Pixel and Policy | HARstack · Captures Home Local only
Open the audit tool →
HARstack · Capture guide

One audit is not the audit.

A homepage capture shows the visit-time tracking surface. A form-submit capture shows the conversion-time exposure. A pre-consent capture shows what fires before the user agrees to anything. They are different audits. Run more than one.

← Back to the audit tool

HARstack reads one HAR file at a time. The report you get is faithful to that file. It is not, on its own, an audit of your site. A site can look clean on the homepage and look like a serious exposure on the form submit. The same homepage with GPC on and GPC off can produce two different reports. The same checkout flow on mobile and desktop can fire different trackers.

This page is a guide to the kinds of captures worth running, what each one shows, and how to do it. Some are quick and obvious. A few are the captures that meaningfully change how you understand your stack.

The short version. If you run only one capture, run a homepage capture in Firefox Private. If you run only two, add a form-submit capture in the same browser. If you can run three, add a GPC-on capture in Brave with default settings. Most other captures on this page are refinements of those three.
1
Capture type
The homepage capture
Always run

This is the baseline. Open your homepage in a fresh browser session, capture, and audit. The report tells you what fires the moment a visitor arrives, before any interaction, before any consent decision, before any form. This is the tracking surface every visitor encounters, including the ones who leave after three seconds.

A homepage capture answers one question very well: what do we ship by default? Everything else in this guide is some variation of "and what happens when the user does X?"

What HARstack surfaces
Tracker inventory · third-party domain map · CMP load order and timing · GPC response · cookies set on first contact · body-fingerprint detection for first-party-proxied trackers · the "no CMP detected" finding if you are missing one.

Recommended browser: Firefox Private Window. Exports the most complete HAR file. Includes full response bodies, which enables HARstack's body-fingerprint scanner to catch trackers hiding behind first-party subdomains.

  1. Open Firefox Private Window with Ctrl+Shift+P or ⌘+Shift+P
  2. Open DevTools with F12 and click the Network tab
  3. Navigate to your homepage. Watch the Network panel fill
  4. Wait until network activity quiets down. Five to ten seconds after page load is usually enough
  5. Right-click anywhere in the Network panel and choose Save All As HAR

Do not log in. Do not click anything else first. The homepage capture is about the default state.

2
Capture type
The form-submit capture
High value

This is the capture that earns its name. A homepage capture shows the tracking that runs on arrival. A form-submit capture shows the tracking that runs at the moment a visitor hands over a name, email, phone number, or anything else. Those are two different exposures and they deserve two different audits.

When a user submits a contact form, a lead form, a newsletter sign-up, or any form that takes their information, your stack does things that are invisible on the homepage. It hashes their email and sends it server-side to ad platforms. It fires conversion pixels with their data attached. It may capture the field values themselves in a session-replay recording. None of this shows up if you only ever capture the homepage.

If you only run one capture beyond the homepage, run this one.

What HARstack surfaces
Hashed PII in POST bodies (Meta CAPI, Reddit CAPI, Google Enhanced Conversions, TikTok Events) · raw PII in POST bodies (form values shipped to third parties unhashed) · session-replay payloads containing form field contents · the consent-enforcement-gap finding when trackers fire despite a consent denial · the body-fingerprint scanner picking up tracker payloads served from first-party subdomains.

The key trick: keep DevTools recording across the submit. The HAR has to contain the POST request and any third-party requests fired as a result of the submit. If you stop recording too early, you capture only the page load and the audit will read like a homepage capture.

  1. Open Firefox Private Window. Open DevTools, Network tab
  2. Navigate to the page with the form
  3. Fill the form with realistic but disposable values. Use [email protected] rather than something tied to an actual person
  4. Verify DevTools is still recording — the red record dot should be on. Submit the form
  5. Wait for any thank-you or confirmation page to fully load. Wait another five to ten seconds. Most CAPI calls fire on a small delay
  6. Right-click the Network panel → Save All As HAR

If your form is part of a multi-step funnel, capture through to the step where the data is actually committed. Some funnels collect a name on step one but only POST the data after step three.

Sanitize concern. The HAR will contain the form values you typed. HARstack processes it locally in your browser. If you share the file with anyone, use the Export Sanitized HAR button in the report. That export strips request bodies, response bodies, cookie values, and credentials while keeping the URLs and field paths the audit was based on.

3
Capture type
The checkout or payment capture
Critical for e-commerce / fintech

A checkout flow is a form-submit capture with stakes. The data fields are not just contact information; they include payment card numbers, billing addresses, transaction amounts, and sometimes account or routing information. The trackers that fire during checkout are often configured to capture purchase value and customer identifiers for ad attribution.

If your site has a payment flow, this capture is the most important audit you can run. The information involved is more sensitive than a lead form. Mistakes here are more expensive and the regulatory framing is heavier. Run this capture before you launch any new ad pixel, any new analytics SDK, any new third-party integration that touches the checkout page.

What HARstack surfaces
Payment-related fields appearing in third-party POST bodies · session replay recording on pages where card numbers are entered · purchase-event payloads to ad platforms including transaction value and order ID · CDP events tagged with customer identifiers · cookies set with cross-domain scope during checkout.

Same workflow as the form-submit capture, with extra care about test data and what happens after.

  1. Open Firefox Private. DevTools, Network tab
  2. Navigate through your funnel: product → cart → checkout
  3. If you have a test card or sandbox mode, use it. Do not put a real card in for an audit capture you might keep on disk or share. If you have to use a real card, plan to delete the HAR after running it through HARstack
  4. Complete the purchase or, if there is a final "place order" button, capture up to but not including it if your sandbox cannot process the transaction
  5. Wait for the confirmation page or post-purchase page to fully settle
  6. Export the HAR

If your checkout is hosted on a payment processor's domain (Stripe Checkout, Shopify Checkout, a separate subdomain you do not control), the HAR will only show what fires on the pages you load. The processor's domain is the processor's problem. But the pre-checkout and post-checkout pages on your domain are still yours.

If you process payments through embedded BaaS (Thread Bank, Bond, Marqeta, Unit), your stack is subject to GLBA. The trackers that fire on pages where account or payment information is entered are evaluated against the Safeguards Rule, not just the FTC Act. HARstack does not make this determination for you, but a finding involving a session-replay tool on a money-movement page is the finding that warrants the most urgent investigation.

4
Capture type
The authenticated page capture
Run if you have a login

What trackers fire on a page only your logged-in users see? Many sites apply consent and tracking rules to their public pages and then carry a different, looser configuration through to the authenticated experience. A dashboard, an account settings page, or a transaction history page may be carrying tracking it should not.

The other thing this capture surfaces: identity. Once a user is logged in, your stack knows who they are. If a tracker fires on an authenticated page, that tracker can now associate behavior with a specific person, not just a browser fingerprint. The privacy implication of session replay on a logged-out marketing page is different from session replay on a logged-in account page, even if it is the same tool with the same configuration.

What HARstack surfaces
Trackers fired on authenticated pages that should not be there · user identifiers appearing in POST bodies to third parties · cookies that persist across the auth boundary and may now be associated with a known user · CDP identify calls that ship user IDs to ad platforms that did not have them before.

Use a test account. Not your own. The HAR will contain whatever session cookies and user IDs are associated with the account you used.

  1. Create or use a test account dedicated to audits. Note the account ID somewhere
  2. Open Firefox Private. Log in to the test account through your normal sign-in flow
  3. Once you are inside the app, open DevTools, Network tab. Reload the page so the Network panel captures the authenticated load from the start
  4. Navigate to whichever authenticated pages you most want audited: dashboard, account settings, transaction history, profile
  5. Export the HAR

Run this capture more than once for sites with multiple distinct authenticated surfaces. The trackers on an admin dashboard often differ from the trackers on a customer-facing account page.

Sanitize concern. The HAR will contain session cookies that belong to the test account. The Export Sanitized HAR button strips these before any sharing. Or delete the test session after the audit.

5
Capture type
GPC-on vs GPC-off comparison
The compliance test

Global Privacy Control is a signal a visitor's browser sends that says, in effect, "do not sell or share my data." The right thing for a site to do when it receives this signal is to suppress the trackers that sell or share data. The wrong thing is to keep firing them anyway. The difference between right and wrong is enforceable under California law.

You cannot tell from a single capture whether your site is doing the right thing. You can only tell by capturing twice — once with GPC active, once without — and comparing what fires. If the GPC-on capture shows the same advertising trackers firing as the GPC-off capture, your site is not responding to the signal. That is a finding.

The same workflow tests something else worth knowing: pre-consent vs post-consent behavior. Capture the site before you click "Accept" on the consent banner. Then capture again after. If the two captures look the same, your consent banner is decorative. If they differ, the gating is real.

This capture tells you whether your stack responds to the signal. The consent-flip capture below tells you how it responds — whether the consent state was actually propagated to each ad platform, or whether the trackers fired with their default-granted state because nothing wired the signal through.

What HARstack surfaces
The "GPC verified active in HAR" indicator confirms the signal was actually present in the request headers · the consent-enforcement-gap finding flags sale-and-sharing trackers that fired despite GPC · the CMP load order and timing tells you whether consent state was even resolved before trackers fired · the platform-by-platform breakdown shows which specific ad networks ignored the signal.

You need two captures, same page, same session shape, different signal posture.

  1. Capture A — GPC off. Open Firefox Private Window. Do not install a GPC extension. Navigate to the page. Export the HAR. Label it page-gpc-off.har
  2. Capture B — GPC on. Either use Brave (which ships GPC on by default), or open a fresh Firefox Private session with Privacy Badger or a dedicated GPC extension installed and verified active. Navigate to the same page. Export. Label it page-gpc-on.har
  3. Run both through HARstack separately. For the GPC-on capture, answer "Yes: GPC active" on Step 2. For the off capture, "No: no GPC signal"
  4. Compare the two reports side by side. The trackers that appear in both are the ones your stack is firing regardless of GPC

The same procedure tests the consent banner. Run one capture where you do not interact with the banner at all. Run a second where you accept everything. Compare. The trackers in the first capture are the ones that fire pre-consent, which should be a much shorter list than the second.

A practical note about Brave. Brave blocks more than just sale-and-sharing trackers; it also fingerprints requests and blocks third-party cookies. A Brave capture is informative, but it is a privacy floor, not a clean GPC test. For a strict GPC test, use Firefox with a GPC extension and Brave separately, then compare.

6
Capture type
The cross-page session capture
Run for funnels and shops

A real visitor does not land on your homepage and leave. They click around. They view two pages, three, sometimes more. They add to cart. They abandon. They come back. The captures so far in this guide are snapshots of single pages or single events. A cross-page session capture is the visit itself.

This capture surfaces cookie persistence and identity stitching. Some cookies are set on the homepage and never touched again. Some get re-read on every page. Some receive new values as the user navigates. Some trackers carry visitor identifiers from one page to the next, building a profile across the session that no single-page capture would reveal. If you want to understand what your stack actually learns about a visitor across a normal visit, this is the capture for that.

What HARstack surfaces
Long-lived cookies set early in the session · visitor and session identifiers carried across page loads · the same tracker firing on every page versus only on specific pages · CDP identity calls that progressively enrich a user profile as the session continues · third-party cookies that survive cross-domain navigation.

Keep DevTools recording across navigation. By default, Firefox and Chrome clear the Network panel on each page load. You need to disable that.

  1. Open Firefox Private. Open DevTools, Network tab
  2. In the Network panel, check the Persist Logs option (Firefox) or Preserve log option (Chrome). This tells DevTools to keep recording across page loads
  3. Navigate through a realistic visitor path. Homepage → category page → product page → add to cart → cart page. Or homepage → blog post → contact page → form submit
  4. Do not click around randomly. Pick a path that represents a real user journey for your site
  5. Once you reach the end of the path, export the HAR. It will now contain every request from every page in the session

HARstack reads the whole HAR. When the report runs against a multi-page HAR, the third-party domain table shows the union of every domain contacted across the session. The cookie summary reflects cookies set or modified at any point in the session. The total tracker count is the count of distinct trackers across the visit, not per page.

7
Capture type
The mobile viewport capture
Worth running once

A surprising number of sites fire different tags on mobile. Some load mobile-specific app-install banners. Some ship lighter analytics on small viewports to keep page weight down. Some fire heavier ad-tracking on mobile because mobile traffic is more valuable to specific platforms. If most of your visitors are on phones and you only ever audit on desktop, you are auditing the wrong site.

This capture is also a fast way to detect mobile-only third-party SDKs or scripts you may not have known were running.

What HARstack surfaces
Trackers that only fire on mobile-sized viewports · app-install banner integrations · mobile-specific advertising SDKs · differences in CMP behavior between desktop and mobile · cookies set with mobile-specific scopes or paths.

You do not need an actual phone. Browser DevTools include a device emulation mode that changes the viewport size, user agent, and other signals that determine how a site renders.

  1. Open Firefox Private. Open DevTools
  2. Click the responsive design mode icon (a small phone-tablet icon in the DevTools toolbar) or press Ctrl+Shift+M
  3. Select a mobile preset (iPhone, Pixel, Galaxy — any of them is fine for this purpose)
  4. Reload the page. Both the viewport and the user-agent string now look like a mobile device to your site
  5. Switch to the Network tab and capture as you would for any other capture type — homepage load, form submit, checkout, whichever you are comparing
  6. Export the HAR. Label it with the device preset you used

Caveat about native mobile apps. A HAR file captures browser traffic. It does not capture what a native iOS or Android app does. If your business has a real mobile app, the HAR audit covers the web side only. The app side requires separate tooling.

A finding warrants investigation. No findings does not mean compliant.

HARstack reads what your browser saw. It does not read your data processor agreements, your tag manager configurations, your server-side pipelines, your authenticated APIs, or your mobile apps. Every capture in this guide is a single window into your stack. The more captures you run, the more windows you have. None of them, individually, is the whole picture.

If a capture turns up something that looks like exposure, treat it as a starting point for an investigation. Confirm against your actual configuration. Check your contracts. Talk to your privacy counsel. The audit is the beginning of the conversation, not the end of it.

Ready to capture?

Open the HARstack audit tool. Walk through the wizard. Run your first audit in under five minutes.

Open the audit tool →