Session replay tools like FullStory and Hotjar record your mouse, keystrokes, and scrolling. See how they work, how to spot them, and how to limit the risk.
Yes — a growing number of websites run session replay scripts that quietly capture your mouse movements, keystrokes, taps, and scrolling so someone on the other end can watch a video-like reconstruction of your visit later. Tools in this category, most notably FullStory and Hotjar, are sold as UX-research analytics, but by default they log far more than clicks and page views: they can reconstruct nearly everything you did on a page, sometimes including text you typed into fields the site never meant to expose.
Key Takeaways
- Session replay scripts (FullStory, Hotjar, and similar tools) record mouse movement, keystrokes, taps, scrolling, and DOM changes to reconstruct a "replay" of your visit.
- They work by attaching listeners to input, mouse, and scroll events and observing DOM mutations — the same browser APIs any page can use, just aimed at surveillance instead of features.
- Recording is opt-out by design in most implementations: sites must actively mask sensitive fields, and audits have repeatedly found that masking is incomplete.
- You can often spot session replay by inspecting a page's loaded scripts and network requests for known vendor domains, or by watching for suspiciously verbose beacon traffic on every keystroke.
- Content blockers, script-blocking extensions, and disabling JavaScript for unfamiliar sites all reduce exposure; there's no single toggle that opts you out everywhere.
What Session Replay Actually Captures
A session replay script isn't just counting page views — it's building a recording. Depending on configuration, it can capture:
- Mouse movement and clicks — the exact path your cursor traveled, including hovers over elements you never clicked
- Keystrokes and form input — characters typed into text fields, sometimes before you submit the form
- Scrolling and viewport changes — how far you scrolled, how long you paused, and what was visible on screen at each moment
- DOM mutations — elements that appeared, disappeared, or changed as you interacted with the page, letting the tool reconstruct the page's visual state frame by frame
Combined, these signals let an analyst (or an automated dashboard) scrub through a timeline and watch your session almost exactly as you experienced it — cursor and all.
How FullStory- and Hotjar-Class Tools Work
Session replay vendors ship a small JavaScript snippet that a site adds to every page, the same way it would add Google Analytics. Once loaded, the script attaches listeners to standard browser events — mousemove, keydown, scroll, input — and watches the DOM for changes using observer APIs like MutationObserver. Nothing about this requires special browser permissions; it's the same event model every interactive web page already relies on, just wired up to log rather than to render a feature.
The captured events are batched and sent back to the vendor's servers, where they're reassembled into a scrubbable "replay" — effectively a video of your session synthesized from raw interaction data rather than actual pixels. Most vendors provide a masking API so a site can flag specific fields (like a credit card number) as "do not record," but that masking has to be applied deliberately, field by field, by whoever integrates the script. According to the EFF's research into corporate surveillance technology, session replay tools have repeatedly been found to leak data their masking was supposed to protect — including medical information, credit card numbers, and passwords — because filtering out sensitive fields is "subtle, painstaking, and time-consuming," and sites frequently get it wrong or skip it entirely.
How to Detect Session Replay Scripts on a Page
You don't need special tools to notice most session replay integrations — they leave visible traces if you know where to look.
- Check the page's script sources. Open your browser's developer tools, go to the Network tab, and reload the page. Look for requests to known session replay domains (FullStory typically loads from
fullstory.com, Hotjar fromhotjar.comorstatic.hotjar.com). A script tag pointing at one of these is a strong signal. - Watch for per-keystroke or per-move network traffic. Session replay scripts frequently batch and flush small POST requests as you interact with the page. If you see a steady trickle of outgoing requests every time you move the mouse or type, that's consistent with replay logging rather than ordinary analytics, which usually fires once per page view.
- Inspect global variables. Many session replay snippets attach an identifiable object to
window(for example, a vendor-specific namespace). Typing the vendor's expected global into the console after the page loads can confirm the library is present. - Look at the page source for the loader snippet. Like most third-party scripts, session replay loaders are typically inserted as a small inline
<script>block near the top of the page — visible in "View Page Source" even before anything renders.
None of these checks are foolproof on their own — a site can self-host or rename a script to make it harder to spot at a glance — but together they catch the overwhelming majority of real-world deployments, since most sites use the vendor's script largely as-is.
Privacy Risk and Mitigation
The core risk isn't that session replay exists — plenty of legitimate UX research relies on it — it's that recording is opt-out by design rather than opt-in, and the burden of protecting sensitive data falls entirely on whoever configures the script correctly. A form field a developer forgot to mask, a password manager's autofill firing before a mask rule applies, or a support agent scrubbing through a replay that happens to include a typo-then-corrected credit card number are all realistic failure modes, not hypothetical ones.
A few practical steps reduce your exposure:
- Use a content-blocking extension. Most ad and tracker blockers maintain filter lists that already include major session replay vendor domains, blocking the script before it can attach any listeners.
- Disable JavaScript for sites you don't trust, where practical — session replay has no fallback path without it, since it depends entirely on client-side script execution.
- Be deliberate on forms with sensitive data. If a site's behavior (a live-typing preview, unusual lag) suggests something is watching input in real time, avoid typing sensitive values you wouldn't want stored verbatim.
- Check your own exposure. BrowserInsight's browser extension and script check can help surface active scripts and add-ons running in your browser session, and our browser extensions privacy guide covers the parallel risk of extensions reading the same data session replay scripts do — from the other direction.
Putting It Together
Session replay is a good example of a browser feature working exactly as designed and still producing a real privacy problem: nothing about mousemove listeners or MutationObserver is malicious in isolation, but pointed at unmasked form fields and shipped to a third party, the aggregate picture is a recording of your session that you never explicitly agreed to. It sits alongside other automated-collection techniques covered in our bot detection techniques guide — both rely on scoring or logging ordinary browser signals, just toward very different ends.
Frequently Asked Questions
Is session replay the same as screen recording?
Not quite. Session replay doesn't capture actual video or pixels — it logs discrete events (mouse position, keystrokes, DOM changes) and reconstructs a visual playback from that data afterward. The result looks like a screen recording, but no video file is ever captured on your device.
Can session replay scripts see my password?
They shouldn't, if the site has correctly masked password fields — most vendors exclude type="password" inputs by default. The risk is other sensitive fields (SSNs, card numbers, medical details typed into free-text boxes) that a site's developers didn't think to mask, which independent audits have found happens more often than vendors intend.
Do I have to accept session replay tracking?
There's no universal opt-out, since it's implemented per-site rather than through a browser-wide standard like Do Not Track. A content blocker that filters known vendor domains is the most reliable way to prevent it site-by-site; some jurisdictions' privacy laws also require consent banners to disclose it, though enforcement varies widely.
How is session replay different from ordinary web analytics?
Standard analytics (page views, click counts, aggregate funnels) records what happened in summary form. Session replay records how it happened at the level of individual mouse and keystroke events, then lets someone watch an individual visitor's session play back — a much finer-grained and more identifiable form of data collection.

