Web Auditor Findings Definitions

Comprehensive list of different findings the Web Auditor can detect, and what they mean.

  • Severity: Informational

This finding indicates that you are not using airgap.js to collect and enforce Consent on your website.

  • Severity: Varied
  • Requires: airgap.js being installed on the site being scanned.

"Unregulated" here means that airgap.js did not regulate the cookie at all -- that is, it did not have the chance to inspect the mutation/event and make a determination to block or allow based on user consent and bundle configuration.

We then assign different severity levels to the finding depending on the cookie's purposes as it was known by airgap.js at the time of the scan:

Level
InformationalA cookie marked with Essential purpose was stored without being regulated by airgap.js.
MediumA cookie not explicitly tagged with any tracking purpose was stored without being regulated by airgap.js.
HighA cookie that was explicitly tagged with a non-essential tracking purpose was stored without being regulated by airgap.js.
  • Severity: Varied
  • Requires: airgap.js being installed on the site being scanned.

"Unregulated" here means that airgap.js did not regulate the netwok request at all -- that is, it did not have the chance to inspect the mutation/event and make a determination to block or allow based on user consent and bundle configuration.

We then assign different severity levels to the finding depending on the cookie's purposes as it was known by airgap.js at the time of the scan:

Level
InformationalA network request was made to a domain tagged with Essential purpose without being regulated by airgap.js.
MediumA network request not explicitly tagged with any tracking purpose was made without being regulated by airgap.js.
HighA network request that was explicitly tagged with a non-essential tracking purpose was stored without being regulated by airgap.js.
  • Severity: Medium

A network request was made to a known Facebook Ads domain without the ldu (Limited Data Use) parameter.

Please review the official Facebook documentation to learn more.

  • Severity: Medium

A network request was made to a known Google Ads domain without the rdp (Restricted Data Processing) parameter. When Google Ads SDKs fire and the user has opted out, then the Restricted Data Processing parameter should be included.

Please review the official Google documentation to learn more.

  • Severity: Medium

A network request was made to a known Twitter Ads domain even though the user has opted out.

  • Severity: Medium

A network request was made to a known Pinterest Ads domain even though the user has opted out.

  • Severity: Medium

A network request was made to a known Tiktok domain even though the user has opted out.

  • Severity: Medium

A network request was made to a known Microsoft Advertising domain even though the user has opted out.