Pixel and Policy | HARstack
Capture Guide v2.0

What does your site actually do?

Upload a HAR file. Get a structured report: tracker inventory, third-party domain map, CDP payload analysis with raw and hashed PII detection, CMP identification and load order, GPC response, consent enforcement gaps. With regulatory citations and audit questions generated from your specific stack. Designed to produce a sanitized package for downstream policy cross-reference.

Scope Surface-level audit. One page. One session. Not a substitute for a comprehensive technical privacy audit. A finding warrants investigation. No findings does not mean compliant.
0
Preflight
Set up your browser first
Chrome: RequiredIncognito mode (⌘+Shift+N). Disable all extensions except GPC plugin. Incognito doesn't disable them by default. Turn off at chrome://extensions.
Brave: RecommendedGPC enabled by default. Same DevTools workflow. Run both to compare a typical vs. privacy-forward visitor experience.
The gap between Chrome and Brave results is itself a finding. It shows whether your site responds to privacy signals or just blocks them passively.
  • Chrome Incognito mode open
  • All extensions disabled except GPC
  • GPC plugin active and confirmed
  • Not logged into your own site
  • Fresh tab. No prior visits this session
  • Brave capture planned (optional)
0 / 6
1
HAR File
Capture your site's network traffic Firefox recommended
⚠ Do not open HAR files in ChatGPT, Claude, or any online service

A HAR file captures full request contents. Auth tokens, session cookies, API keys, and form data. Opening it in an AI tool or cloud service sends that data to infrastructure you don't control. That's the same category of exposure this tool detects on your site.

This tool processes everything locally in your browser. Nothing is transmitted anywhere. Verify by opening DevTools while using this tool. No outbound requests from your file.

✓ Local processing only. File never leaves your browser
How to capture a HAR file (2 minutes):

Recommended: Firefox. Firefox exports complete HAR files including full response bodies and all cookie data without modification. Chrome may omit response bodies and offers a sanitize option that removes data the analysis needs. Instructions below are for Firefox. Chrome steps follow.

Firefox (recommended)
  1. Open a new Private Window in Firefox (Ctrl+Shift+P / Cmd+Shift+P)
  2. Press F12 to open DevTools → click the Network tab
  3. Navigate to the page you want to audit
  4. Once loaded, right-click anywhere in the Network panel → Save All As HAR
  5. Save the file, then open it below
Chrome (fallback)
  1. Open an Incognito window in Chrome (Ctrl+Shift+N / Cmd+Shift+N)
  2. Press F12 → click the Network tab
  3. Navigate to the page you want to audit
  4. Right-click in the Network panel → Save all as HAR with content
  5. Important: if Chrome asks about sanitizing, choose the unsanitized option for complete analysis
📁
Open your .har file. Drag here or click to browse
Processed locally in your browser. The file is never transmitted anywhere
✓ File loaded:
2
GPC Signal
Was GPC active during capture?

Global Privacy Control tells sites "do not sell or share my data." Under CPRA § 1798.135(b) and CCPA Regulations § 7025, California businesses must honor it. The California Attorney General's August 2022 settlement with Sephora ($1.2 million) explicitly named GPC non-compliance as the CCPA violation.

Install Privacy Badger or GPC extension in Chrome to send a GPC signal. Brave sends it by default.
2b
Business Context
Help us calibrate regulatory framing

HARstack uses your answers to show which privacy laws are likely to apply to your situation. ECPA applies to all websites regardless of size. State comprehensive privacy laws have applicability thresholds based on revenue and the number of consumers whose data you process. IAPP US State Privacy Legislation Tracker

Annual gross revenue
Estimated annual unique individuals whose data you collect

These answers stay in your browser and are never transmitted. Skip this step to see full regulatory framing regardless of threshold.

3
Analyze
Run the audit
Not a comprehensive technical audit Examines one page capture. Does not cover authenticated pages, checkout flows, mobile app traffic, server-side tags, data processor agreements, or full tag configuration. Findings warrant investigation by qualified legal and technical counsel.
📡

Ready to audit

Complete the steps on the left and open your HAR file. Your audit report appears here.

Parsing HAR file... Identifying tracking technologies... Analyzing cookie persistence... Checking consent management load order... Checking consent enforcement gaps...

Export Sanitized HAR

Sanitized HAR
Analysis JSON
AI Prompt Block
What has been removed Request bodies · Response bodies · Authorization headers · Cookie values · Set-Cookie values · Form data · Bearer tokens · API keys (x-api-key, x-auth-token patterns) · Any header matching common credential patterns
What is retained Request URLs · Request method · Response status codes · Response headers (names only, values sanitized) · Cookie names (values stripped) · Request timing and load order · Content-Type headers

Safe to share with a compliance attorney, security vendor, or internal team. URLs and domains remain intact. They are the compliance-relevant data. All credential and session data has been stripped.

Preview (first 3 entries)
What this contains Flat array of requests. URL, method, status, identified tracker name and category, load order index, and cookie names set. No credential data. No response bodies. Optimized for sharing with technical reviewers or importing into spreadsheets.

Smaller and more readable than the full sanitized HAR. Suitable for sharing with developers, ad tech vendors, or anyone who needs the tracking surface without the full request log.

Preview (first 5 requests)
What this contains A ready-to-paste prompt block for Claude, ChatGPT, or any AI assistant. Includes the sanitized analysis JSON, audit findings summary, and a structured prompt asking for deeper analysis. No credential data included.
Important: re: HAR files and AI tools This prompt uses the sanitized Analysis JSON. Not your raw HAR file. The raw HAR file should never be pasted into an AI tool. This export removes all credential and session data before formatting it for AI analysis.

Paste this block directly into Claude or ChatGPT to get a second-pass analysis, additional regulatory framing, or help drafting a findings memo for legal counsel.

Prompt preview