The plain explanation
Every time you visit a website, your browser sends dozens, sometimes hundreds, of requests to servers around the world. It fetches scripts, images, fonts, and data. Many of those requests go to third-party companies that you may never have heard of.
A HAR file (HTTP Archive) is a recording of all those requests. It captures what was sent, what came back, how long each request took, and what cookies were set. Think of it as a flight data recorder for a single page load.
This tool reads your HAR file and produces a structured inventory of every third-party domain your site contacts, every tracker that fires, every CDP event payload sent, and every consent enforcement gap detected. The output is designed to be exported and reviewed against your privacy policy separately.
Why you can't just click a button to generate one
There is no way for a webpage to automatically capture a HAR file on your behalf. HAR files can only be created through your browser's built-in developer tools, a set of diagnostic features built into every modern browser. This is a browser security boundary, not a limitation of this tool.
The good news: capturing a HAR file takes about two minutes and requires no technical knowledge. We recommend Firefox for the most complete results. Firefox exports full response body data by default, which enables the body fingerprint scanner. Chrome and Brave also work but may produce less complete results depending on export settings.
How to capture a HAR file, step by step
Recommended: Firefox
Firefox exports a complete HAR by default -- full response bodies, all cookie data, no sanitization. This gives HARstack the richest possible input.
Firefox (recommended)
- Open a Private Window in Firefox. On Mac:
⌘+Shift+P. On Windows: Ctrl+Shift+P. This gives you a clean session with no cached cookies.
- Press
F12 to open Firefox DevTools. Click the Network tab.
- Navigate to the page you want to audit. Watch the Network panel fill with requests as the page loads.
- Once the page has fully loaded, right-click anywhere in the Network panel request list and choose "Save All As HAR".
- Save the file to your desktop. The filename ends in
.har.
- Come back here and open the file using the selector in Step 1.
Chrome or Brave (fallback)
- Open an Incognito window in Chrome (
Ctrl+Shift+N / ⌘+Shift+N) or a Private window in Brave.
- Press
F12 → click the Network tab.
- Navigate to your page, then right-click in the Network panel and choose "Save all as HAR with content".
- Important (Chrome): if Chrome shows a dialog asking about sanitizing sensitive data, choose the unsanitized option. The sanitized export removes cookie and credential data that HARstack uses for analysis.
- Save the file and open it in Step 1.
What the HAR file contains
The HAR file contains a complete record of every network request your browser made, including the URLs contacted, request headers, response headers, cookies set, and the size and timing of each request. It does not include your browsing history from other tabs or sessions. It only captures the single page load you recorded.
If you were logged into your site when you captured the HAR, it may contain session tokens or authentication cookies. This is why the capture instructions specify Incognito mode: a fresh session produces a clean result that reflects what an anonymous first-time visitor experiences, not what a logged-in admin sees.
⚠ Do not share your HAR file with AI tools or online services
Because HAR files can contain session tokens and cookies, treat them as sensitive. This tool processes your HAR file entirely in your browser. Nothing is transmitted to any server. Do not open your HAR file in ChatGPT, Claude, or any cloud-based analyzer. The file you captured for an authenticated session is especially sensitive.
Which browser to use and when
Firefox Private Window ⭐ Recommended
Exports complete HAR files with full response bodies and all cookie data. No sanitization option to accidentally trigger. Enables body fingerprint detection. Best for thorough first-pass audits.
Chrome Incognito (+ GPC extension)
Shows what a typical visitor sees. No built-in tracker blocking. If you install a GPC extension, the Sec-GPC header fires. Use Chrome when you need to test site behavior specifically in Chrome, or when testing GPC signal response. Avoid the sanitize export option.
Brave (default settings)
Brave blocks third-party trackers natively and sends GPC by default. The difference between a Firefox result and a Brave result shows how much your stack leaks through even with aggressive blocking active. Useful for understanding your privacy floor.
For the most complete picture: run Firefox first for the full tracker inventory, then Brave to see what survives blocking. The gap between those two results is your actual exposure.