ld+json">` block declaring relevant schema.org types.tag present in homepage HTML✓ PASS
4Charset declarationhomepage HTML scan`<meta charset="utf-8">` declared at the top of `<head>`.tag present in homepage HTML✓ PASS
5Web app manifesthomepage declares <link rel="manifest">Either `<link rel="manifest">` referenced (and 2xx) OR `/manifest.json` / `/site.webmanifest` reachableHTTP 200 from /manifest.webmanifest✓ PASS
TS-IMG — Image Optimization
#Test StepExpected ResultActual ResultStatus
1Lazy-loading attribute usageparsed 20 <img> tags on homepage≥25% of homepage <img> tags declare loading="lazy"8 of 20 tags use loading="lazy" (40%)✓ PASS
2Image payload sizeHEAD-checked 20 of 244 unique image srcsEach image transfers ≤ 500 KBAll 20 probed images ≤ 500 KB (or Content-Length unavailable)✓ PASS
3Modern image formats (WebP / AVIF)Content-Type inspection across 20 HEAD responsesAt least some image responses use modern formats (image/webp or image/avif)0 legacy (jpg/png), 0 modern (webp/avif).✓ PASS
TS-CONSOLE — Console Errors
#Test StepExpected ResultActual ResultStatus
1Verify no JavaScript console errors appearThe page should not emit any JavaScript errors to the browser console.59 errors across 5 distinct patterns were logged on 14 pages, indicating JavaScript issues.■ UX
2Check for 'Failed to load resource' errorsResources should load successfully without emitting console errors.A resource returned HTTP 403, failing to load and emitting a console error.✗ FAIL
3Check for Cross-Origin Resource Sharing (CORS) fetch errorsCross-origin requests should not be blocked by CORS policy.A fetch request to 'https://ai-sdk.dev/' was blocked by CORS policy or a redirect error.✗ FAIL
4Check for network errors loading resourcesAll resources should load without network errors.A resource failed to load with a network error.✗ FAIL
5Check for Content Security Policy font-loading violationsFonts should load without violating the Content Security Policy.A font from 'https://k2mkucxia43oc7fa.public.blob.vercel-storage.com/front/fonts/space-mono/sp…' was blocked by the CSP directive.■ UX
6Check for Content Security Policy connection violationsJavaScript connections should not be blocked by the Content Security Policy.A connection to 'https://ai-sdk.dev/' was blocked by the CSP directive.■ UX
TS-EXTLINKS — External Link Health
#Test StepExpected ResultActual ResultStatus
1Check external link https://v0.app/"v0Build applications with AI"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
2Check external link https://community.vercel.com/"CommunityJoin the conversation"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
3Check external link https://nuxt.com/"NuxtThe progressive web framework"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
4Check external link https://svelte.dev/"SvelteThe web’s efficient UI framework"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
5Check external link https://ai-sdk.dev/"AI SDK"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
6Check external link https://workflow-sdk.dev/"Workflow SDKNew"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
7Check external link https://flags-sdk.dev/"Flags SDK"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
8Check external link https://chat-sdk.dev/"Chat SDK"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
9Check external link https://streamdown.ai/"Streamdown AINew"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
10Check external link https://github.com/vercel"GitHub"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
11Check external link https://linkedin.com/company/vercel"LinkedIn"External link is reachable.Link redirects (HTTP 301).✓ PASS
12Verify external link https://x.com/vercel is reachableThe external link should be accessible or return a valid response code.The link returned HTTP 403 (Forbidden) in 0.12 seconds, indicating access restrictions.■ UX
13Check external link https://youtube.com/@VercelHQ"YouTube"External link is reachable.Link redirects (HTTP 301).✓ PASS
14Check external link https://vercel-status.com/"All systems normal."External link is reachable.Link redirects (HTTP 301).✓ PASS
15Check external link https://ai-sdk.dev/getting-started"AI SDK documentation"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
16Check external link https://vercel.com/ossreferenced from https://vercel.com/ai-sdkExternal link is reachable.Link resolves correctly (HTTP 200).✓ PASS
17Check external link https://vercel.com/ai-gateway"AI GatewayGateway"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
18Check external link https://github.com/vercel/ai"GitHub"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
19Verify external link https://github.com/vercel/ai/discussions is reachableThe external link should be accessible or return a valid response code.The link returned HTTP 404 (Not Found) in 0.24 seconds, indicating the page no longer exists.✗ FAIL
20Check external link https://vercel.com/contact"Contact"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
21Check external link https://vercel.com/ai-gateway/models"supported LLM models"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
22Check external link https://vercel.com/sandboxreferenced from https://vercel.com/ai-sdkExternal link is reachable.Link resolves correctly (HTTP 200).✓ PASS
23Check external link https://vercel.com/workflowreferenced from https://vercel.com/ai-sdkExternal link is reachable.Link redirects (HTTP 308).✓ PASS
24Check external link https://elements.ai-sdk.dev/referenced from https://vercel.com/ai-sdkExternal link is reachable.Link resolves correctly (HTTP 200).✓ PASS
25Check external link https://vercel.com/templates"Templates"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
26Check external link https://vercel.com/docs/frameworks"Supported frameworks"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
27Check external link https://vercel.com/marketplace"Marketplace"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
28Check external link https://vercel.com/domains"Domains"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
29Check external link https://vercel.com/frameworks/nextjs"Next.js on Vercel"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
30Check external link https://vercel.com/solutions/turborepo"Turborepo"External link is reachable.Link resolves correctly (HTTP 200).✓ PASS
31External links beyond initial sample not checkedA representative sample of external links is tested; remaining links deferred due to probe limits.More than 50 external links were not probed due to the automation limit.■ UX
TS-OPENREDIR — Open Redirect Surface
#Test StepExpected ResultActual ResultStatus
1?redirect=<external> redirect handlinghttps://vercel.com/?redirect=https%3A%2F%2Fevil.example%2Fphishing-testServer ignores or strips off-origin redirect targetsHTTP 200 (no Location)✓ PASS
2?next=<external> redirect handlinghttps://vercel.com/?next=https%3A%2F%2Fevil.example%2Fphishing-testServer ignores or strips off-origin redirect targetsHTTP 200 (no Location)✓ PASS
3?url=<external> redirect handlinghttps://vercel.com/?url=https%3A%2F%2Fevil.example%2Fphishing-testServer ignores or strips off-origin redirect targetsHTTP 200 (no Location)✓ PASS
4?return=<external> redirect handlinghttps://vercel.com/?return=https%3A%2F%2Fevil.example%2Fphishing-testServer ignores or strips off-origin redirect targetsHTTP 200 (no Location)✓ PASS
5?returnUrl=<external> redirect handlinghttps://vercel.com/?returnUrl=https%3A%2F%2Fevil.example%2Fphishing-testServer ignores or strips off-origin redirect targetsHTTP 200 (no Location)✓ PASS
TS-AUTH — Authentication Form Structure
#Test StepExpected ResultActual ResultStatus
1Verify a login form is discoverableThe site should have at least one login form so user authentication can be tested.No login form was found on any crawled page.⊘ BLOCKED
TS-API — API Responses
#Test StepExpected ResultActual ResultStatus
1API responses return 2xx/3xx68 XHR/fetch responses on https://vercel.com/All API responses return 2xx / 3xxAll 68 responses 2xx/3xx✓ PASS
2API responses under 2s68 XHR/fetch responsesEvery API response completes in ≤ 2000 msAll responses under threshold✓ PASS
3Check API responses declare a `Content-Type` header68 XHR/fetch responsesEvery API response sets a `Content-Type` headerAll responses declare a Content-Type✓ PASS
4API response bodies do not expose stack traces68 XHR/fetch responsesResponse bodies never contain server stack traces / debug error detailsNo stack traces detected in response bodies✓ PASS
TS-ERR — Error Page & 404 Handling
#Test StepExpected ResultActual ResultStatus
1Verify /xyz returns a 404 error pageRequesting a non-existent path should return an HTTP 4xx error with a branded error page that matches the site design.The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.✗ FAIL
2Verify /__qa_explorer_404_probe_* returns a 404 error pageRequesting a non-existent path should return an HTTP 4xx error with a branded error page that matches the site design.The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.✗ FAIL
3Verify /page-not-found?q=<payload> returns a 404 error pageRequesting a non-existent path should return an HTTP 4xx error with a branded error page that matches the site design.The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page. Response time was 0.31 s.✗ FAIL
4Verify /aaaa… (500-char repeat) returns a 404 error pageRequesting a path with an extremely long URL should return an HTTP 4xx error with a branded error page that matches the site design.The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.✗ FAIL
5Verify /test'<sql-payload> returns a 404 error pageRequesting a path with SQL injection patterns should return an HTTP 4xx error with a branded error page that matches the site design.The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.✗ FAIL
TS-CTA — Primary CTA Tests
#Test StepExpected ResultActual ResultStatus
1Click link "Log In" → /loginclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/login (HTTP 200)✓ PASS
2Click the 'Sign Up' link to navigate to /signupThe link should be clickable and the page should navigate to the sign-up page.The click action timed out after 3 seconds, indicating the link was not responsive or not in the expected location.⊘ BLOCKED
3Click link "Learn more" → /fluidclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/fluid✓ PASS
4Click link "Get Started" → /dclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/login?next=%2Fd%3Fto%3D%252F%255Bteam%255D%252F%257E%252Fsan… (HTTP 200)✓ PASS
5Click link "Get Started" → /dclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/login?next=%2Fd%3Fto%3D%252F%255Bteam%255D%252F%257E%252Fver… (HTTP 200)✓ PASS
6Click the 'Sign in with Vercel' buttonThe button should be clickable and present in the page.The button is no longer in the DOM, likely because it was rendered after the initial page load by client-side JavaScript.⊘ BLOCKED
7Click the 'Get Started' link to navigate to /docsClicking the link should not produce any JavaScript errors.A 'Failed to fetch' error was thrown when the link was clicked.✗ FAIL
8Click link "Contact sales" → /contact/salesclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/contact/sales✓ PASS
9Click link "Learn More" → /docs/vercel-firewallclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/docs/vercel-firewall (HTTP 200)✓ PASS
10Click link "Learn more" → /botidclick navigates to destinationCTA produces a navigation, modal, or DOM updateNavigated to https://vercel.com/docs/vercel-firewall (HTTP 200)✓ PASS
TS-SEARCH — Search Behavior
#Test StepExpected ResultActual ResultStatus
1Verify a search form is discoverableThe site should have at least one search form so search functionality can be tested.No search form was found on any crawled page.⊘ BLOCKED
TS-ERROR — Error & Resilience Handling
#Test StepExpected ResultActual ResultStatus
1Verify a service worker is registeredOptionally, a registered service worker enables offline browsing, push notifications, and background synchronization.No service worker was registered on the sample page.■ UX
2Verify the page displays gracefully when offlineWhen the browser is offline, the page should show a branded offline message or cached content instead of a generic browser error.The page failed to load offline, showing a generic 'net::ERR_INTERNET_DISCONNECTED' error rather than a graceful offline state.✗ FAIL
3Verify a loading indicator appears during slow navigationWhile the page is loading, a spinner or loading message should be visible to reassure the user that content is on the way.No loading spinner or progress indicator was detected during slow navigation.■ UX
TS-PERF — Performance & Core Web Vitals
#Test StepExpected ResultActual ResultStatus
1FCP · /≤1.8s good · ≤3.0s needs improvement0.23s✓ PASS
2LCP · /≤2.5s good · ≤4.0s needs improvement0.23s✓ PASS
3CLS · /≤0.1 good · ≤0.25 needs improvement0.000✓ PASS
4Measure DOM complexity on the homepageThe homepage should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.The homepage contains 3195 DOM elements, exceeding the recommended limit.✗ FAIL
5Measure page weight on the homepageThe homepage should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.The homepage weighs 3.70 MB, exceeding the good threshold.■ UX
6FCP · /ai-gateway≤1.8s good · ≤3.0s needs improvement0.31s✓ PASS
7LCP · /ai-gateway≤2.5s good · ≤4.0s needs improvement0.31s✓ PASS
8CLS · /ai-gateway≤0.1 good · ≤0.25 needs improvement0.000✓ PASS
9Measure DOM complexity on /ai-gatewayThe page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.The page contains 2539 DOM elements, which is within acceptable range but toward the higher end.■ UX
10Measure page weight on /ai-gatewayThe page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.The page weighs 4.21 MB, exceeding the good threshold but within acceptable range.■ UX
11FCP · /products/previews≤1.8s good · ≤3.0s needs improvement0.24s✓ PASS
12LCP · /products/previews≤2.5s good · ≤4.0s needs improvement0.24s✓ PASS
13CLS · /products/previews≤0.1 good · ≤0.25 needs improvement0.000✓ PASS
14Measure DOM complexity on /products/previewsThe page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.The page contains 2416 DOM elements, which is acceptable but on the higher side.■ UX
15Measure page weight on /products/previewsThe page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.The page weighs 3.79 MB, exceeding the good threshold.■ UX
16FCP · /products/observability≤1.8s good · ≤3.0s needs improvement0.23s✓ PASS
17LCP · /products/observability≤2.5s good · ≤4.0s needs improvement0.23s✓ PASS
18CLS · /products/observability≤0.1 good · ≤0.25 needs improvement0.000✓ PASS
19Measure DOM complexity on /products/observabilityThe page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.The page contains 3479 DOM elements, exceeding the acceptable limit.✗ FAIL
20Measure page weight on /products/observabilityThe page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.The page weighs 3.93 MB, exceeding the good threshold.■ UX
21FCP · /botid≤1.8s good · ≤3.0s needs improvement0.22s✓ PASS
22LCP · /botid≤2.5s good · ≤4.0s needs improvement0.22s✓ PASS
23CLS · /botid≤0.1 good · ≤0.25 needs improvement0.000✓ PASS
24Measure DOM complexity on /botidThe page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.The page contains 2280 DOM elements, which is acceptable.■ UX
25Measure page weight on /botidThe page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.The page weighs 3.76 MB, exceeding the good threshold.■ UX
TS-RESPONSIVE — Responsive Layout Checks
#Test StepExpected ResultActual ResultStatus
1Test homepage responsiveness on mobile (375×812)The homepage should display without horizontal overflow, have no clipped text, and all interactive elements should be at least 44 pixels tall.No horizontal overflow observed. However, 4 elements are clipped, and 88 of 101 touch targets are smaller than the recommended 44 pixels.■ UX
2Test homepage responsiveness on tablet (768×1024)The homepage should display without horizontal overflow and have no clipped text.No horizontal overflow observed, but 1 element is clipped.■ UX
3Test homepage responsiveness on desktop (1440×900)The homepage should display without horizontal overflow and have no clipped text.No horizontal overflow observed, but 1 element is clipped.■ UX
4Test /products/previews responsiveness on mobile (375×812)The page should display without horizontal overflow, have no clipped text, and all interactive elements should be at least 44 pixels tall.No horizontal overflow observed. However, 2 elements are clipped, and 69 of 73 touch targets are smaller than the recommended 44 pixels.■ UX
5Test /products/previews responsiveness on tablet (768×1024)The page should display without horizontal overflow and have no clipped text.No horizontal overflow observed, but 2 elements are clipped.■ UX
6Test /products/previews responsiveness on desktop (1440×900)The page should display without horizontal overflow and have no clipped text.No horizontal overflow observed, but 3 elements are clipped.■ UX
7Test /botid responsiveness on mobile (375×812)The page should display without horizontal overflow, have no clipped text, and all interactive elements should be at least 44 pixels tall.No horizontal overflow observed. However, 2 elements are clipped, and 70 of 78 touch targets are smaller than the recommended 44 pixels.■ UX
8Test /botid responsiveness on tablet (768×1024)The page should display without horizontal overflow and have no clipped text.No horizontal overflow observed, but 2 elements are clipped.■ UX
9Test /botid responsiveness on desktop (1440×900)The page should display without horizontal overflow and have no clipped text.No horizontal overflow observed, but 2 elements are clipped.■ UX
10Viewport meta tagcaptured once on the first sample page`<meta name="viewport" content="width=device-width, ...">`Present, width=device-width, initial-scale=1, maximum-scale=1.✓ PASS
TS-STATE — State & Navigation
#Test StepExpected ResultActual ResultStatus
1Deep-link navigation to inner pagehttps://vercel.com/homeDirect GET on the inner URL renders contentLoaded, HTTP 200, body length 5237.✓ PASS
2Browser back returns to a working previous pagehttps://vercel.com/ → https://vercel.com/home → backGoing back re-renders the previous page (no blank / error screen)Back, HTTP 200, body length 5237.✓ PASS
3Page reload renders cleanlyhttps://vercel.com/homeReload renders the page without errorsReloaded, HTTP 200, body length 5237.✓ PASS
4Inner pages have unique meaningful URLsinspected first 5 inner pagesEach inner page has its own path-based URL (not just a `#` fragment on the homepage)All 5 URLs unique✓ PASS
TS-CONTRAST — Color Contrast (WCAG 2.1)
#Test StepExpected ResultActual ResultStatus
1Measure color contrast on the homepageAll text should meet WCAG 2.1 color contrast standards (at least 4.5:1 for normal text, 3:1 for large text).1 of 50 sampled text elements falls below the required contrast ratio.✗ FAIL
2Measure color contrast on /products/previewsAll text should meet WCAG 2.1 color contrast standards (at least 4.5:1 for normal text, 3:1 for large text).3 of 48 sampled text elements fall below the required contrast ratio.✗ FAIL
3Measure color contrast on /botidAll text should meet WCAG 2.1 color contrast standards (at least 4.5:1 for normal text, 3:1 for large text).3 of 48 sampled text elements fall below the required contrast ratio.✗ FAIL
4Bug Summary Matrix
A consolidated dashboard view of every unique finding from this scan. Detailed entries follow in the next section.
IDTitleSeverityPriorityStatus
BUG-001Pre-consent cookie firing with no visible banner — GDPR/CCPA violationCriticalP1• New
BUG-002Color contrast failures (site-wide)HighP1• New
BUG-00359 console errors across 14 pages indicate systemic JS runtime failuresHighP1• New
BUG-004Client-side routing returns HTTP 200 for all unknown paths — no real 404HighP1• New
BUG-005CTA click triggers a JavaScript errorHighP1• New
BUG-006Cookie "_v-anonymous-id-renewed" missing HttpOnly flagHighP1• New
BUG-007Cookie "_v-anonymous-id" missing HttpOnly flagHighP1• New
BUG-008Cookie "_v-consent" missing HttpOnly flagHighP1• New
BUG-009Missing security headers inconsistent across pages — edge config gapHighP1• New
BUG-010Undersized touch targets on mobileHighP1• New
BUG-011Buttons without an accessible nameMediumP2• New
BUG-012Links without an accessible nameMediumP2• New
BUG-013Multiple `<h1>` elements on the same pageMediumP2• New
BUG-014Broken and unverifiable social/external links undermine content credibilityMediumP2• New
BUG-015Console error: Cross-origin fetch blocked by browser policyMediumP2• New
BUG-016Console error: Failed to load resource with HTTP error statusMediumP2• New
BUG-017Console error: Network request failed (net::ERR_FAILED)MediumP2• New
BUG-018External link returns 404MediumP2• New
BUG-019No offline / cached state on sample pageMediumP2• New
BUG-020Page weight and DOM size bloat across multiple product pagesMediumP2• New
BUG-021CSP violations from first-party resources indicate misconfigured policyMediumP2• New
BUG-022Missing security response headersMediumP2• New
BUG-023No cookie / consent banner detected in homepage HTMLMediumP2• New
BUG-024Server software disclosed via X-Powered-By headerMediumP2• New
BUG-025Tracking cookies set before user consentMediumP2• New
BUG-026Images with empty `alt=""` (verify decorative intent)LowP3• New
BUG-027Skipped heading levels in page hierarchyLowP3• New
BUG-028Console error: Connection blocked by Content-Security-PolicyLowP3• New
BUG-029Console error: Font blocked by Content-Security-PolicyLowP3• New
BUG-030No service worker registered (no offline support)LowP3• New
BUG-031Heavy page weightLowP3• New
BUG-032Oversized DOMLowP3• New
BUG-033No rate-limit signal observed on homepage burstLowP3• New
BUG-034Content clipped at Desktop (1440px)LowP3• New
BUG-035Content clipped at Mobile (375px)LowP3• New
BUG-036Content clipped at Tablet (768px)LowP3• New
BUG-037Missing favicon linkLowP3• New
BUG-038Missing SEO metadataLowP3• New
BUG-039Page title too long (longest 67 chars)LowP3• New
5Detailed Bug Reports
Each finding's BUG-NNN identifier matches its row in the Bug Summary Matrix.
BUG-001 Pre-consent cookie firing with no visible banner — GDPR/CCPA violation
Critical P1 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open an incognito browser window and navigate to https://vercel.com/
  2. Immediately open DevTools → Application → Cookies before any interaction
  3. Observe _v-consent, _v-anonymous-id, and _v-anonymous-id-renewed already set
  4. Confirm no cookie consent banner or modal is visible or present in the DOM
Expected Result
No non-essential cookies should be set until the user has been shown a consent banner and made an affirmative choice; the _v-consent cookie should only be written after consent is given.
Actual Result
All 3 detected cookies are set pre-consent on every page load; no consent banner pattern was found in homepage HTML, meaning users are never shown a choice.
BUG-002 Color contrast failures (site-wide)
High P1 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in DevTools → Inspect
  2. Locate the element matching `span.px-1.h-5`
  3. In the Styles pane, hover the computed `color` value — DevTools renders the live contrast ratio
  4. Adjust either color (typically darkening the foreground) until the ratio clears the threshold
Expected Result
Contrast ratio should be at least 4.5:1 for normal body text (3:1 for large text 18pt+ or 14pt bold+).
Actual Result
Text "'openai/gpt-5.5'" has contrast ratio 4.13:1 (blue text on light blue background) on https://vercel.com/.
BUG-003 59 console errors across 14 pages indicate systemic JS runtime failures
High P1 • New
https://vercel.com/ (Desktop)
Steps to Reproduce
  1. Open Chrome DevTools Console on https://vercel.com/
  2. Set filter to 'Errors'
  3. Reload the page without cache
  4. Observe multiple console errors including 403 resource failures and CORS violations
  5. Repeat on https://vercel.com/home and https://vercel.com/ai-sdk to confirm the pattern is site-wide
Expected Result
A production marketing site should have zero console errors on standard page loads; any third-party or analytics failures should be silently caught and not pollute the console.
Actual Result
59 errors across 5 patterns on 14 of 15 pages including 403 resource failures, CORS redirect blocks to ai-sdk.dev, ERR_FAILED network errors, font CSP violations, and WebSocket/connection CSP violations.
BUG-004 Client-side routing returns HTTP 200 for all unknown paths — no real 404
High P1 • New
https://vercel.com/xyz (Desktop)
Steps to Reproduce
  1. In a browser or curl, request https://vercel.com/this-page-does-not-exist
  2. Observe the HTTP response status is 200, not 404
  3. Inspect the response body — it does not contain a recognizable Vercel-branded 404 error page
  4. Repeat with https://vercel.com/aaaa (500 'a' characters) — same result
Expected Result
Requests for non-existent pages should return HTTP 404 with a branded, user-friendly error page to inform users, prevent SEO index pollution, and enable accurate uptime monitoring.
Actual Result
All 5 not-found probes returned HTTP 200 with a non-branded response body, confirming the server never signals a missing resource.
BUG-005 CTA click triggers a JavaScript error
High P1 • New
https://vercel.com/ai-sdk (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ai-sdk in a browser with DevTools → Console open
  2. Locate the link labeled "Get Started"
  3. Click it
  4. Observe console error: "Failed to fetch"
Expected Result
Clicking the CTA should trigger its intended action with no JavaScript errors.
Actual Result
Clicking "Get Started" (link) on https://vercel.com/ai-sdk produced a "Failed to fetch" JavaScript error.
BUG-006 Cookie "_v-anonymous-id-renewed" missing HttpOnly flag
High P1 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. curl -I 'https://vercel.com/'
  2. Locate the 'Set-Cookie' response header for the cookie named "_v-anonymous-id-renewed"
  3. Confirm the HttpOnly flag is absent
Expected Result
All cookies should include the HttpOnly flag (e.g., Set-Cookie: name=value; HttpOnly; Secure; SameSite=Lax).
Actual Result
Cookie "_v-anonymous-id-renewed" observed on https://vercel.com/ is missing the HttpOnly flag in its Set-Cookie response header.
BUG-007 Cookie "_v-anonymous-id" missing HttpOnly flag
High P1 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. curl -I 'https://vercel.com/'
  2. Locate the 'Set-Cookie' response header for the cookie named "_v-anonymous-id"
  3. Confirm the HttpOnly flag is absent
Expected Result
All cookies should include the HttpOnly flag (e.g., Set-Cookie: name=value; HttpOnly; Secure; SameSite=Lax).
Actual Result
Cookie "_v-anonymous-id" observed on https://vercel.com/ is missing the HttpOnly flag in its Set-Cookie response header.
BUG-008 Cookie "_v-consent" missing HttpOnly flag
High P1 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. curl -I 'https://vercel.com/'
  2. Locate the 'Set-Cookie' response header for the cookie named "_v-consent"
  3. Confirm the HttpOnly flag is absent
Expected Result
All cookies should include the HttpOnly flag (e.g., Set-Cookie: name=value; HttpOnly; Secure; SameSite=Lax).
Actual Result
Cookie "_v-consent" observed on https://vercel.com/ is missing the HttpOnly flag in its Set-Cookie response header.
BUG-009 Missing security headers inconsistent across pages — edge config gap
High P1 • New
https://vercel.com/ (Desktop)
Steps to Reproduce
  1. Open DevTools Network tab on https://vercel.com/
  2. Reload the page and inspect the response headers for the document request
  3. Note the absence of Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy
  4. Repeat on a second internal page and compare — headers present on one, absent on another
Expected Result
All pages should consistently return the full set of recommended security response headers regardless of which origin or route serves them.
Actual Result
1 of 2 sampled pages is missing CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy; Permissions-Policy is absent on all sampled pages, meaning the gap is partial and route-dependent.
BUG-010 Undersized touch targets on mobile
High P1 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in Chrome DevTools at device width 375px
  2. Highlight each interactive element in turn and check its bounding-box dimensions
  3. Increase padding so the bounding box is ≥ 44×44 px
Expected Result
All interactive elements should be at least 44×44 pixels at the mobile viewport.
Actual Result
88 of 101 interactive elements are below 44px on mobile (375×812). Examples: menu button (90×18px), toggle button (32×32px).
BUG-011 Buttons without an accessible name
Medium P2 • New
https://vercel.com/ai-sdk (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ai-sdk in DevTools → Elements tab
  2. Run `[...document.querySelectorAll('button')].filter(b => !b.innerText.trim() && !b.getAttribute('aria-label'))` in Console
  3. Add an `aria-label` describing the action to each match
Expected Result
Each button must have a visible label or an `aria-label` attribute (e.g., `<button aria-label="Close">×</button>`).
Actual Result
17 of 273 buttons have neither visible text nor aria-label across 2 crawled pages.
BUG-012 Links without an accessible name
Medium P2 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in DevTools → Elements tab
  2. Run `[...document.querySelectorAll('a[href]')].filter(a => !a.innerText.trim() && !a.getAttribute('aria-label') && !a.querySelector('img[alt]'))` in Console
  3. Add visible text, `aria-label`, or an inner `<img alt>` to each match
Expected Result
Each link must have a visible label, an `aria-label`, or an image with alt text describing the destination.
Actual Result
34 of 1787 links lack an accessible name across 15 crawled pages.
BUG-013 Multiple `<h1>` elements on the same page
Medium P2 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in DevTools → Elements tab
  2. Search the DOM for `h1` elements
  3. Confirm 2 <h1> elements are present
  4. Promote one as the page title; demote the rest to <h2>
Expected Result
Exactly one `<h1>` element per page.
Actual Result
3 of 15 crawled pages contain multiple <h1> elements (for example, 2 on https://vercel.com/).
BUG-014 Broken and unverifiable social/external links undermine content credibility
Medium P2 • New
https://vercel.com/ai-sdk (Desktop)
Steps to Reproduce
  1. Navigate to https://vercel.com/ai-sdk
  2. Find and click the GitHub Discussions community link
  3. Observe the GitHub 404 page
  4. Separately, attempt to visit https://x.com/vercel — observe access restriction
Expected Result
All externally linked URLs on product pages should resolve successfully; community and documentation links are especially critical on developer-focused pages.
Actual Result
https://github.com/vercel/ai/discussions returns HTTP 404; https://x.com/vercel returns HTTP 403; the GitHub link is a hard failure on the AI SDK product page.
BUG-015 Console error: Cross-origin fetch blocked by browser policy
Medium P2 • New
https://vercel.com/home (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/home in Chrome DevTools → Console
  2. Reload the page with the console open
  3. Locate the matching error entry and follow the stack trace into the source
  4. Fix the failing call or guard against the input that triggered it
Expected Result
Cross-origin requests should be explicitly permitted via CORS headers or use same-origin requests.
Actual Result
13 instances of blocked fetch requests (attempting to reach 'https://ai-sdk.dev/' from 'https://vercel.com/...') across 13 pages.
BUG-016 Console error: Failed to load resource with HTTP error status
Medium P2 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in Chrome DevTools → Console
  2. Reload the page with the console open
  3. Locate the matching error entry and follow the stack trace into the source
  4. Fix the failing call or guard against the input that triggered it
Expected Result
All referenced resources should load successfully (HTTP 2xx or valid 3xx redirects).
Actual Result
28 instances of "Failed to load resource: the server responded with a status of 403" across 14 pages. First observed on https://vercel.com/.
BUG-017 Console error: Network request failed (net::ERR_FAILED)
Medium P2 • New
https://vercel.com/home (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/home in Chrome DevTools → Console
  2. Reload the page with the console open
  3. Locate the matching error entry and follow the stack trace into the source
  4. Fix the failing call or guard against the input that triggered it
Expected Result
All network requests should complete successfully.
Actual Result
13 instances of "Failed to load resource: net::ERR_FAILED" across 13 pages. First observed on https://vercel.com/home.
BUG-018 External link returns 404
Medium P2 • New
https://vercel.com/ai-sdk (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ai-sdk in a browser
  2. Click the link to https://github.com/vercel/ai/discussions
  3. Observe HTTP 404
  4. Update the link target or remove the reference
Expected Result
Outbound links should point to pages that exist and respond with HTTP 2xx (or valid 3xx redirects).
Actual Result
https://github.com/vercel/ai/discussions returned HTTP 404.
BUG-019 No offline / cached state on sample page
Medium P2 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/
  2. Open DevTools → Network → toggle 'Offline'
  3. Reload and observe what the user sees
  4. Implement a service worker that caches the shell, or render an offline fallback page
Expected Result
Offline navigation should display either a cached version of the page or a branded offline message.
Actual Result
Offline navigation to https://vercel.com/ resulted in a browser error: net::ERR_INTERNET_DISCONNECTED.
BUG-020 Page weight and DOM size bloat across multiple product pages
Medium P2 • New
https://vercel.com/ai-gateway (Desktop)
Steps to Reproduce
  1. Open Chrome DevTools → Network tab, disable cache, and navigate to https://vercel.com/ai-gateway
  2. Check the total transferred size in the Network summary bar — observe ~4.21 MB
  3. Open DevTools Console and run: document.querySelectorAll('*').length — observe ~2539
  4. Repeat on https://vercel.com/products/previews and https://vercel.com/
Expected Result
Pages should transfer under 1.5 MB and maintain fewer than 1500 DOM nodes to meet Google's Lighthouse performance budgets and ensure fast Time to Interactive on mid-range devices.
Actual Result
/ai-gateway transfers 4.21 MB with 2539 DOM nodes; /products/previews transfers 3.79 MB with 2416 DOM nodes; the homepage DOM alone has 3195 nodes, all flagged as exceeding thresholds.
BUG-021 CSP violations from first-party resources indicate misconfigured policy
Medium P2 • New
https://vercel.com/home (Desktop)
Steps to Reproduce
  1. Open DevTools Console on https://vercel.com/home
  2. Observe CSP violation errors referencing https://k2mkucxia43oc7fa.public.blob.vercel-storage.com and https://ai-sdk.dev/
  3. Cross-reference with the Network tab to confirm those resources fail to load
  4. Note that on other pages the CSP header is entirely absent, creating an inconsistent policy surface
Expected Result
A correctly configured CSP should allow all legitimate first-party fonts and known third-party API connections while blocking unknown origins; no first-party resources should be CSP-blocked in production.
Actual Result
Console shows 'Loading the font violates the following Content Security Policy directive' for a Vercel blob storage URL, and 'Connecting to https://ai-sdk.dev/ violates the following Content Security Policy directive', causing resource load failures on production pages.
BUG-022 Missing security response headers
Medium P2 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. curl -I 'https://vercel.com/'
  2. Inspect the response headers — 'Content-Security-Policy' should be present
  3. (Most security headers are configured at the web-server or CDN layer; check the deployment platform's docs.)
Expected Result
Every page response should include a Content-Security-Policy header that restricts script sources.
Actual Result
Content-Security-Policy header is not present on responses from this site (1 of 2 pages sampled).
BUG-023 No cookie / consent banner detected in homepage HTML
Medium P2 • New
https://vercel.com (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in a private window (no prior session)
  2. Verify whether a consent banner appears
  3. If only after-JS, consider server-side rendering it so static crawlers / accessibility tools see it
Expected Result
A cookie / consent banner should be visible in the initial page HTML or appear immediately on load.
Actual Result
Homepage HTML response did not contain any of the standard consent-banner selectors (e.g., `.cookie-banner`, `.cookie-consent`).
BUG-024 Server software disclosed via X-Powered-By header
Medium P2 • New
https://vercel.com (Desktop + Mobile)
Steps to Reproduce
  1. curl -I 'https://vercel.com/'
  2. Confirm the X-Powered-By response header is present and discloses the software
  3. Configure the server / reverse proxy to remove or anonymize the header
Expected Result
The `X-Powered-By` header should be absent or contain no version or framework identifiers.
Actual Result
X-Powered-By header reveals: Next.js, Payload
BUG-025 Tracking cookies set before user consent
Medium P2 • New
https://vercel.com (Desktop + Mobile)
Steps to Reproduce
  1. curl -I 'https://vercel.com/'
  2. Inspect the `Set-Cookie` response headers
  3. Cross-check each cookie name against the strict-necessary list
  4. Move tracking cookies behind a consent gate (or implement one)
Expected Result
Tracking and analytics cookies should only be set after the user accepts them in a consent banner.
Actual Result
3 cookies set on first load (names: _v-consent, _v-anonymous-id, _v-anonymous-id-renewed) before user consent.
BUG-026 Images with empty `alt=""` (verify decorative intent)
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in DevTools → Elements tab
  2. Run `[...document.querySelectorAll('img[alt=""]')]` in Console
  3. Review each — replace empty alt with descriptive text on non-decorative images
Expected Result
Empty alt text only on images that are purely decorative or redundant.
Actual Result
143 of 452 images use empty alt text across 15 crawled pages. Review each to confirm it is decorative.
BUG-027 Skipped heading levels in page hierarchy
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in DevTools
  2. Run `[...document.querySelectorAll('h1,h2,h3,h4,h5,h6')].map(h => h.tagName)` in Console
  3. Confirm at least one adjacent pair skips a level (e.g. H1 followed by H3)
  4. Rebalance: demote skipped levels or insert the missing intermediate heading
Expected Result
Heading levels should descend without gaps (e.g., h1, h2, h3 in order).
Actual Result
8 of 15 crawled pages skip at least one heading level in their hierarchy.
BUG-028 Console error: Connection blocked by Content-Security-Policy
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in Chrome DevTools → Console
  2. Reload the page with the console open
  3. Locate the matching error entry and follow the stack trace into the source
  4. Fix the failing call or guard against the input that triggered it
Expected Result
Required external domains should be listed in the CSP's `connect-src` directive.
Actual Result
1 instance of a blocked connection to 'https://ai-sdk.dev/' due to CSP restrictions (https://vercel.com/).
BUG-029 Console error: Font blocked by Content-Security-Policy
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in Chrome DevTools → Console
  2. Reload the page with the console open
  3. Locate the matching error entry and follow the stack trace into the source
  4. Fix the failing call or guard against the input that triggered it
Expected Result
Font sources should be permitted in the CSP, or fonts should be self-hosted.
Actual Result
4 instances of font-loading failures due to CSP violations across 1 page (https://vercel.com/).
BUG-030 No service worker registered (no offline support)
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ → DevTools → Application → Service workers
  2. Confirm no service worker is registered
  3. (Optional) Register a service worker to enable offline caching and faster repeat loads
Expected Result
A service worker should be registered to cache content and enable offline access.
Actual Result
No service worker registrations detected on https://vercel.com/.
BUG-031 Heavy page weight
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in Chrome DevTools → Lighthouse → Performance
  2. Run an audit and confirm the Weight metric exceeds the "good" threshold
  3. Compare against ≤3 MB good · ≤5 MB needs improvement thresholds (Google Core Web Vitals)
Expected Result
Page weight should not exceed 3 MB (5 MB is considered a hard fail).
Actual Result
https://vercel.com/ requires 3.70 MB of data to load (verdict: UX concern).
BUG-032 Oversized DOM
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in Chrome DevTools → Lighthouse → Performance
  2. Run an audit and confirm the DOM metric exceeds the "good" threshold
  3. Compare against ≤1500 elements good · ≤3000 needs improvement thresholds (Google Core Web Vitals)
Expected Result
DOM size should not exceed 1,500 elements (up to 3,000 is acceptable with mitigation).
Actual Result
https://vercel.com/ contains 3,195 DOM elements.
BUG-033 No rate-limit signal observed on homepage burst
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Fire 20 parallel GET https://vercel.com/
  2. Inspect each response status + headers for 429 / X-RateLimit-* / Retry-After
  3. Add rate limiting at the CDN / edge / framework layer
Expected Result
Server should return HTTP 429 (Too Many Requests) or `X-RateLimit-*` / `Retry-After` headers when request rates are exceeded.
Actual Result
20 parallel requests to the homepage all succeeded with no rate-limit signal.
BUG-034 Content clipped at Desktop (1440px)
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ and resize the browser to 1440×900
  2. Inspect the first offender element and verify its computed `overflow` is `hidden`
  3. Compare `scrollWidth` vs `clientWidth` in DevTools → Properties tab
  4. Replace `overflow: hidden` with a wrapping rule, or add `text-overflow: ellipsis`
Expected Result
Text should fit the visible area or be truncated with `text-overflow: ellipsis`.
Actual Result
1 element clips content on desktop (1440px width): grid block (359px → 359px).
BUG-035 Content clipped at Mobile (375px)
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ and resize the browser to 375×812
  2. Inspect the first offender element and verify its computed `overflow` is `hidden`
  3. Compare `scrollWidth` vs `clientWidth` in DevTools → Properties tab
  4. Replace `overflow: hidden` with a wrapping rule, or add `text-overflow: ellipsis`
Expected Result
Text should fit the visible area or be truncated with `text-overflow: ellipsis`.
Actual Result
4 elements clip content on mobile (375px width). Examples: hero grid wrapper (342px → 469px), grid block (341px), screen-reader-only region (293px → 499px).
BUG-036 Content clipped at Tablet (768px)
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ and resize the browser to 768×1024
  2. Inspect the first offender element and verify its computed `overflow` is `hidden`
  3. Compare `scrollWidth` vs `clientWidth` in DevTools → Properties tab
  4. Replace `overflow: hidden` with a wrapping rule, or add `text-overflow: ellipsis`
Expected Result
Text should fit the visible area or be truncated with `text-overflow: ellipsis`.
Actual Result
1 element clips content on tablet (768px width): grid block (367px → 367px).
BUG-037 Missing favicon link
Low P3 • New
https://vercel.com (Desktop + Mobile)
Steps to Reproduce
  1. curl -s 'https://vercel.com/' | grep -iE 'rel="(icon|shortcut icon)"'
  2. Confirm no matching tag is present
  3. Add the missing tag inside `<head>`
Expected Result
`<link rel="icon">` should be declared in the page's `<head>` section.
Actual Result
Homepage HTML for https://vercel.com/ does not include a favicon link tag.
BUG-038 Missing SEO metadata
Low P3 • New
https://vercel.com/sandbox (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/sandbox → View source
  2. Locate `<meta name="description" content="...">`
  3. Rewrite content to fit 50–160 characters
Expected Result
Meta description should be 50–160 characters.
Actual Result
2 of 15 page descriptions are outside the 50–160 character range.
BUG-039 Page title too long (longest 67 chars)
Low P3 • New
https://vercel.com/ (Desktop + Mobile)
Steps to Reproduce
  1. Open https://vercel.com/ in DevTools → Elements
  2. Inspect the `<title>` element
  3. Confirm the text is 67 characters (target 10–60)
  4. Rewrite the title to fit the 10–60 character window
Expected Result
Page title length should be between 10 and 60 characters.
Actual Result
5 of 15 pages have titles out of range (2 too long, 3 too short). The longest is https://vercel.com/ at 67 characters.
6Highest-Priority Findings

Auto-generated from severity ranking. Manual review recommended.

The top critical and high-severity findings, in priority order. See the Detailed Bug Reports section for full reproduction steps.
  1. BUG-001 — Pre-consent cookie firing with no visible banner — GDPR/CCPA violation
  2. BUG-002 — Color contrast failures (site-wide)
  3. BUG-003 — 59 console errors across 14 pages indicate systemic JS runtime failures
  4. BUG-004 — Client-side routing returns HTTP 200 for all unknown paths — no real 404
  5. BUG-005 — CTA click triggers a JavaScript error
  6. BUG-006 — Cookie "_v-anonymous-id-renewed" missing HttpOnly flag
  7. BUG-007 — Cookie "_v-anonymous-id" missing HttpOnly flag
7Recommended Fix Order

Auto-generated from severity ranking. Manual review recommended.

Suggested remediation order. Engineering should validate the sequence against business priorities and dependency relationships before scheduling.
1Remove or gate all tracking cookies (_v-consent, _v-anonymous-id, _v-anonymous-id-renewed) behind explicit user consent and deploy a compliant cookie consent banner on the homepage to resolve the GDPR/CCPA violation.
2Add Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers consistently across all pages via a single edge/CDN middleware rule to close the security header gap in one change.
3Set the HttpOnly flag on all session and analytics cookies (_v-consent, _v-anonymous-id, _v-anonymous-id-renewed) to prevent JavaScript-based cookie theft.
4Fix the JavaScript fetch error on /ai-sdk that blocks the 'Get Started' CTA (pageerror: Failed to fetch) and causes the CORS redirect violation for https://ai-sdk.dev/ — investigate the cross-origin redirect and ensure the CTA navigates reliably.
5Remediate WCAG AA color contrast failures: the 1.66:1 ratio on /botid is critically low; audit and update text/background color tokens across /, /products/previews, and /botid.
6Add accessible names to all 34 unnamed links and 17 unnamed buttons — use aria-label or visible text; prioritize the 2 pages with unnamed buttons as they likely include key interactive controls.
7Fix the broken external link to https://github.com/vercel/ai/discussions (HTTP 404) on /ai-sdk — update to the current GitHub Discussions URL or remove the link.
8Resolve the multiple <h1> elements on 3 pages and fix heading-level skips on 8 pages to correct document outline structure for screen readers and SEO.
9Reduce page weight and DOM complexity on /ai-gateway (4.21 MB, 2539 elements) and /products/previews (3.79 MB, 2416 elements) through image optimization, code splitting, or lazy loading to improve Core Web Vitals.
10Remove or suppress the X-Powered-By: Next.js, Payload response header to avoid unnecessary technology fingerprinting by attackers.
8Recommended Manual Test Scenarios
Manual test scenarios recommended by the AI analyzer based on the crawled site structure. Hand this list to your QA team for execution — each scenario covers something the automation cannot verify on its own.
Happy Path (6)
TC-001 Navigate to AI Cloud product page from homepage
happy-path High
Precondition
User is on the homepage at https://vercel.com/
Steps
  1. Click the 'AI Cloud' link in the navigation
  2. Verify the page loads completely
Expected Result
User is redirected to https://vercel.com/ai and the page title displays 'Deploy AI at the speed of frontend'
TC-002 Access AI Gateway subproduct from AI Cloud page
happy-path High
Precondition
User is on https://vercel.com/ai
Steps
  1. Click the 'AI Gateway' link
  2. Wait for page to fully load
Expected Result
User navigates to https://vercel.com/ai-gateway and sees AI Gateway documentation with SDK options
TC-003 Navigate through multiple product pages using breadcrumb trail
happy-path Medium
Precondition
User is on homepage
Steps
  1. Click 'Products' button in navigation
  2. Click 'CI/CD' link to go to https://vercel.com/products/previews
  3. Click 'Products' again to see options
  4. Click 'Observability' link to go to https://vercel.com/products/observability
Expected Result
User can navigate between different product pages without errors
TC-004 Search functionality using keyboard shortcut
happy-path Medium
Precondition
User is on https://vercel.com/ai-sdk page
Steps
  1. Press the keyboard shortcut for search (⌘K or Ctrl+K)
  2. Verify search dialog opens
Expected Result
Search dialog appears on screen, ready for user input
TC-005 Verify sign-in button navigation
happy-path High
Precondition
User is on https://vercel.com/ai-sdk
Steps
  1. Click 'Sign in with Vercel' button
  2. Verify page navigates or modal opens for authentication
Expected Result
User is taken to a sign-in or authentication flow
TC-006 Test anchor link navigation within same page
happy-path Medium
Precondition
User is on https://vercel.com/ page with anchor links
Steps
  1. Click the 'Skip to content' anchor link (https://vercel.com/#geist-skip-nav)
  2. Verify focus moves and page scrolls to target section
Expected Result
Page scrolls smoothly to the anchor target; focus is set on the target element
Edge Cases (4)
TC-007 Test browser back button during navigation flow
edge-case Medium
Precondition
User is on https://vercel.com/
Steps
  1. Click 'AI Cloud' link to navigate to https://vercel.com/ai
  2. Click 'Vercel Agent' link to navigate to https://vercel.com/agent
  3. Press browser back button
  4. Press browser back button again
Expected Result
Each back button press returns to the previous page in history, ending at homepage
TC-008 Test rapid sequential navigation to AI product pages
edge-case Medium
Precondition
User is on https://vercel.com/
Steps
  1. Click 'AI Cloud' link
  2. Before page fully loads, click browser back button
  3. Click 'AI Gateway' link
  4. Before page fully loads, click 'Sandbox' link
Expected Result
Page requests are properly cancelled or handled; final page displays correct content without console errors
TC-009 Test navigation with very long page scroll and focus management
edge-case Medium
Precondition
User is on https://vercel.com/security or another page with extensive vertical content
Steps
  1. Scroll to the bottom of the page
  2. Click a link to a new page (e.g., 'Bot Management')
  3. Verify page loads and scroll position resets
Expected Result
New page loads with scroll position at the top; no scroll position carried over from previous page
TC-010 Test special characters in navigation flow
edge-case Low
Precondition
User is on https://vercel.com/
Steps
  1. Click multiple links with special characters in their text (e.g., 'AI SDK', 'CI/CD')
  2. Verify each page loads correctly
Expected Result
All pages with special characters in their names load and render properly
Security (3)
TC-011 Test XSS injection in search input field
security High
Precondition
User is on https://vercel.com/ai-sdk with search dialog open
Steps
  1. Open search dialog using ⌘K
  2. Type payload: <script>alert('XSS')</script>
  3. Press Enter to submit search
Expected Result
No JavaScript alert appears; payload is either sanitized or escaped in results
TC-012 Test SQL injection-shaped payload in search
security High
Precondition
User is on https://vercel.com/ai-sdk with search dialog open
Steps
  1. Open search dialog using ⌘K
  2. Type payload: ' OR '1'='1
  3. Press Enter to submit search
Expected Result
Search returns normal results or error message; no database errors exposed
TC-013 Attempt to access restricted page without authentication
security High
Precondition
User is not authenticated
Steps
  1. Navigate directly to a potentially protected URL (e.g., dashboard or admin path if one exists)
  2. Observe response and page content
Expected Result
User is either redirected to login page or sees 'unauthorized' message; no sensitive data is exposed
UX & Responsive (5)
TC-014 Test skip-to-content navigation shortcut
ux Medium
Precondition
User is on https://vercel.com/
Steps
  1. Press Tab key to activate the first focusable element
  2. Verify 'Skip to content' link is visible
  3. Click the 'Skip to content' link
  4. Verify focus moves to main content area
Expected Result
Skip link navigates to the main content section, improving keyboard accessibility
TC-015 Verify responsive layout on mobile viewport
ux Medium
Precondition
User is on https://vercel.com/ with desktop viewport
Steps
  1. Resize browser to mobile width (375px)
  2. Verify navigation menu is accessible
  3. Verify all buttons and links remain clickable
  4. Scroll through entire page and check text readability
Expected Result
Layout adapts correctly to mobile width, all interactive elements remain functional and readable
TC-016 Verify all main navigation buttons are accessible
ux High
Precondition
User is on https://vercel.com/
Steps
  1. Use Tab key to navigate to each top-level navigation button
  2. Verify each button has visible focus indicator
  3. Verify each button is keyboard-clickable with Enter key
Expected Result
All navigation buttons (Products, Resources, Solutions, Ask AI) respond to keyboard navigation and clicks
TC-017 Verify empty state handling when no search results found
ux Medium
Precondition
User is on https://vercel.com/ai-sdk with search dialog open
Steps
  1. Open search dialog using ⌘K
  2. Type a nonsensical search query: 'xyzabc123nonexistent'
  3. Press Enter
Expected Result
Search displays an empty state message indicating no results found; UI remains responsive
TC-018 Verify loading state behavior during slow network conditions
ux Medium
Precondition
User is on https://vercel.com/ with network throttling enabled (slow 3G)
Steps
  1. Click a product link to navigate to a new page
  2. Observe the page while it is loading
Expected Result
Loading indicators or skeleton screens appear; page content renders progressively without blocking interaction
9Summary & Observations
Testing Outcome — Automated Scan

Critical and high-severity findings cluster around functional / security issues — recommend an engineering triage session before scheduling remediation.

An automated scan can only validate what it can statically observe (DOM, console, load timing). Recommend a manual review of business-critical flows (auth, payment, data submission) before sign-off.

Report Generated by QA Explorer — Confidential