Protect Your Forms from FullStory

FullStory captures complete user sessions with DOM snapshots. Form values, including passwords, are recorded and stored in FullStory's cloud.

The Problem

Right now, FullStory can do this on your website:

// FullStory captures:
document.querySelector("input[type=password]").value
// "MyBankPassword123" ← captured and stored

With SmartField

FullStory still runs. But SmartField fields return only encrypted data:

// FullStory captures:
document.querySelector("smart-field").value
// "eyJ2IjoxLCJpdiI6..." ← useless encrypted payload

The screen shows cipher characters: ΣΩΔψξλμπ

Implementation

<script src="https://cdn.smartfield.dev/v1/smartfield.js"></script>
<smart-field type="password" encrypt-key="/api/sf-key" placeholder="password"></smart-field>

2 lines. Your forms are now invisible to FullStory.

Frequently Asked Questions

How does SmartField protect against FullStory?
SmartField stores no real data in the DOM. FullStory can only capture cipher characters and encrypted payloads. The real user data is in a WeakMap inside a closed Shadow DOM, invisible to any recording tool.
Do I need to remove FullStory from my site?
No. SmartField works alongside FullStory. You keep your analytics. SmartField just ensures sensitive fields are encrypted. FullStory records everything except SmartField data.
Is this proven?
SmartField passed 20/20 automated attack vectors and 15/15 bot attacks (Playwright + Headless Chromium). Four AI models (GPT, Claude, Gemini, Grok) could not read a single character.
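
The pattern the first FAQ answer describes (real value held in a WeakMap, `.value` returning only an encrypted payload) can be sketched without a DOM so that it runs under Node. This is an added example, not SmartField's code. Assumed here: the names `ProtectedField`, `seal`, `open` and `observableSurface`, the hybrid RSA-OAEP plus AES-256-GCM scheme, every envelope field after `v` and `iv`, and a throwaway key pair standing in for whatever `/api/sf-key` serves.

```javascript
// Added sketch, not SmartField's code. ProtectedField, seal/open and the
// envelope fields after "v" and "iv" are assumptions made for illustration.
const nodeCrypto = require('node:crypto');

// Plaintext lives only in this module-private map, keyed by field instance.
const plaintext = new WeakMap();
const b64 = (buf) => buf.toString('base64');

// Encrypt under the server's public key; returns base64(JSON envelope).
function seal(publicKey, text) {
  const key = nodeCrypto.randomBytes(32), iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  const env = { v: 1, iv: b64(iv), ct: b64(ct), tag: b64(c.getAuthTag()),
                ek: b64(nodeCrypto.publicEncrypt(publicKey, key)) }; // OAEP default
  return b64(Buffer.from(JSON.stringify(env)));
}

// Server side: only the private-key holder recovers the typed value.
function open(privateKey, payload) {
  const env = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  const un = (s) => Buffer.from(s, 'base64');
  const key = nodeCrypto.privateDecrypt(privateKey, un(env.ek));
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, un(env.iv));
  d.setAuthTag(un(env.tag)); // GCM rejects a tampered envelope in final()
  return Buffer.concat([d.update(un(env.ct)), d.final()]).toString('utf8');
}

class ProtectedField {
  #publicKey;
  constructor(publicKey) { this.#publicKey = publicKey; plaintext.set(this, ''); }
  // Called by the field's own input handler for each keystroke.
  type(chars) { plaintext.set(this, plaintext.get(this) + chars); }
  // What any other script reading `.value` receives: a fresh ciphertext.
  get value() { return seal(this.#publicKey, plaintext.get(this)); }
}

// What a script that serialises, enumerates or reads the field can collect.
function observableSurface(field) {
  return [JSON.stringify(field), Object.keys(field).join(','), field.value].join('\n');
}

// Constructed demo input; the key pair is generated locally for the example.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const field = new ProtectedField(publicKey);
  field.type('MyBankPassword123');
  return { seen: observableSurface(field), captured: field.value,
           recovered: open(privateKey, field.value) };
}
```

Because the envelope is JSON beginning with `{"v":1,"iv":`, its base64 form always starts with `eyJ2IjoxLCJpdiI6`, the same prefix as the captured payload shown earlier on this page.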
