Hello there again, TEDevelopers

Hope you’re doing good,

There is no privacy or security risk with this implementation because audits are not accessible randomly by people.

Only the ones who create them are actually having the permissions to access them.

You are suggesting enforcing ownership checks, but not sure how you came to the conclusion that there are no ownership checks – because there are and once again, there is no such issue with privacy and security.

Regards,

AltumCode.

Please test these URLs while logged out / in incognito:

https://seo.dev.eg/audit/2 https://seo.dev.eg/audit/3

They load full audit data without authentication or ownership validation, which confirms an IDOR-style exposure.

We can’t accept this behavior, as it puts our clients’ audit data at risk.

If you believe the current implementation is correct, please propose a concrete solution within the script to prevent public access to the audits we run for clients. At a minimum, access must require authentication and ownership checks.

We need your recommended fix to secure client audit data.

Are these URLs actually set as Public audits or are they set as private?

Regards,

AltumCode.

Check the details from the edits.

https://qr.dev.eg/seoaudit

Kindly share your website link, admin login and FTP details privately – I will take a look to see whats going on your side

You can share them privately via the contact form on my profile page or altumcode.com/contact

Regards,

AltumCode.

Done: Your message has been sent.

Thank you

I replied.

Regards,

AltumCode.

Thank you

This confirms the behaviour is correct -> https://send.altumco.de/fwdhi1l/

Set to public -> works logged out

Set to private -> does not work when logged out (it will only work on the same IP that generated the report even if logged out)

Regards,

AltumCode.

We want to clarify an important design decision before moving forward.

Our plan is to make website scanning and audits free and publicly accessible for everyone. Because of that, using URLs like /audit/1, /audit/2, and /audit/3 is not suitable, even if access control exists.

Numeric IDs:

Are not SEO-friendly

Are easily guessable

Don’t reflect the audited website

They are not appropriate for public audit reports

Since audits will be public by design, we need the audit URL to be a permalink based on the audited website, not an internal ID.

Example direction:

/audit/www-dev.eg

/audit/qr-dev-eg

or a sanitized/hashed version of the domain

This approach:

It is much more SEO-friendly

Makes public audit pages clear and shareable

Avoids exposing internal numeric IDs

Fits the “free public audit” model better

Please confirm:

If changing the audit output URL to a domain-based permalink is possible

Your recommended implementation (slug, normalized domain, hash, etc.)

How existing audits would be handled after this change

We need to move away from numeric audit IDs and align the URL structure with public audits.

I understand,

However – this is how the product was designed to work, and not on other types of URL slugs.

Since this is a particular decision that you personally want to take, it will be possible with custom work into the product files

But not by default and right now, its not something I can confirm that I will personally implement for the whole 66audit suite (since again, this is the first time someone has ever suggested or had any issue with this).

I can definitely say that I will take it into consideration for future updates based on what other customers will also suggest.

Regards,

AltumCode.

We understand this is how the product was originally designed.

However, we want to be very clear on something important from a business and market perspective.

This is the second product we’ve purchased from you, and we are not using it as a small internal tool. We are using it at agency scale, under a public brand, and as part of a free public audit model. Feedback coming from this level is not a “personal preference” — it reflects how large agencies and SaaS platforms think and operate.

When agencies at our level raise concerns or suggestions like this, it’s usually because:

We’ve seen similar models succeed or fail.

We design tools for public use, SEO visibility, and long-term trust.

We think in terms of scalability, adoption, and market growth.

Public audit URLs based on numeric IDs may work technically, but they do not align with:

Modern SaaS audit platforms

SEO-first public tools

Agency and enterprise expectations

We are not suggesting this only for our use case. We are suggesting it because this kind of improvement elevates the product to a higher market level, opens it to broader use cases, and makes it more attractive to agencies and serious buyers worldwide.

We strongly believe that listening to feedback from agencies actively deploying this at scale is an opportunity to evolve the product, not a criticism of its current design.

We hope you can reconsider this point from a business growth and product evolution perspective, not only from the original implementation scope.

I totally understand and appreciate your suggestion,

I will explain here 2 big issues with your suggestions

1 – You can not put the domain name or full URL in the actual url like this:

domain.com/audit/altumcode.com

Why? Because if another user wants to audit altumcode.com – he will get the same URL and he will access (as you’ve also said) potentially private information on past audits of altumcode.com

On the same note, this format would not work when auditing large links like:

altumcode.com/demo/page.php?link=1&another_link=2…etc

As you would not be able to fit such URL inside of domain.com/audit/URL_HERE

2 – using domain.com/audit/f0824015-bc2e-46cb-a123-7ff6d09df263 is much slower in terms of performance compared to using IDs as they currently are

the only “pro” in terms of this choice is the potential privacy aspect, but this also does not make sense – because all audits are public, therefore they will be indexable and they can be found on google and other search engines.

So this argument completely fails as well

Regards,

AltumCode.

Thanks for the detailed explanation — this helps clarify where the disconnect is.

We agree with you that:

Full URLs should not be stored directly in paths

Multiple audits of the same domain must not collide

Internal numeric IDs are optimal for performance and storage

However, we suggest not replacing your internal ID logic.

What we are proposing is a public URL layer decoupled from internal IDs, which is standard in public audit tools.

Proposed hybrid approach (no core logic break):

Keep numeric IDs internally (DB, relations, performance)

Expose domain-based permalinks publicly

Map domain → latest audit ID internally

Example:

Public: /audit/dev.eg → resolves to the latest audit ID internally

Internal: audit_id = 12345

Optional extensions:

/audit/dev.eg/history /audit/dev.eg?run=2024-09-18

This avoids:

ID exposure

Guessable URLs

Poor SEO structure

And solves:

Repeated audits of the same domain

Long URLs with parameters

Performance concerns

This is not a privacy-only argument — it’s about public SEO architecture and product positioning for agencies and SaaS use cases.

We’re not asking to remove your current design, only to add a public-facing routing layer on top of it.

This would significantly expand the product’s usability for:

Agencies

Public tools

SEO marketing funnels

We strongly believe this would elevate the product to the next level without breaking its core.

I kindly reply with asking, are these AI replies? As everything seems so robotic and typical AI. I would highly and kindly ask for you to not use AI to keep generating replies and use your own words and your own suggestions.

Using /audit/dev.eg (for example) to map to the latest audit is again incorrect, as the latest audit can be for dev.eg/page/contact-form and not the main domain.

Using date timestamps in URLs is also incorrect in terms of both performance and uniqueness, as with your proposal:

- Different users will have the same pathing for the same domains (incorrect based on your original privacy reasoning)

- You will have the same duplicated pathing for multiple audits on the same day due to the /audit/dev.eg?run= query in the URL

- You will also not be able to differentiate different pages on the domain

I kindly urge you to re-read what was said in this topic so that we do not go in circles due to AI responses that keep on suggesting different reasons that are completely context-less.

Regards,

AltumCode.

Hey there,

Good day to you,

Can you kindly let me know what URL did you test so I can try to reproduce this?

Regards,

AltumCode.

The URL was gamesbrowser.org, other SEO checkers locate the 404 page, such as https://phprank.lunatio.com/

Regarding word capture, if I have a page with static caching, it doesn’t count the words.

Hi there,

Good day to you,

There is no ChatGPT Business API, that is a plan for their app usage.

For API, you only have this: https://platform.openai.com/settings/organization/api-keys

Regards,

AltumCode.

Thank you for your return. I asked about the following aspects. Now we need to choose a chtgpt plan. That’s why I asked. There are 3 plans. Since you made the system, I can ask you about that.

You do not need to choose a chatgpt plan, as the API is paid based on your usage – not a fixed rate monthly like your personal chatgpt usage.

https://openai.com/api/pricing/

Regards,

AltumCode.

Ok, thanks.

Thank you as well,

Let me know if you have any other questions.

Regards,

AltumCode.

Hello sir, can you expand the demo a little bit? Can you activate the white factor artificial intelligence? We cannot create a package in the demo, why?

Hi,

Certain actions on the demo are not available for usage, but you can clearly see what the action would do – such as the package creation.

To see an example for the AI summary -> https://send.altumco.de/mupasfa/

Regards

AltumCode.

Hello sir, thank you for your return but unfortunately the package creation is not open but closed.

Hi,

Yes, you can not create packages on the demo as then everyone would create their own packages and spam the demo system. You can check the already created ones.

Assuming that with “packages” you are meaning “plans”? Are you referring to something else?

Regards,

AltumCode.

Hi

Hope you’re doing good, thank you for the comment

1 – White labelling settings are found in the account preferences page

2 – Export functions provide all the formats that you’d ever need, including PDF:

https://send.altumco.de/tbbjr1q/

3 – The user will have its branding removed/changed automatically based on his plan settings (removable branding option) and his white labeling settings

Regards,

AltumCode.

I found my white-labeling problem: you have to activate it additionally in the app-wide settings.

“Export PDF” is not “Print as PDF”: the user has to remove browser header & footer and there still remains the page navigation (top right corner)

Hi,

1 – Ah, you had it fully deactivated – glad you found it!

2 – The browser header and footer, again can be checked out to be removed. What remains are you referring to? Can you share a screenshot?

Regards,

AltumCode.

Solution for print / export to pdf issue: themes/altum/views/audit/index.php

Line 212: has to be

same with themes/altum/views/archived-audit/index.php line 226