# BeaverCheck Audit Report — https://colourpop.com **Date:** April 8, 2026 **URL:** https://colourpop.com **Overall Grade:** C (74/100) **Report:** https://beavercheck.com/results/a04f92c2-0401-426b-aae8-971f6702fd70 ## Top Findings 1. **[CRITICAL]** Cookie 'cart_currency' is missing the Secure flag — Security > Cookie Security 2. **[CRITICAL]** Cookie 'localization' is missing the Secure flag — Security > Cookie Security 3. **[CRITICAL]** Page weighs 14.1 MB (7.5 MB transferred) — Performance > Page Weight Budget 4. **[CRITICAL]** 3 control(s) without accessible label — Accessibility > Form Accessibility 5. **[CRITICAL]** 6 link(s) with no accessible text — Accessibility > Link & Button Quality --- ## Lighthouse Scores | Category | Score | |----------|-------| | Performance | 23 | | Accessibility | 71 | | Best Practices | 77 | | SEO | 100 | --- ## Security ### Security Headers (C — 55/100) *5 of 10 headers properly configured* - **[WARNING]** HSTS max-age is too short (7889238s, should be ≥ 31536000s) — A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year). - **[PASS]** X-Content-Type-Options is properly configured - **[PASS]** X-Frame-Options is properly configured - **[WARNING]** Referrer-Policy header is missing — Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter. - **[WARNING]** Permissions-Policy header is missing — Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features. - **[PASS]** Content-Security-Policy is present - **[WARNING]** Cross-Origin-Opener-Policy header is missing — COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'. - **[WARNING]** Cross-Origin-Embedder-Policy header is missing — COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers. - **[PASS]** X-Powered-By header is not present - **[PASS]** Server header is present without version info ### Content Security Policy (B — 75/100) *3 of 10 CSP checks passed* - **[INFO]** Raw CSP policy - **[WARNING]** default-src directive is missing — default-src provides a fallback for other directives. Set it to restrict default resource loading. - **[INFO]** No script-src or default-src to check for 'unsafe-inline' - **[INFO]** No script-src or default-src to check for 'unsafe-eval' - **[INFO]** No script-src or default-src to check for wildcard - **[PASS]** object-src falls back to default-src - **[WARNING]** base-uri directive is missing — Without base-uri, attackers can inject a tag to hijack relative URLs. Set it to 'self' or 'none'. - **[PASS]** frame-ancestors directive is set - **[WARNING]** form-action directive is missing — form-action restricts where forms can submit data, preventing form hijacking. - **[PASS]** upgrade-insecure-requests is enabled ### TLS & Certificates (A+ — 100/100) *TLS 1.3, 7 checks passed* - **[PASS]** TLS 1.3 is used - **[PASS]** Strong cipher suite is used - **[INFO]** HTTP/2 is not negotiated — HTTP/2 provides multiplexing and header compression for better performance. - **[PASS]** Certificate is valid (expires in 80 days) - **[PASS]** Certificate chain has 2 certificates - **[PASS]** Certificate uses modern signature algorithm - **[PASS]** Certificate covers 1 domain(s) - **[PASS]** Certificate is issued by a trusted CA ### Cookie Security (D — 50/100) *3 cookies analyzed, 3 checks passed* - **[CRITICAL]** Cookie 'localization' is missing the Secure flag — Without the Secure flag, this cookie can be sent over unencrypted HTTP, exposing it to interception. - **[WARNING]** Cookie 'localization' is missing the HttpOnly flag — Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft. - **[WARNING]** Cookie 'localization' has no SameSite attribute — Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict. - **[CRITICAL]** Cookie 'cart_currency' is missing the Secure flag — Without the Secure flag, this cookie can be sent over unencrypted HTTP, exposing it to interception. - **[WARNING]** Cookie 'cart_currency' is missing the HttpOnly flag — Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft. - **[WARNING]** Cookie 'cart_currency' has no SameSite attribute — Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict. - **[PASS]** Cookie '_shopify_essential' has the Secure flag - **[PASS]** Cookie '_shopify_essential' has the HttpOnly flag - **[PASS]** Cookie '_shopify_essential' has SameSite=Lax --- ## Advanced Security ### Subresource Integrity (F — 20/100) *0 of 62 external resources have SRI* - **[WARNING]** External script from shopify-extension.getredo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.attn.tv lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from rapid-cdn.yottaa.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.refersion.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from a.glosku.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-app.cart-bot.net lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from js.klevu.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-scripts.signifyd.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.jsdelivr.net lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from nosto.stackla.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from www.googletagmanager.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.cookielaw.org lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from a42cdn.usablenet.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from shop.app lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from na-library.klarnaservices.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from config.gorgias.chat lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from content.9gtb.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from config.gorgias.help lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from app.cart-bot.net lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from d3hw6dc1ow8pp2.cloudfront.net lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-widgetsrepository.yotpo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.506.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from widget.gotolstoy.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from widget.gotolstoy.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from play.gotolstoy.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from orgec.colourpop.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.attn.tv lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-widgetsrepository.yotpo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-widgetsrepository.yotpo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static-tracking.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static-tracking.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static-tracking.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static-tracking.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static.klaviyo.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-app.cart-bot.net lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.attn.tv lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn.appmate.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External link from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn-static.okendo.io lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.attn.tv lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from static.shopmy.us lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.9gtb.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. - **[WARNING]** External script from cdn.shopify.com lacks integrity attribute — Without SRI, if this CDN is compromised, attackers could inject malicious code. ### JS Library Vulnerabilities (A+ — 100/100) *No known vulnerabilities* - **[PASS]** No known JavaScript library vulnerabilities detected ### Information Leakage (A+ — 100/100) *No exposures* - **[INFO]** No security.txt found — Consider adding a security.txt at /.well-known/security.txt. - **[PASS]** No sensitive files exposed ### Email Security (A+ — 100/100) *DMARC: reject* - **[PASS]** DMARC policy is reject — strongest protection ### Permissions-Policy (D — 40/100) *No header set* - **[WARNING]** No Permissions-Policy header — Consider adding a Permissions-Policy header to restrict browser feature access from embedded content. ### CORS Configuration (B — 80/100) *No CORS headers* - **[PASS]** No CORS headers present — secure default --- ## Performance ### Page Weight Budget (F — 0/100) *7.5 MB transferred, 685 requests* - **[CRITICAL]** Page weighs 14.1 MB (7.5 MB transferred) - **[WARNING]** Images are 4.0 MB — compress or use modern formats — Convert images to WebP/AVIF and resize to display dimensions to reduce transfer size. - **[WARNING]** JavaScript is 2.0 MB — consider code splitting or lazy loading — Large JavaScript bundles delay interactivity. Split code by route or defer non-critical scripts. - **[WARNING]** 685 HTTP requests — consider bundling or reducing — Each request adds latency. Bundle small files, use sprites, or eliminate unnecessary requests. - **[INFO]** Estimated 1.6 g CO2 per page load ### Third-Party Impact (B — 70/100) *44% third-party, 0 ms blocking* - **[INFO]** Third-party code accounts for 44% of page weight (3.3 MiB of 7.5 MiB) - **[PASS]** Third-party blocking time is low (0 ms) ### Text Compression (A+ — 100/100) *All text resources are compressed* - **[PASS]** All text resources are compressed ### Image Optimization (B — 75/100) *277 images, 0 KB saveable* - **[PASS]** All images are well-optimized ### JS Execution Cost (F — 20/100) *25214ms total JS execution* - **[WARNING]** Unattributable: 8037ms CPU time - **[WARNING]** https://colourpop.com/: 4685ms CPU time - **[WARNING]** https://colourpop.com/cdn/shop/t/1219/assets/chunk...: 1883ms CPU time - **[WARNING]** https://imgs.signifyd.com/7FReSCJI_usr_owJ?ad214aa...: 1782ms CPU time - **[WARNING]** https://cdn-scripts.signifyd.com/o/lite.js?session...: 961ms CPU time - **[WARNING]** Third-party scripts: 15448ms (61% of total) ### Font Loading (A+ — 100/100) *3 fonts (115 KB)* - **[INFO]** 3 font(s) use font-display: swap (FOUT risk but functional) ### JS Bundles (D — 40/100) *295 scripts, 453 KB unused* - **[WARNING]** https://www.googletagmanager.com/gtm.js?id=GTM-WQK...: 67 KB unused (43%) — Consider code splitting or tree shaking to reduce unused code. - **[WARNING]** https://www.googletagmanager.com/gtm.js?id=GTM-WQK...: 67 KB unused (43%) — Consider code splitting or tree shaking to reduce unused code. - **[WARNING]** https://cdn.506.io/eg/script.js?shop=colourpop-prd...: 52 KB unused (67%) — Consider code splitting or tree shaking to reduce unused code. - **[WARNING]** https://na-library.klarnaservices.com/v1/1.0.111/s...: 52 KB unused (48%) — Consider code splitting or tree shaking to reduce unused code. - **[WARNING]** https://play.gotolstoy.com/widget-v2/widget.js: 47 KB unused (59%) — Consider code splitting or tree shaking to reduce unused code. - **[INFO]** Total unused JavaScript: 453 KB ### Resource Caching (A+ — 100/100) *All resources properly cached* - **[PASS]** No caching issues found ### Critical Rendering Path (A+ — 100/100) *No render-blocking resources* - **[PASS]** No render-blocking resources detected ### Resource Hints (A+ — 100/100) *6 hints, 0 missing preconnects* - **[PASS]** Page uses 6 resource hint(s) ### Render-Blocking Resources (A+ — 100/100) *No render-blocking resources detected* - **[PASS]** No render-blocking resources detected in ### Third-Party Resources (A+ — 100/100) *No third-party resources detected* --- ## Content Quality ### Links (F — 40/100) *200 links checked, 119 healthy, 81 broken* - **[CRITICAL]** 119 of 200 links are healthy - **[WARNING]** Broken link: https://a.glosku.com/shopify-client/glosku-bundle.js?shop... — Found in