Sample report. This is a real QA Explorer scan, run on vercel.com on 2026-05-22. Want to see what we'd find on your site? Drop your URL below to run your own free scan.

QA Report

https://vercel.com/

9bd542e3-1469-48b4-88da-de510f46c184 · May 22, 2026, 12:28 PM · 443s

1Critical9High15Medium14Low15 pages scanned

PDF Markdown CSV

Quality Assurance

vercel.com

Automated scan of vercel.com via QA Explorer (claude-sonnet-4-6). Covered 15 pages, ran 246 scripted test cases (177 passed), and surfaced 39 unique findings across functionality, UX, accessibility, performance, and security.

Confidential

Environment	https://vercel.com/
Project	vercel.com
Methodology	Automated end-to-end exploratory scan (Playwright + DOM extraction)
Tester	QA Explorer (automated)
Report Date	2026-05-22

New Bugs

—

Bugs Fixed

—

UX Improved

246

Cases Run

177

Passed

39 findings · 1 critical · 9 high · 39 unique

1Executive Summary

Vercel's marketing site is structurally sound — all 15 pages returned successful responses, internal links are clean, and navigation works as expected. However, the scan uncovered a meaningful cluster of security, accessibility, and reliability issues that collectively create legal exposure, undermine trust, and deliver a degraded experience to users with disabilities or slow connections.

The most serious issues are in three areas. First, tracking cookies are being set on visitors' browsers before any consent is obtained, and no consent banner was detected — this is a likely violation of GDPR, CCPA, and similar privacy regulations, and is especially ironic on a platform that markets compliance features. Second, several security response headers are missing inconsistently across pages, suggesting a misconfiguration at the CDN or edge layer rather than a deliberate policy. Third, the site has significant accessibility gaps: multiple pages have insufficient color contrast that fails WCAG AA, 34 links and 17 buttons have no accessible name, and heading structure is broken on many pages — collectively these may constitute ADA/WCAG non-compliance for a flagship commercial product.

The team should address the cookie consent issue immediately as it carries regulatory risk, then fix the edge-layer header configuration in a single pass to resolve the cluster of missing security headers. Accessibility remediation — contrast ratios, accessible names on interactive elements, and heading hierarchy — should follow as a coordinated sprint. Finally, the broken GitHub Discussions external link, the JavaScript fetch error blocking the 'Get Started' CTA, and the oversized page payloads on the AI Gateway and Previews pages should be resolved to protect conversion and performance.

Production impact. 1 critical defect is present and should block release until remediated.

2Test Scope & Environment

Field	Value
Application	vercel.com
Environment	https://vercel.com/
Methodology	Automated end-to-end exploratory scan — headless Chromium crawls same-origin links, captures DOM/console/screenshots, analyzer derives findings.
Pages Scanned	15
Duration	2 min 48 s
Report ID	9bd542e3-1469-48b4-88da-de510f46c184
Analyzer	claude-sonnet-4-6

3Test Execution Details

Scripted test cases executed against the target. Status values follow the test runner's convention (PASS / FAIL / UX / BLOCKED).

TS-NAV — Navigation & Page Load Tests

#	Test Step	Expected Result	Actual Result	Status
1	Open homepage	The homepage should load successfully with all primary content visible.	HTTP 200, loaded in 0.49s, 36 headings, 134 links, 48 images.	✓ PASS
2	Open Home page	The Home page should load successfully with all content visible.	HTTP 200, loaded in 0.72s, 36 headings, 134 links, 48 images.	✓ PASS
3	Open Ai page	The Ai page should load successfully with all content visible.	HTTP 200, loaded in 0.39s, 32 headings, 122 links, 47 images.	✓ PASS
…	… and 12 more — all passed			✓ PASS

TS-LINKS — Internal Link Health

#	Test Step	Expected Result	Actual Result	Status
1	HEAD /"Skip to content"	The "Skip to content" link should resolve to a working page.	Link resolves correctly (HTTP 200).	✓ PASS
2	HEAD /home"Skip to content" · linked from 14 pages	The "Skip to content" link should resolve to a working page.	Link resolves correctly (HTTP 200).	✓ PASS
3	HEAD /ai"AI Cloud" · linked from 14 pages	The "AI Cloud" link should resolve to a working page.	Link resolves correctly (HTTP 200).	✓ PASS
…	… and 47 more — all passed			✓ PASS

TS-SEC — Security Headers & Cookies

#	Test Step	Expected Result	Actual Result	Status
1	Check Strict-Transport-Security security headersampled 2 pages	Header present with max-age ≥ 31536000 (1 year)	Present, max-age=31536000; includeSubDomains; preload.	✓ PASS
2	Check for Content Security Policy header	The server should send a Content Security Policy header to protect against injection attacks.	The header was not set on 1 of 2 samples tested.	✗ FAIL
3	Check for X-Content-Type-Options header	The server should send an X-Content-Type-Options header set to 'nosniff' to prevent browsers from interpreting files as a different type.	The header was not set on 1 of 2 samples tested.	✗ FAIL
4	Check for X-Frame-Options header	The server should send an X-Frame-Options header set to either DENY or SAMEORIGIN to prevent clickjacking attacks.	The header was not set on 1 of 2 samples tested.	✗ FAIL
5	Check for Referrer-Policy header	The server should send a Referrer-Policy header to control how much referrer information is shared.	The header was not set on 1 of 2 samples tested.	✗ FAIL
6	Check for Permissions-Policy header	The server should send a Permissions-Policy header to control which browser features can be used.	The header was not set.	✗ FAIL
7	Check if '_v-consent' cookie has HttpOnly flag	The '_v-consent' cookie should be marked HttpOnly to prevent JavaScript from accessing it, reducing cross-site scripting risks.	The HttpOnly flag was not set on the cookie.	✗ FAIL
8	Cookie "_v-consent" — Secure flagsampled from /	Secure attribute set	Secure attribute present	✓ PASS
9	Cookie "_v-consent" — SameSite attributesampled from /	SameSite=Strict / Lax / None	SameSite=Lax	✓ PASS
10	Check if '_v-anonymous-id' cookie has HttpOnly flag	The '_v-anonymous-id' cookie should be marked HttpOnly to prevent JavaScript from accessing it, reducing cross-site scripting risks.	The HttpOnly flag was not set on the cookie.	✗ FAIL
11	Cookie "_v-anonymous-id" — Secure flagsampled from /	Secure attribute set	Secure attribute present	✓ PASS
12	Cookie "_v-anonymous-id" — SameSite attributesampled from /	SameSite=Strict / Lax / None	SameSite=Lax	✓ PASS
13	Check if '_v-anonymous-id-renewed' cookie has HttpOnly flag	The '_v-anonymous-id-renewed' cookie should be marked HttpOnly to prevent JavaScript from accessing it, reducing cross-site scripting risks.	The HttpOnly flag was not set on the cookie.	✗ FAIL
14	Cookie "_v-anonymous-id-renewed" — Secure flagsampled from /	Secure attribute set	Secure attribute present	✓ PASS
15	Cookie "_v-anonymous-id-renewed" — SameSite attributesampled from /	SameSite=Strict / Lax / None	SameSite=Lax	✓ PASS
16	Mixed Content scan across crawled pagesscanned 15 pages of console messages	No `http://` resources requested on HTTPS pages	No Mixed Content messages observed during crawl	✓ PASS

TS-A11Y — Accessibility Audit

#	Test Step	Expected Result	Actual Result	Status
1	HTML `lang` attribute presentchecked 15 pages	Every page sets `<html lang=...>` (screen readers / i18n)	All pages declare a lang attribute	✓ PASS
2	Verify each page has exactly one main heading	Every page should have exactly one H1 tag to clearly identify its primary topic.	3 of 15 pages had multiple H1 elements, making the page structure confusing for screen reader users.	✗ FAIL
3	Verify heading hierarchy is sequential	Headings should descend in order (H1 to H2 to H3) without skipping levels, so assistive technology users can navigate the page structure.	8 of 15 pages skip heading levels, which breaks the logical structure for users relying on assistive technology.	■ UX
4	Images declare an `alt` attributeinspected 452 images across 15 pages	Every `<img>` declares meaningful alt text (`alt=""` only for purely decorative images)	All images declare a non-empty `alt`	✓ PASS
5	Verify decorative images use empty alt text	Images used purely for decoration should have empty alt text (alt='') so screen readers skip them; images with content should have descriptive alt text.	143 images across 15 pages declare empty alt text — these should be reviewed to confirm they are truly decorative.	■ UX
6	Image resources return 2xxHEAD-checked 30 of 244 unique image srcs	Every `<img src>` resolves to a 2xx response	All 30 probed images returned 2xx	✓ PASS
7	Verify all buttons have accessible names	Every button should have a visible label or aria-label so screen reader users understand its purpose.	17 buttons on 2 pages lack an accessible name, making them inaccessible to screen reader users.	✗ FAIL
8	Verify all links have accessible names	Every link should have visible text or an aria-label so screen reader users understand where the link goes.	34 links across 15 pages lack an accessible name, making them unclear for screen reader users.	✗ FAIL

TS-XSS — Static XSS Surface

#	Test Step	Expected Result	Actual Result	Status
1	Text inputs declare a `maxlength` attributeinspected 0 text inputs across 15 pages	Every text-like input has `maxlength` so payloads cannot exceed a sane size	n/a (no text inputs discovered)	✓ PASS
2	State-mutating forms carry an anti-CSRF tokeninspected 0 POST/PUT/PATCH/DELETE forms	Every mutating form contains a hidden CSRF / authenticity token input	n/a (no mutating forms discovered)	✓ PASS
3	No inline event-handler attributesinspected 15 pages	No `onclick`/`onload`/`onerror`/… attributes in markup (use addEventListener)	No inline handlers found	✓ PASS
4	No `javascript:` URLs in `<a href>` attributesinspected links across 15 pages	`<a href>` values never use the `javascript:` scheme	No `javascript:` hrefs found	✓ PASS

TS-COOKIE — Cookies & Consent

#	Test Step	Expected Result	Actual Result	Status
1	Verify no tracking cookies are set before user consent	The site should not set any cookies that track user behavior until the user has explicitly consented.	All 3 cookies set on first load appear to be tracking cookies, suggesting cookies are set before consent.	✗ FAIL
2	Verify a cookie consent banner is present on the homepage	The homepage should display a visible cookie or consent banner so users can manage their preferences.	No cookie consent banner pattern was detected in the homepage HTML.	■ UX
3	No third-party cookies set by homepagecompared cookie Domain= against vercel.com	All Set-Cookie Domain attributes point to the same registrable domain as the page	All cookies are first-party	✓ PASS

TS-PAGE — Pagination Structure

#	Test Step	Expected Result	Actual Result	Status
1	Pagination detected on crawled pagesinspected 15 pages	Any paginated listing pages expose next / prev / page-N navigation	15 of 15 pages have pagination links	✓ PASS
2	Next / Prev links never point at the current page15 paginated pages	A page's next / prev links target neighboring pages, not the page itself	All paginated pages have valid next / prev targets	✓ PASS
3	Pagination link health (crawler-known statuses)46 pagination links (only crawler-visited URLs evaluated)	Pagination links resolve to 2xx / 3xx	All crawler-known pagination targets are 2xx/3xx	✓ PASS

TS-AUTHZ — Authorization Boundary

#	Test Step	Expected Result	Actual Result	Status
1	Authorization gate on /adminhttps://vercel.com/admin	Admin page is not publicly accessible.	HTTP 200 but body does not look like an admin page (likely a soft-404)	✓ PASS
2	Verify the /admin/ path is protected	Accessing /admin/ without authentication should block the request with a redirect or error response, not display admin content.	The request returned HTTP 308 (redirect to itself), which may indicate incomplete protection.	■ UX
3	Authorization gate on /admin.phphttps://vercel.com/admin.php	Admin page is not publicly accessible.	HTTP 307 → /auth-redirect/admin.php (login redirect)	✓ PASS
4	Authorization gate on /administratorhttps://vercel.com/administrator	Admin page is not publicly accessible.	HTTP 307 → /auth-redirect/administrator (login redirect)	✓ PASS
5	Authorization gate on /dashboardhttps://vercel.com/dashboard	Admin page is not publicly accessible.	HTTP 307 → /auth-redirect/dashboard (login redirect)	✓ PASS
6	Verify the /dashboard/ path is protected	Accessing /dashboard/ without authentication should block the request with a redirect or error response, not display dashboard content.	The request returned HTTP 308 (redirect to itself), which may indicate incomplete protection.	■ UX
7	Authorization gate on /wp-adminhttps://vercel.com/wp-admin	Admin page is not publicly accessible.	HTTP 307 → /auth-redirect/wp-admin (login redirect)	✓ PASS
8	Authorization gate on /api/adminhttps://vercel.com/api/admin	Admin page is not publicly accessible.	HTTP 404 (path does not exist)	✓ PASS
9	Authorization gate on /api/usershttps://vercel.com/api/users	Admin page is not publicly accessible.	HTTP 404 (path does not exist)	✓ PASS

TS-RATELIMIT — Rate Limit & Duplicate Submit

#	Test Step	Expected Result	Actual Result	Status
1	Check if mutating forms declare idempotency tokens	Forms that modify data should include a token the server can use to prevent duplicate submissions if a form is submitted twice.	No mutating forms were discovered on the site, so this check does not apply.	⊘ BLOCKED
2	Verify the homepage enforces rate limits under burst requests	When the site is accessed repeatedly in quick succession, the server should signal rate limits via HTTP 429 responses or rate-limit headers.	All 20 requests in the burst test returned no rate-limit signals, suggesting rate limiting may not be enforced.	■ UX
3	Check the login endpoint for rate-limit headers	The login endpoint should advertise rate limits via headers so clients know to back off after too many attempts.	No login form was discovered on the site, so this check does not apply.	⊘ BLOCKED

TS-SEO — SEO & Discoverability

#	Test Step	Expected Result	Actual Result	Status
1	Page `<title>` presentinspected 15 pages	Every page declares a non-empty `<title>` element	All pages declare a `<title>`	✓ PASS
2	Verify page titles are 10–60 characters	Page titles should be between 10 and 60 characters to be fully visible in search results and browser tabs.	5 of 15 page titles are out of the recommended range (2 are too long, 3 are too short).	✗ FAIL
3	Meta description presentinspected 15 pages	Every page declares a `<meta name="description">` tag	All pages declare a meta description	✓ PASS
4	Verify meta descriptions are 50–160 characters	Meta descriptions should be 50–160 characters to be fully visible in search results.	2 of 15 meta descriptions are outside the recommended range.	■ UX
5	Canonical URL declaredinspected 15 pages	Every page declares `<link rel="canonical" href="...">`	All pages declare a canonical URL	✓ PASS
6	Open Graph `og:title` presentinspected 15 pages	Every page declares `<meta property="og:title">`	All pages declare `og:title`	✓ PASS
7	Open Graph `og:description` presentinspected 15 pages	Every page declares `<meta property="og:description">`	All pages declare `og:description`	✓ PASS
8	Verify Open Graph image tag is present	Every page should declare an Open Graph image (og:image) so social media sites display a preview when the page is shared.	1 of 15 pages is missing the og:image tag.	■ UX
9	Page declares at least one `<h1>`inspected 15 pages	Every page has exactly one `<h1>` (primary page title)	Every page declares at least one `<h1>`	✓ PASS
10	robots.txt exists/robots.txt	GET `/robots.txt` returns 2xx	HTTP 200	✓ PASS
11	robots.txt references a Sitemapscanned response body	robots.txt body contains a `Sitemap:` directive	`Sitemap:` directive present	✓ PASS
12	sitemap.xml exists/sitemap.xml	GET `/sitemap.xml` returns 2xx	HTTP 200	✓ PASS
13	sitemap.xml is valid XMLchecked for <urlset> / <sitemapindex> root	Response body parses as `<urlset>` or `<sitemapindex>`	valid sitemap structure	✓ PASS

TS-SSL — SSL / TLS & Server Headers

#	Test Step	Expected Result	Actual Result	Status
1	HTTPS homepage reachablehttps://vercel.com	HEAD https:// returns 2xx or 3xx	HTTP 200	✓ PASS
2	TLS certificate expiryCN=vercel.com	Certificate valid for at least 30 more days	87 days remaining (valid_to Aug 17 21:36:15 2026 GMT)	✓ PASS
3	HTTP → HTTPS redirecthttp://vercel.com	Plain HTTP serves a 301 / 302 / 307 / 308 to https://	HTTP 308 → https://vercel.com/	✓ PASS
4	Verify server software version is not disclosed	Server headers should not reveal the software name or version, as this information can help attackers identify vulnerabilities.	The X-Powered-By header reveals 'Next.js, Payload', exposing the technology stack.	■ UX

TS-REDIRECT — Redirect Configuration

#	Test Step	Expected Result	Actual Result	Status
1	HTTP → HTTPS redirect chainstart http://vercel.com/	1–2 hops landing on the matching https://<host>/ URL	1 hop → https://vercel.com/ (HTTP 200)	✓ PASS
2	www / apex canonicalizationcompared www.vercel.com ↔ vercel.com	Both entrances land on the same canonical host	www → vercel.com, apex → vercel.com.	✓ PASS

TS-META — Meta Tags & PWA Essentials

#	Test Step	Expected Result	Actual Result	Status
1	Verify favicon is declared	The page head should include a link tag for the favicon so browsers display an icon in the tab.	The favicon link tag was not found in the homepage HTML.	■ UX
2	Apple touch iconhomepage HTML scan	`<link rel="apple-touch-icon">` declared in the page head.	tag present in homepage HTML	✓ PASS
3	Structured data (JSON-LD)homepage HTML scan	At least one `<script type="application/ld+json">` block declaring relevant schema.org types.	tag present in homepage HTML	✓ PASS
4	Charset declarationhomepage HTML scan	`<meta charset="utf-8">` declared at the top of `<head>`.	tag present in homepage HTML	✓ PASS
5	Web app manifesthomepage declares <link rel="manifest">	Either `<link rel="manifest">` referenced (and 2xx) OR `/manifest.json` / `/site.webmanifest` reachable	HTTP 200 from /manifest.webmanifest	✓ PASS

TS-IMG — Image Optimization

#	Test Step	Expected Result	Actual Result	Status
1	Lazy-loading attribute usageparsed 20 <img> tags on homepage	≥25% of homepage <img> tags declare loading="lazy"	8 of 20 tags use loading="lazy" (40%)	✓ PASS
2	Image payload sizeHEAD-checked 20 of 244 unique image srcs	Each image transfers ≤ 500 KB	All 20 probed images ≤ 500 KB (or Content-Length unavailable)	✓ PASS
3	Modern image formats (WebP / AVIF)Content-Type inspection across 20 HEAD responses	At least some image responses use modern formats (image/webp or image/avif)	0 legacy (jpg/png), 0 modern (webp/avif).	✓ PASS

TS-CONSOLE — Console Errors

#	Test Step	Expected Result	Actual Result	Status
1	Verify no JavaScript console errors appear	The page should not emit any JavaScript errors to the browser console.	59 errors across 5 distinct patterns were logged on 14 pages, indicating JavaScript issues.	■ UX
2	Check for 'Failed to load resource' errors	Resources should load successfully without emitting console errors.	A resource returned HTTP 403, failing to load and emitting a console error.	✗ FAIL
3	Check for Cross-Origin Resource Sharing (CORS) fetch errors	Cross-origin requests should not be blocked by CORS policy.	A fetch request to 'https://ai-sdk.dev/' was blocked by CORS policy or a redirect error.	✗ FAIL
4	Check for network errors loading resources	All resources should load without network errors.	A resource failed to load with a network error.	✗ FAIL
5	Check for Content Security Policy font-loading violations	Fonts should load without violating the Content Security Policy.	A font from 'https://k2mkucxia43oc7fa.public.blob.vercel-storage.com/front/fonts/space-mono/sp…' was blocked by the CSP directive.	■ UX
6	Check for Content Security Policy connection violations	JavaScript connections should not be blocked by the Content Security Policy.	A connection to 'https://ai-sdk.dev/' was blocked by the CSP directive.	■ UX

TS-EXTLINKS — External Link Health

#	Test Step	Expected Result	Actual Result	Status
1	Check external link https://v0.app/"v0Build applications with AI"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
2	Check external link https://community.vercel.com/"CommunityJoin the conversation"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
3	Check external link https://nuxt.com/"NuxtThe progressive web framework"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
4	Check external link https://svelte.dev/"SvelteThe web’s efficient UI framework"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
5	Check external link https://ai-sdk.dev/"AI SDK"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
6	Check external link https://workflow-sdk.dev/"Workflow SDKNew"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
7	Check external link https://flags-sdk.dev/"Flags SDK"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
8	Check external link https://chat-sdk.dev/"Chat SDK"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
9	Check external link https://streamdown.ai/"Streamdown AINew"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
10	Check external link https://github.com/vercel"GitHub"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
11	Check external link https://linkedin.com/company/vercel"LinkedIn"	External link is reachable.	Link redirects (HTTP 301).	✓ PASS
12	Verify external link https://x.com/vercel is reachable	The external link should be accessible or return a valid response code.	The link returned HTTP 403 (Forbidden) in 0.12 seconds, indicating access restrictions.	■ UX
13	Check external link https://youtube.com/@VercelHQ"YouTube"	External link is reachable.	Link redirects (HTTP 301).	✓ PASS
14	Check external link https://vercel-status.com/"All systems normal."	External link is reachable.	Link redirects (HTTP 301).	✓ PASS
15	Check external link https://ai-sdk.dev/getting-started"AI SDK documentation"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
16	Check external link https://vercel.com/ossreferenced from https://vercel.com/ai-sdk	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
17	Check external link https://vercel.com/ai-gateway"AI GatewayGateway"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
18	Check external link https://github.com/vercel/ai"GitHub"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
19	Verify external link https://github.com/vercel/ai/discussions is reachable	The external link should be accessible or return a valid response code.	The link returned HTTP 404 (Not Found) in 0.24 seconds, indicating the page no longer exists.	✗ FAIL
20	Check external link https://vercel.com/contact"Contact"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
21	Check external link https://vercel.com/ai-gateway/models"supported LLM models"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
22	Check external link https://vercel.com/sandboxreferenced from https://vercel.com/ai-sdk	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
23	Check external link https://vercel.com/workflowreferenced from https://vercel.com/ai-sdk	External link is reachable.	Link redirects (HTTP 308).	✓ PASS
24	Check external link https://elements.ai-sdk.dev/referenced from https://vercel.com/ai-sdk	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
25	Check external link https://vercel.com/templates"Templates"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
26	Check external link https://vercel.com/docs/frameworks"Supported frameworks"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
27	Check external link https://vercel.com/marketplace"Marketplace"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
28	Check external link https://vercel.com/domains"Domains"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
29	Check external link https://vercel.com/frameworks/nextjs"Next.js on Vercel"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
30	Check external link https://vercel.com/solutions/turborepo"Turborepo"	External link is reachable.	Link resolves correctly (HTTP 200).	✓ PASS
31	External links beyond initial sample not checked	A representative sample of external links is tested; remaining links deferred due to probe limits.	More than 50 external links were not probed due to the automation limit.	■ UX

TS-OPENREDIR — Open Redirect Surface

#	Test Step	Expected Result	Actual Result	Status
1	?redirect=<external> redirect handlinghttps://vercel.com/?redirect=https%3A%2F%2Fevil.example%2Fphishing-test	Server ignores or strips off-origin redirect targets	HTTP 200 (no Location)	✓ PASS
2	?next=<external> redirect handlinghttps://vercel.com/?next=https%3A%2F%2Fevil.example%2Fphishing-test	Server ignores or strips off-origin redirect targets	HTTP 200 (no Location)	✓ PASS
3	?url=<external> redirect handlinghttps://vercel.com/?url=https%3A%2F%2Fevil.example%2Fphishing-test	Server ignores or strips off-origin redirect targets	HTTP 200 (no Location)	✓ PASS
4	?return=<external> redirect handlinghttps://vercel.com/?return=https%3A%2F%2Fevil.example%2Fphishing-test	Server ignores or strips off-origin redirect targets	HTTP 200 (no Location)	✓ PASS
5	?returnUrl=<external> redirect handlinghttps://vercel.com/?returnUrl=https%3A%2F%2Fevil.example%2Fphishing-test	Server ignores or strips off-origin redirect targets	HTTP 200 (no Location)	✓ PASS

TS-AUTH — Authentication Form Structure

#	Test Step	Expected Result	Actual Result	Status
1	Verify a login form is discoverable	The site should have at least one login form so user authentication can be tested.	No login form was found on any crawled page.	⊘ BLOCKED

TS-API — API Responses

#	Test Step	Expected Result	Actual Result	Status
1	API responses return 2xx/3xx68 XHR/fetch responses on https://vercel.com/	All API responses return 2xx / 3xx	All 68 responses 2xx/3xx	✓ PASS
2	API responses under 2s68 XHR/fetch responses	Every API response completes in ≤ 2000 ms	All responses under threshold	✓ PASS
3	Check API responses declare a `Content-Type` header68 XHR/fetch responses	Every API response sets a `Content-Type` header	All responses declare a Content-Type	✓ PASS
4	API response bodies do not expose stack traces68 XHR/fetch responses	Response bodies never contain server stack traces / debug error details	No stack traces detected in response bodies	✓ PASS

TS-ERR — Error Page & 404 Handling

#	Test Step	Expected Result	Actual Result	Status
1	Verify /xyz returns a 404 error page	Requesting a non-existent path should return an HTTP 4xx error with a branded error page that matches the site design.	The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.	✗ FAIL
2	Verify /__qa_explorer_404_probe_* returns a 404 error page	Requesting a non-existent path should return an HTTP 4xx error with a branded error page that matches the site design.	The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.	✗ FAIL
3	Verify /page-not-found?q=<payload> returns a 404 error page	Requesting a non-existent path should return an HTTP 4xx error with a branded error page that matches the site design.	The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page. Response time was 0.31 s.	✗ FAIL
4	Verify /aaaa… (500-char repeat) returns a 404 error page	Requesting a path with an extremely long URL should return an HTTP 4xx error with a branded error page that matches the site design.	The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.	✗ FAIL
5	Verify /test'<sql-payload> returns a 404 error page	Requesting a path with SQL injection patterns should return an HTTP 4xx error with a branded error page that matches the site design.	The path returned HTTP 200 (success) instead of an error, and the page is not branded as an error page.	✗ FAIL

TS-CTA — Primary CTA Tests

#	Test Step	Expected Result	Actual Result	Status
1	Click link "Log In" → /loginclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/login (HTTP 200)	✓ PASS
2	Click the 'Sign Up' link to navigate to /signup	The link should be clickable and the page should navigate to the sign-up page.	The click action timed out after 3 seconds, indicating the link was not responsive or not in the expected location.	⊘ BLOCKED
3	Click link "Learn more" → /fluidclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/fluid	✓ PASS
4	Click link "Get Started" → /dclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/login?next=%2Fd%3Fto%3D%252F%255Bteam%255D%252F%257E%252Fsan… (HTTP 200)	✓ PASS
5	Click link "Get Started" → /dclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/login?next=%2Fd%3Fto%3D%252F%255Bteam%255D%252F%257E%252Fver… (HTTP 200)	✓ PASS
6	Click the 'Sign in with Vercel' button	The button should be clickable and present in the page.	The button is no longer in the DOM, likely because it was rendered after the initial page load by client-side JavaScript.	⊘ BLOCKED
7	Click the 'Get Started' link to navigate to /docs	Clicking the link should not produce any JavaScript errors.	A 'Failed to fetch' error was thrown when the link was clicked.	✗ FAIL
8	Click link "Contact sales" → /contact/salesclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/contact/sales	✓ PASS
9	Click link "Learn More" → /docs/vercel-firewallclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/docs/vercel-firewall (HTTP 200)	✓ PASS
10	Click link "Learn more" → /botidclick navigates to destination	CTA produces a navigation, modal, or DOM update	Navigated to https://vercel.com/docs/vercel-firewall (HTTP 200)	✓ PASS

TS-SEARCH — Search Behavior

#	Test Step	Expected Result	Actual Result	Status
1	Verify a search form is discoverable	The site should have at least one search form so search functionality can be tested.	No search form was found on any crawled page.	⊘ BLOCKED

TS-ERROR — Error & Resilience Handling

#	Test Step	Expected Result	Actual Result	Status
1	Verify a service worker is registered	Optionally, a registered service worker enables offline browsing, push notifications, and background synchronization.	No service worker was registered on the sample page.	■ UX
2	Verify the page displays gracefully when offline	When the browser is offline, the page should show a branded offline message or cached content instead of a generic browser error.	The page failed to load offline, showing a generic 'net::ERR_INTERNET_DISCONNECTED' error rather than a graceful offline state.	✗ FAIL
3	Verify a loading indicator appears during slow navigation	While the page is loading, a spinner or loading message should be visible to reassure the user that content is on the way.	No loading spinner or progress indicator was detected during slow navigation.	■ UX

TS-PERF — Performance & Core Web Vitals

#	Test Step	Expected Result	Actual Result	Status
1	FCP · /	≤1.8s good · ≤3.0s needs improvement	0.23s	✓ PASS
2	LCP · /	≤2.5s good · ≤4.0s needs improvement	0.23s	✓ PASS
3	CLS · /	≤0.1 good · ≤0.25 needs improvement	0.000	✓ PASS
4	Measure DOM complexity on the homepage	The homepage should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.	The homepage contains 3195 DOM elements, exceeding the recommended limit.	✗ FAIL
5	Measure page weight on the homepage	The homepage should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.	The homepage weighs 3.70 MB, exceeding the good threshold.	■ UX
6	FCP · /ai-gateway	≤1.8s good · ≤3.0s needs improvement	0.31s	✓ PASS
7	LCP · /ai-gateway	≤2.5s good · ≤4.0s needs improvement	0.31s	✓ PASS
8	CLS · /ai-gateway	≤0.1 good · ≤0.25 needs improvement	0.000	✓ PASS
9	Measure DOM complexity on /ai-gateway	The page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.	The page contains 2539 DOM elements, which is within acceptable range but toward the higher end.	■ UX
10	Measure page weight on /ai-gateway	The page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.	The page weighs 4.21 MB, exceeding the good threshold but within acceptable range.	■ UX
11	FCP · /products/previews	≤1.8s good · ≤3.0s needs improvement	0.24s	✓ PASS
12	LCP · /products/previews	≤2.5s good · ≤4.0s needs improvement	0.24s	✓ PASS
13	CLS · /products/previews	≤0.1 good · ≤0.25 needs improvement	0.000	✓ PASS
14	Measure DOM complexity on /products/previews	The page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.	The page contains 2416 DOM elements, which is acceptable but on the higher side.	■ UX
15	Measure page weight on /products/previews	The page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.	The page weighs 3.79 MB, exceeding the good threshold.	■ UX
16	FCP · /products/observability	≤1.8s good · ≤3.0s needs improvement	0.23s	✓ PASS
17	LCP · /products/observability	≤2.5s good · ≤4.0s needs improvement	0.23s	✓ PASS
18	CLS · /products/observability	≤0.1 good · ≤0.25 needs improvement	0.000	✓ PASS
19	Measure DOM complexity on /products/observability	The page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.	The page contains 3479 DOM elements, exceeding the acceptable limit.	✗ FAIL
20	Measure page weight on /products/observability	The page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.	The page weighs 3.93 MB, exceeding the good threshold.	■ UX
21	FCP · /botid	≤1.8s good · ≤3.0s needs improvement	0.22s	✓ PASS
22	LCP · /botid	≤2.5s good · ≤4.0s needs improvement	0.22s	✓ PASS
23	CLS · /botid	≤0.1 good · ≤0.25 needs improvement	0.000	✓ PASS
24	Measure DOM complexity on /botid	The page should contain no more than 1500 DOM elements (good) or 3000 (needs improvement) for optimal performance.	The page contains 2280 DOM elements, which is acceptable.	■ UX
25	Measure page weight on /botid	The page should weigh no more than 3 MB (good) or 5 MB (needs improvement) for fast loading.	The page weighs 3.76 MB, exceeding the good threshold.	■ UX

TS-RESPONSIVE — Responsive Layout Checks

#	Test Step	Expected Result	Actual Result	Status
1	Test homepage responsiveness on mobile (375×812)	The homepage should display without horizontal overflow, have no clipped text, and all interactive elements should be at least 44 pixels tall.	No horizontal overflow observed. However, 4 elements are clipped, and 88 of 101 touch targets are smaller than the recommended 44 pixels.	■ UX
2	Test homepage responsiveness on tablet (768×1024)	The homepage should display without horizontal overflow and have no clipped text.	No horizontal overflow observed, but 1 element is clipped.	■ UX
3	Test homepage responsiveness on desktop (1440×900)	The homepage should display without horizontal overflow and have no clipped text.	No horizontal overflow observed, but 1 element is clipped.	■ UX
4	Test /products/previews responsiveness on mobile (375×812)	The page should display without horizontal overflow, have no clipped text, and all interactive elements should be at least 44 pixels tall.	No horizontal overflow observed. However, 2 elements are clipped, and 69 of 73 touch targets are smaller than the recommended 44 pixels.	■ UX
5	Test /products/previews responsiveness on tablet (768×1024)	The page should display without horizontal overflow and have no clipped text.	No horizontal overflow observed, but 2 elements are clipped.	■ UX
6	Test /products/previews responsiveness on desktop (1440×900)	The page should display without horizontal overflow and have no clipped text.	No horizontal overflow observed, but 3 elements are clipped.	■ UX
7	Test /botid responsiveness on mobile (375×812)	The page should display without horizontal overflow, have no clipped text, and all interactive elements should be at least 44 pixels tall.	No horizontal overflow observed. However, 2 elements are clipped, and 70 of 78 touch targets are smaller than the recommended 44 pixels.	■ UX
8	Test /botid responsiveness on tablet (768×1024)	The page should display without horizontal overflow and have no clipped text.	No horizontal overflow observed, but 2 elements are clipped.	■ UX
9	Test /botid responsiveness on desktop (1440×900)	The page should display without horizontal overflow and have no clipped text.	No horizontal overflow observed, but 2 elements are clipped.	■ UX
10	Viewport meta tagcaptured once on the first sample page	`<meta name="viewport" content="width=device-width, ...">`	Present, width=device-width, initial-scale=1, maximum-scale=1.	✓ PASS

TS-STATE — State & Navigation

#	Test Step	Expected Result	Actual Result	Status
1	Deep-link navigation to inner pagehttps://vercel.com/home	Direct GET on the inner URL renders content	Loaded, HTTP 200, body length 5237.	✓ PASS
2	Browser back returns to a working previous pagehttps://vercel.com/ → https://vercel.com/home → back	Going back re-renders the previous page (no blank / error screen)	Back, HTTP 200, body length 5237.	✓ PASS
3	Page reload renders cleanlyhttps://vercel.com/home	Reload renders the page without errors	Reloaded, HTTP 200, body length 5237.	✓ PASS
4	Inner pages have unique meaningful URLsinspected first 5 inner pages	Each inner page has its own path-based URL (not just a `#` fragment on the homepage)	All 5 URLs unique	✓ PASS

TS-CONTRAST — Color Contrast (WCAG 2.1)

#	Test Step	Expected Result	Actual Result	Status
1	Measure color contrast on the homepage	All text should meet WCAG 2.1 color contrast standards (at least 4.5:1 for normal text, 3:1 for large text).	1 of 50 sampled text elements falls below the required contrast ratio.	✗ FAIL
2	Measure color contrast on /products/previews	All text should meet WCAG 2.1 color contrast standards (at least 4.5:1 for normal text, 3:1 for large text).	3 of 48 sampled text elements fall below the required contrast ratio.	✗ FAIL
3	Measure color contrast on /botid	All text should meet WCAG 2.1 color contrast standards (at least 4.5:1 for normal text, 3:1 for large text).	3 of 48 sampled text elements fall below the required contrast ratio.	✗ FAIL

4Bug Summary Matrix

A consolidated dashboard view of every unique finding from this scan. Detailed entries follow in the next section.

ID	Title	Severity	Priority	Status
BUG-001	Pre-consent cookie firing with no visible banner — GDPR/CCPA violation	Critical	P1	• New
BUG-002	Color contrast failures (site-wide)	High	P1	• New
BUG-003	59 console errors across 14 pages indicate systemic JS runtime failures	High	P1	• New
BUG-004	Client-side routing returns HTTP 200 for all unknown paths — no real 404	High	P1	• New
BUG-005	CTA click triggers a JavaScript error	High	P1	• New
BUG-006	Cookie "_v-anonymous-id-renewed" missing HttpOnly flag	High	P1	• New
BUG-007	Cookie "_v-anonymous-id" missing HttpOnly flag	High	P1	• New
BUG-008	Cookie "_v-consent" missing HttpOnly flag	High	P1	• New
BUG-009	Missing security headers inconsistent across pages — edge config gap	High	P1	• New
BUG-010	Undersized touch targets on mobile	High	P1	• New
BUG-011	Buttons without an accessible name	Medium	P2	• New
BUG-012	Links without an accessible name	Medium	P2	• New
BUG-013	Multiple `<h1>` elements on the same page	Medium	P2	• New
BUG-014	Broken and unverifiable social/external links undermine content credibility	Medium	P2	• New
BUG-015	Console error: Cross-origin fetch blocked by browser policy	Medium	P2	• New
BUG-016	Console error: Failed to load resource with HTTP error status	Medium	P2	• New
BUG-017	Console error: Network request failed (net::ERR_FAILED)	Medium	P2	• New
BUG-018	External link returns 404	Medium	P2	• New
BUG-019	No offline / cached state on sample page	Medium	P2	• New
BUG-020	Page weight and DOM size bloat across multiple product pages	Medium	P2	• New
BUG-021	CSP violations from first-party resources indicate misconfigured policy	Medium	P2	• New
BUG-022	Missing security response headers	Medium	P2	• New
BUG-023	No cookie / consent banner detected in homepage HTML	Medium	P2	• New
BUG-024	Server software disclosed via X-Powered-By header	Medium	P2	• New
BUG-025	Tracking cookies set before user consent	Medium	P2	• New
BUG-026	Images with empty `alt=""` (verify decorative intent)	Low	P3	• New
BUG-027	Skipped heading levels in page hierarchy	Low	P3	• New
BUG-028	Console error: Connection blocked by Content-Security-Policy	Low	P3	• New
BUG-029	Console error: Font blocked by Content-Security-Policy	Low	P3	• New
BUG-030	No service worker registered (no offline support)	Low	P3	• New
BUG-031	Heavy page weight	Low	P3	• New
BUG-032	Oversized DOM	Low	P3	• New
BUG-033	No rate-limit signal observed on homepage burst	Low	P3	• New
BUG-034	Content clipped at Desktop (1440px)	Low	P3	• New
BUG-035	Content clipped at Mobile (375px)	Low	P3	• New
BUG-036	Content clipped at Tablet (768px)	Low	P3	• New
BUG-037	Missing favicon link	Low	P3	• New
BUG-038	Missing SEO metadata	Low	P3	• New
BUG-039	Page title too long (longest 67 chars)	Low	P3	• New

5Detailed Bug Reports

Each finding's BUG-NNN identifier matches its row in the Bug Summary Matrix.

BUG-001 Pre-consent cookie firing with no visible banner — GDPR/CCPA violation

Critical P1 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open an incognito browser window and navigate to https://vercel.com/
Immediately open DevTools → Application → Cookies before any interaction
Observe _v-consent, _v-anonymous-id, and _v-anonymous-id-renewed already set
Confirm no cookie consent banner or modal is visible or present in the DOM

Expected Result

No non-essential cookies should be set until the user has been shown a consent banner and made an affirmative choice; the _v-consent cookie should only be written after consent is given.

Actual Result

All 3 detected cookies are set pre-consent on every page load; no consent banner pattern was found in homepage HTML, meaning users are never shown a choice.

BUG-002 Color contrast failures (site-wide)

High P1 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in DevTools → Inspect
Locate the element matching `span.px-1.h-5`
In the Styles pane, hover the computed `color` value — DevTools renders the live contrast ratio
Adjust either color (typically darkening the foreground) until the ratio clears the threshold

Expected Result

Contrast ratio should be at least 4.5:1 for normal body text (3:1 for large text 18pt+ or 14pt bold+).

Actual Result

Text "'openai/gpt-5.5'" has contrast ratio 4.13:1 (blue text on light blue background) on https://vercel.com/.

BUG-003 59 console errors across 14 pages indicate systemic JS runtime failures

High P1 • New

https://vercel.com/ (Desktop)

Steps to Reproduce

Open Chrome DevTools Console on https://vercel.com/
Set filter to 'Errors'
Reload the page without cache
Observe multiple console errors including 403 resource failures and CORS violations
Repeat on https://vercel.com/home and https://vercel.com/ai-sdk to confirm the pattern is site-wide

Expected Result

A production marketing site should have zero console errors on standard page loads; any third-party or analytics failures should be silently caught and not pollute the console.

Actual Result

59 errors across 5 patterns on 14 of 15 pages including 403 resource failures, CORS redirect blocks to ai-sdk.dev, ERR_FAILED network errors, font CSP violations, and WebSocket/connection CSP violations.

BUG-004 Client-side routing returns HTTP 200 for all unknown paths — no real 404

High P1 • New

https://vercel.com/xyz (Desktop)

Steps to Reproduce

In a browser or curl, request https://vercel.com/this-page-does-not-exist
Observe the HTTP response status is 200, not 404
Inspect the response body — it does not contain a recognizable Vercel-branded 404 error page
Repeat with https://vercel.com/aaaa (500 'a' characters) — same result

Expected Result

Requests for non-existent pages should return HTTP 404 with a branded, user-friendly error page to inform users, prevent SEO index pollution, and enable accurate uptime monitoring.

Actual Result

All 5 not-found probes returned HTTP 200 with a non-branded response body, confirming the server never signals a missing resource.

BUG-005 CTA click triggers a JavaScript error

High P1 • New

https://vercel.com/ai-sdk (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ai-sdk in a browser with DevTools → Console open
Locate the link labeled "Get Started"
Click it
Observe console error: "Failed to fetch"

Expected Result

Clicking the CTA should trigger its intended action with no JavaScript errors.

Actual Result

Clicking "Get Started" (link) on https://vercel.com/ai-sdk produced a "Failed to fetch" JavaScript error.

BUG-006 Cookie "_v-anonymous-id-renewed" missing HttpOnly flag

High P1 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

curl -I 'https://vercel.com/'
Locate the 'Set-Cookie' response header for the cookie named "_v-anonymous-id-renewed"
Confirm the HttpOnly flag is absent

Expected Result

All cookies should include the HttpOnly flag (e.g., Set-Cookie: name=value; HttpOnly; Secure; SameSite=Lax).

Actual Result

Cookie "_v-anonymous-id-renewed" observed on https://vercel.com/ is missing the HttpOnly flag in its Set-Cookie response header.

BUG-007 Cookie "_v-anonymous-id" missing HttpOnly flag

High P1 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

curl -I 'https://vercel.com/'
Locate the 'Set-Cookie' response header for the cookie named "_v-anonymous-id"
Confirm the HttpOnly flag is absent

Expected Result

All cookies should include the HttpOnly flag (e.g., Set-Cookie: name=value; HttpOnly; Secure; SameSite=Lax).

Actual Result

Cookie "_v-anonymous-id" observed on https://vercel.com/ is missing the HttpOnly flag in its Set-Cookie response header.

BUG-008 Cookie "_v-consent" missing HttpOnly flag

High P1 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

curl -I 'https://vercel.com/'
Locate the 'Set-Cookie' response header for the cookie named "_v-consent"
Confirm the HttpOnly flag is absent

Expected Result

All cookies should include the HttpOnly flag (e.g., Set-Cookie: name=value; HttpOnly; Secure; SameSite=Lax).

Actual Result

Cookie "_v-consent" observed on https://vercel.com/ is missing the HttpOnly flag in its Set-Cookie response header.

BUG-009 Missing security headers inconsistent across pages — edge config gap

High P1 • New

https://vercel.com/ (Desktop)

Steps to Reproduce

Open DevTools Network tab on https://vercel.com/
Reload the page and inspect the response headers for the document request
Note the absence of Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy
Repeat on a second internal page and compare — headers present on one, absent on another

Expected Result

All pages should consistently return the full set of recommended security response headers regardless of which origin or route serves them.

Actual Result

1 of 2 sampled pages is missing CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy; Permissions-Policy is absent on all sampled pages, meaning the gap is partial and route-dependent.

BUG-010 Undersized touch targets on mobile

High P1 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in Chrome DevTools at device width 375px
Highlight each interactive element in turn and check its bounding-box dimensions
Increase padding so the bounding box is ≥ 44×44 px

Expected Result

All interactive elements should be at least 44×44 pixels at the mobile viewport.

Actual Result

88 of 101 interactive elements are below 44px on mobile (375×812). Examples: menu button (90×18px), toggle button (32×32px).

BUG-011 Buttons without an accessible name

Medium P2 • New

https://vercel.com/ai-sdk (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ai-sdk in DevTools → Elements tab
Run `[...document.querySelectorAll('button')].filter(b => !b.innerText.trim() && !b.getAttribute('aria-label'))` in Console
Add an `aria-label` describing the action to each match

Expected Result

Each button must have a visible label or an `aria-label` attribute (e.g., `<button aria-label="Close">×</button>`).

Actual Result

17 of 273 buttons have neither visible text nor aria-label across 2 crawled pages.

BUG-012 Links without an accessible name

Medium P2 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in DevTools → Elements tab
Run `[...document.querySelectorAll('a[href]')].filter(a => !a.innerText.trim() && !a.getAttribute('aria-label') && !a.querySelector('img[alt]'))` in Console
Add visible text, `aria-label`, or an inner `<img alt>` to each match

Expected Result

Each link must have a visible label, an `aria-label`, or an image with alt text describing the destination.

Actual Result

34 of 1787 links lack an accessible name across 15 crawled pages.

BUG-013 Multiple `<h1>` elements on the same page

Medium P2 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in DevTools → Elements tab
Search the DOM for `h1` elements
Confirm 2 <h1> elements are present
Promote one as the page title; demote the rest to <h2>

Expected Result

Exactly one `<h1>` element per page.

Actual Result

3 of 15 crawled pages contain multiple <h1> elements (for example, 2 on https://vercel.com/).

BUG-014 Broken and unverifiable social/external links undermine content credibility

Medium P2 • New

https://vercel.com/ai-sdk (Desktop)

Steps to Reproduce

Navigate to https://vercel.com/ai-sdk
Find and click the GitHub Discussions community link
Observe the GitHub 404 page
Separately, attempt to visit https://x.com/vercel — observe access restriction

Expected Result

All externally linked URLs on product pages should resolve successfully; community and documentation links are especially critical on developer-focused pages.

Actual Result

https://github.com/vercel/ai/discussions returns HTTP 404; https://x.com/vercel returns HTTP 403; the GitHub link is a hard failure on the AI SDK product page.

BUG-015 Console error: Cross-origin fetch blocked by browser policy

Medium P2 • New

https://vercel.com/home (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/home in Chrome DevTools → Console
Reload the page with the console open
Locate the matching error entry and follow the stack trace into the source
Fix the failing call or guard against the input that triggered it

Expected Result

Cross-origin requests should be explicitly permitted via CORS headers or use same-origin requests.

Actual Result

13 instances of blocked fetch requests (attempting to reach 'https://ai-sdk.dev/' from 'https://vercel.com/...') across 13 pages.

BUG-016 Console error: Failed to load resource with HTTP error status

Medium P2 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in Chrome DevTools → Console
Reload the page with the console open
Locate the matching error entry and follow the stack trace into the source
Fix the failing call or guard against the input that triggered it

Expected Result

All referenced resources should load successfully (HTTP 2xx or valid 3xx redirects).

Actual Result

28 instances of "Failed to load resource: the server responded with a status of 403" across 14 pages. First observed on https://vercel.com/.

BUG-017 Console error: Network request failed (net::ERR_FAILED)

Medium P2 • New

https://vercel.com/home (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/home in Chrome DevTools → Console
Reload the page with the console open
Locate the matching error entry and follow the stack trace into the source
Fix the failing call or guard against the input that triggered it

Expected Result

All network requests should complete successfully.

Actual Result

13 instances of "Failed to load resource: net::ERR_FAILED" across 13 pages. First observed on https://vercel.com/home.

BUG-018 External link returns 404

Medium P2 • New

https://vercel.com/ai-sdk (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ai-sdk in a browser
Click the link to https://github.com/vercel/ai/discussions
Observe HTTP 404
Update the link target or remove the reference

Expected Result

Outbound links should point to pages that exist and respond with HTTP 2xx (or valid 3xx redirects).

Actual Result

https://github.com/vercel/ai/discussions returned HTTP 404.

BUG-019 No offline / cached state on sample page

Medium P2 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/
Open DevTools → Network → toggle 'Offline'
Reload and observe what the user sees
Implement a service worker that caches the shell, or render an offline fallback page

Expected Result

Offline navigation should display either a cached version of the page or a branded offline message.

Actual Result

Offline navigation to https://vercel.com/ resulted in a browser error: net::ERR_INTERNET_DISCONNECTED.

BUG-020 Page weight and DOM size bloat across multiple product pages

Medium P2 • New

https://vercel.com/ai-gateway (Desktop)

Steps to Reproduce

Open Chrome DevTools → Network tab, disable cache, and navigate to https://vercel.com/ai-gateway
Check the total transferred size in the Network summary bar — observe ~4.21 MB
Open DevTools Console and run: document.querySelectorAll('*').length — observe ~2539
Repeat on https://vercel.com/products/previews and https://vercel.com/

Expected Result

Pages should transfer under 1.5 MB and maintain fewer than 1500 DOM nodes to meet Google's Lighthouse performance budgets and ensure fast Time to Interactive on mid-range devices.

Actual Result

/ai-gateway transfers 4.21 MB with 2539 DOM nodes; /products/previews transfers 3.79 MB with 2416 DOM nodes; the homepage DOM alone has 3195 nodes, all flagged as exceeding thresholds.

BUG-021 CSP violations from first-party resources indicate misconfigured policy

Medium P2 • New

https://vercel.com/home (Desktop)

Steps to Reproduce

Open DevTools Console on https://vercel.com/home
Observe CSP violation errors referencing https://k2mkucxia43oc7fa.public.blob.vercel-storage.com and https://ai-sdk.dev/
Cross-reference with the Network tab to confirm those resources fail to load
Note that on other pages the CSP header is entirely absent, creating an inconsistent policy surface

Expected Result

A correctly configured CSP should allow all legitimate first-party fonts and known third-party API connections while blocking unknown origins; no first-party resources should be CSP-blocked in production.

Actual Result

Console shows 'Loading the font violates the following Content Security Policy directive' for a Vercel blob storage URL, and 'Connecting to https://ai-sdk.dev/ violates the following Content Security Policy directive', causing resource load failures on production pages.

BUG-022 Missing security response headers

Medium P2 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

curl -I 'https://vercel.com/'
Inspect the response headers — 'Content-Security-Policy' should be present
(Most security headers are configured at the web-server or CDN layer; check the deployment platform's docs.)

Expected Result

Every page response should include a Content-Security-Policy header that restricts script sources.

Actual Result

Content-Security-Policy header is not present on responses from this site (1 of 2 pages sampled).

BUG-023 No cookie / consent banner detected in homepage HTML

Medium P2 • New

https://vercel.com (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in a private window (no prior session)
Verify whether a consent banner appears
If only after-JS, consider server-side rendering it so static crawlers / accessibility tools see it

Expected Result

A cookie / consent banner should be visible in the initial page HTML or appear immediately on load.

Actual Result

Homepage HTML response did not contain any of the standard consent-banner selectors (e.g., `.cookie-banner`, `.cookie-consent`).

BUG-024 Server software disclosed via X-Powered-By header

Medium P2 • New

https://vercel.com (Desktop + Mobile)

Steps to Reproduce

curl -I 'https://vercel.com/'
Confirm the X-Powered-By response header is present and discloses the software
Configure the server / reverse proxy to remove or anonymize the header

Expected Result

The `X-Powered-By` header should be absent or contain no version or framework identifiers.

Actual Result

X-Powered-By header reveals: Next.js, Payload

BUG-025 Tracking cookies set before user consent

Medium P2 • New

https://vercel.com (Desktop + Mobile)

Steps to Reproduce

curl -I 'https://vercel.com/'
Inspect the `Set-Cookie` response headers
Cross-check each cookie name against the strict-necessary list
Move tracking cookies behind a consent gate (or implement one)

Expected Result

Tracking and analytics cookies should only be set after the user accepts them in a consent banner.

Actual Result

3 cookies set on first load (names: _v-consent, _v-anonymous-id, _v-anonymous-id-renewed) before user consent.

BUG-026 Images with empty `alt=""` (verify decorative intent)

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in DevTools → Elements tab
Run `[...document.querySelectorAll('img[alt=""]')]` in Console
Review each — replace empty alt with descriptive text on non-decorative images

Expected Result

Empty alt text only on images that are purely decorative or redundant.

Actual Result

143 of 452 images use empty alt text across 15 crawled pages. Review each to confirm it is decorative.

BUG-027 Skipped heading levels in page hierarchy

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in DevTools
Run `[...document.querySelectorAll('h1,h2,h3,h4,h5,h6')].map(h => h.tagName)` in Console
Confirm at least one adjacent pair skips a level (e.g. H1 followed by H3)
Rebalance: demote skipped levels or insert the missing intermediate heading

Expected Result

Heading levels should descend without gaps (e.g., h1, h2, h3 in order).

Actual Result

8 of 15 crawled pages skip at least one heading level in their hierarchy.

BUG-028 Console error: Connection blocked by Content-Security-Policy

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in Chrome DevTools → Console
Reload the page with the console open
Locate the matching error entry and follow the stack trace into the source
Fix the failing call or guard against the input that triggered it

Expected Result

Required external domains should be listed in the CSP's `connect-src` directive.

Actual Result

1 instance of a blocked connection to 'https://ai-sdk.dev/' due to CSP restrictions (https://vercel.com/).

BUG-029 Console error: Font blocked by Content-Security-Policy

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in Chrome DevTools → Console
Reload the page with the console open
Locate the matching error entry and follow the stack trace into the source
Fix the failing call or guard against the input that triggered it

Expected Result

Font sources should be permitted in the CSP, or fonts should be self-hosted.

Actual Result

4 instances of font-loading failures due to CSP violations across 1 page (https://vercel.com/).

BUG-030 No service worker registered (no offline support)

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ → DevTools → Application → Service workers
Confirm no service worker is registered
(Optional) Register a service worker to enable offline caching and faster repeat loads

Expected Result

A service worker should be registered to cache content and enable offline access.

Actual Result

No service worker registrations detected on https://vercel.com/.

BUG-031 Heavy page weight

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in Chrome DevTools → Lighthouse → Performance
Run an audit and confirm the Weight metric exceeds the "good" threshold
Compare against ≤3 MB good · ≤5 MB needs improvement thresholds (Google Core Web Vitals)

Expected Result

Page weight should not exceed 3 MB (5 MB is considered a hard fail).

Actual Result

https://vercel.com/ requires 3.70 MB of data to load (verdict: UX concern).

BUG-032 Oversized DOM

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in Chrome DevTools → Lighthouse → Performance
Run an audit and confirm the DOM metric exceeds the "good" threshold
Compare against ≤1500 elements good · ≤3000 needs improvement thresholds (Google Core Web Vitals)

Expected Result

DOM size should not exceed 1,500 elements (up to 3,000 is acceptable with mitigation).

Actual Result

https://vercel.com/ contains 3,195 DOM elements.

BUG-033 No rate-limit signal observed on homepage burst

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Fire 20 parallel GET https://vercel.com/
Inspect each response status + headers for 429 / X-RateLimit-* / Retry-After
Add rate limiting at the CDN / edge / framework layer

Expected Result

Server should return HTTP 429 (Too Many Requests) or `X-RateLimit-*` / `Retry-After` headers when request rates are exceeded.

Actual Result

20 parallel requests to the homepage all succeeded with no rate-limit signal.

BUG-034 Content clipped at Desktop (1440px)

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ and resize the browser to 1440×900
Inspect the first offender element and verify its computed `overflow` is `hidden`
Compare `scrollWidth` vs `clientWidth` in DevTools → Properties tab
Replace `overflow: hidden` with a wrapping rule, or add `text-overflow: ellipsis`

Expected Result

Text should fit the visible area or be truncated with `text-overflow: ellipsis`.

Actual Result

1 element clips content on desktop (1440px width): grid block (359px → 359px).

BUG-035 Content clipped at Mobile (375px)

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ and resize the browser to 375×812
Inspect the first offender element and verify its computed `overflow` is `hidden`
Compare `scrollWidth` vs `clientWidth` in DevTools → Properties tab
Replace `overflow: hidden` with a wrapping rule, or add `text-overflow: ellipsis`

Expected Result

Text should fit the visible area or be truncated with `text-overflow: ellipsis`.

Actual Result

4 elements clip content on mobile (375px width). Examples: hero grid wrapper (342px → 469px), grid block (341px), screen-reader-only region (293px → 499px).

BUG-036 Content clipped at Tablet (768px)

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ and resize the browser to 768×1024
Inspect the first offender element and verify its computed `overflow` is `hidden`
Compare `scrollWidth` vs `clientWidth` in DevTools → Properties tab
Replace `overflow: hidden` with a wrapping rule, or add `text-overflow: ellipsis`

Expected Result

Text should fit the visible area or be truncated with `text-overflow: ellipsis`.

Actual Result

1 element clips content on tablet (768px width): grid block (367px → 367px).

BUG-037 Missing favicon link

Low P3 • New

https://vercel.com (Desktop + Mobile)

Steps to Reproduce

curl -s 'https://vercel.com/' | grep -iE 'rel="(icon|shortcut icon)"'
Confirm no matching tag is present
Add the missing tag inside `<head>`

Expected Result

`<link rel="icon">` should be declared in the page's `<head>` section.

Actual Result

Homepage HTML for https://vercel.com/ does not include a favicon link tag.

BUG-038 Missing SEO metadata

Low P3 • New

https://vercel.com/sandbox (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/sandbox → View source
Locate `<meta name="description" content="...">`
Rewrite content to fit 50–160 characters

Expected Result

Meta description should be 50–160 characters.

Actual Result

2 of 15 page descriptions are outside the 50–160 character range.

BUG-039 Page title too long (longest 67 chars)

Low P3 • New

https://vercel.com/ (Desktop + Mobile)

Steps to Reproduce

Open https://vercel.com/ in DevTools → Elements
Inspect the `<title>` element
Confirm the text is 67 characters (target 10–60)
Rewrite the title to fit the 10–60 character window

Expected Result

Page title length should be between 10 and 60 characters.

Actual Result

5 of 15 pages have titles out of range (2 too long, 3 too short). The longest is https://vercel.com/ at 67 characters.

6Highest-Priority Findings

Auto-generated from severity ranking. Manual review recommended.

The top critical and high-severity findings, in priority order. See the Detailed Bug Reports section for full reproduction steps.

BUG-001 — Pre-consent cookie firing with no visible banner — GDPR/CCPA violation
BUG-002 — Color contrast failures (site-wide)
BUG-003 — 59 console errors across 14 pages indicate systemic JS runtime failures
BUG-004 — Client-side routing returns HTTP 200 for all unknown paths — no real 404
BUG-005 — CTA click triggers a JavaScript error
BUG-006 — Cookie "_v-anonymous-id-renewed" missing HttpOnly flag
BUG-007 — Cookie "_v-anonymous-id" missing HttpOnly flag

7Recommended Fix Order

Auto-generated from severity ranking. Manual review recommended.

Suggested remediation order. Engineering should validate the sequence against business priorities and dependency relationships before scheduling.

1Remove or gate all tracking cookies (_v-consent, _v-anonymous-id, _v-anonymous-id-renewed) behind explicit user consent and deploy a compliant cookie consent banner on the homepage to resolve the GDPR/CCPA violation.

2Add Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers consistently across all pages via a single edge/CDN middleware rule to close the security header gap in one change.

3Set the HttpOnly flag on all session and analytics cookies (_v-consent, _v-anonymous-id, _v-anonymous-id-renewed) to prevent JavaScript-based cookie theft.

4Fix the JavaScript fetch error on /ai-sdk that blocks the 'Get Started' CTA (pageerror: Failed to fetch) and causes the CORS redirect violation for https://ai-sdk.dev/ — investigate the cross-origin redirect and ensure the CTA navigates reliably.

5Remediate WCAG AA color contrast failures: the 1.66:1 ratio on /botid is critically low; audit and update text/background color tokens across /, /products/previews, and /botid.

6Add accessible names to all 34 unnamed links and 17 unnamed buttons — use aria-label or visible text; prioritize the 2 pages with unnamed buttons as they likely include key interactive controls.

7Fix the broken external link to https://github.com/vercel/ai/discussions (HTTP 404) on /ai-sdk — update to the current GitHub Discussions URL or remove the link.

8Resolve the multiple <h1> elements on 3 pages and fix heading-level skips on 8 pages to correct document outline structure for screen readers and SEO.

9Reduce page weight and DOM complexity on /ai-gateway (4.21 MB, 2539 elements) and /products/previews (3.79 MB, 2416 elements) through image optimization, code splitting, or lazy loading to improve Core Web Vitals.

10Remove or suppress the X-Powered-By: Next.js, Payload response header to avoid unnecessary technology fingerprinting by attackers.

8Recommended Manual Test Scenarios

Manual test scenarios recommended by the AI analyzer based on the crawled site structure. Hand this list to your QA team for execution — each scenario covers something the automation cannot verify on its own.

Happy Path (6)

TC-001 Navigate to AI Cloud product page from homepage

happy-path High

Precondition

User is on the homepage at https://vercel.com/

Steps

Click the 'AI Cloud' link in the navigation
Verify the page loads completely

Expected Result

User is redirected to https://vercel.com/ai and the page title displays 'Deploy AI at the speed of frontend'

TC-002 Access AI Gateway subproduct from AI Cloud page

happy-path High

Precondition

User is on https://vercel.com/ai

Steps

Click the 'AI Gateway' link
Wait for page to fully load

Expected Result

User navigates to https://vercel.com/ai-gateway and sees AI Gateway documentation with SDK options

TC-003 Navigate through multiple product pages using breadcrumb trail

happy-path Medium

Precondition

User is on homepage

Steps

Click 'Products' button in navigation
Click 'CI/CD' link to go to https://vercel.com/products/previews
Click 'Products' again to see options
Click 'Observability' link to go to https://vercel.com/products/observability

Expected Result

User can navigate between different product pages without errors

TC-004 Search functionality using keyboard shortcut

happy-path Medium

Precondition

User is on https://vercel.com/ai-sdk page

Steps

Press the keyboard shortcut for search (⌘K or Ctrl+K)
Verify search dialog opens

Expected Result

Search dialog appears on screen, ready for user input

TC-005 Verify sign-in button navigation

happy-path High

Precondition

User is on https://vercel.com/ai-sdk

Steps

Click 'Sign in with Vercel' button
Verify page navigates or modal opens for authentication

Expected Result

User is taken to a sign-in or authentication flow

TC-006 Test anchor link navigation within same page

happy-path Medium

Precondition

User is on https://vercel.com/ page with anchor links

Steps

Click the 'Skip to content' anchor link (https://vercel.com/#geist-skip-nav)
Verify focus moves and page scrolls to target section

Expected Result

Page scrolls smoothly to the anchor target; focus is set on the target element

Edge Cases (4)

TC-007 Test browser back button during navigation flow

edge-case Medium

Precondition

User is on https://vercel.com/

Steps

Click 'AI Cloud' link to navigate to https://vercel.com/ai
Click 'Vercel Agent' link to navigate to https://vercel.com/agent
Press browser back button
Press browser back button again

Expected Result

Each back button press returns to the previous page in history, ending at homepage

TC-008 Test rapid sequential navigation to AI product pages

edge-case Medium

Precondition

User is on https://vercel.com/

Steps

Click 'AI Cloud' link
Before page fully loads, click browser back button
Click 'AI Gateway' link
Before page fully loads, click 'Sandbox' link

Expected Result

Page requests are properly cancelled or handled; final page displays correct content without console errors

TC-009 Test navigation with very long page scroll and focus management

edge-case Medium

Precondition

User is on https://vercel.com/security or another page with extensive vertical content

Steps

Scroll to the bottom of the page
Click a link to a new page (e.g., 'Bot Management')
Verify page loads and scroll position resets

Expected Result

New page loads with scroll position at the top; no scroll position carried over from previous page

TC-010 Test special characters in navigation flow

edge-case Low

Precondition

User is on https://vercel.com/

Steps

Click multiple links with special characters in their text (e.g., 'AI SDK', 'CI/CD')
Verify each page loads correctly

Expected Result

All pages with special characters in their names load and render properly

Security (3)

TC-011 Test XSS injection in search input field

security High

Precondition

User is on https://vercel.com/ai-sdk with search dialog open

Steps

Open search dialog using ⌘K
Type payload: <script>alert('XSS')</script>
Press Enter to submit search

Expected Result

No JavaScript alert appears; payload is either sanitized or escaped in results

TC-012 Test SQL injection-shaped payload in search

security High

Precondition

User is on https://vercel.com/ai-sdk with search dialog open

Steps

Open search dialog using ⌘K
Type payload: ' OR '1'='1
Press Enter to submit search

Expected Result

Search returns normal results or error message; no database errors exposed

TC-013 Attempt to access restricted page without authentication

security High

Precondition

User is not authenticated

Steps

Navigate directly to a potentially protected URL (e.g., dashboard or admin path if one exists)
Observe response and page content

Expected Result

User is either redirected to login page or sees 'unauthorized' message; no sensitive data is exposed

UX & Responsive (5)

TC-014 Test skip-to-content navigation shortcut

ux Medium

Precondition

User is on https://vercel.com/

Steps

Press Tab key to activate the first focusable element
Verify 'Skip to content' link is visible
Click the 'Skip to content' link
Verify focus moves to main content area

Expected Result

Skip link navigates to the main content section, improving keyboard accessibility

TC-015 Verify responsive layout on mobile viewport

ux Medium

Precondition

User is on https://vercel.com/ with desktop viewport

Steps

Resize browser to mobile width (375px)
Verify navigation menu is accessible
Verify all buttons and links remain clickable
Scroll through entire page and check text readability

Expected Result

Layout adapts correctly to mobile width, all interactive elements remain functional and readable

TC-016 Verify all main navigation buttons are accessible

ux High

Precondition

User is on https://vercel.com/

Steps

Use Tab key to navigate to each top-level navigation button
Verify each button has visible focus indicator
Verify each button is keyboard-clickable with Enter key

Expected Result

All navigation buttons (Products, Resources, Solutions, Ask AI) respond to keyboard navigation and clicks

TC-017 Verify empty state handling when no search results found

ux Medium

Precondition

User is on https://vercel.com/ai-sdk with search dialog open

Steps

Open search dialog using ⌘K
Type a nonsensical search query: 'xyzabc123nonexistent'
Press Enter

Expected Result

Search displays an empty state message indicating no results found; UI remains responsive

TC-018 Verify loading state behavior during slow network conditions

ux Medium

Precondition

User is on https://vercel.com/ with network throttling enabled (slow 3G)

Steps

Click a product link to navigate to a new page
Observe the page while it is loading

Expected Result

Loading indicators or skeleton screens appear; page content renders progressively without blocking interaction

9Summary & Observations

Testing Outcome — Automated Scan

Critical and high-severity findings cluster around functional / security issues — recommend an engineering triage session before scheduling remediation.

An automated scan can only validate what it can statically observe (DOM, console, load timing). Recommend a manual review of business-critical flows (auth, payment, data submission) before sign-off.