Protect Your Forms from Hotjar
Hotjar records user sessions, including form inputs. Every keystroke your users type is captured and stored on Hotjar servers.
The Problem
Right now, Hotjar can do this on your website:
// Hotjar captures:
document.querySelector("input[type=password]").value
// "MyBankPassword123" ← captured and stored
With SmartField
Hotjar still runs. But SmartField fields return only encrypted data:
// Hotjar captures:
document.querySelector("smart-field").value
// "eyJ2IjoxLCJpdiI6..." ← useless encrypted payload
The screen shows cipher characters: ΣΩΔψξλμπ
Implementation
<script src="https://cdn.smartfield.dev/v1/smartfield.js"></script>
<smart-field type="password" encrypt-key="/api/sf-key"
placeholder="password"></smart-field>
2 lines. Your forms are now invisible to Hotjar.
Frequently Asked Questions
How does SmartField protect against Hotjar?
SmartField stores no real data in the DOM. Hotjar can only capture cipher characters and encrypted payloads. The real user data is in a WeakMap inside a closed Shadow DOM, invisible to any recording tool.
Do I need to remove Hotjar from my site?
No. SmartField works alongside Hotjar. You keep your analytics. SmartField just ensures sensitive fields are encrypted. Hotjar records everything except SmartField data.
Is this proven?
SmartField passed 20/20 automated attack vectors and 15/15 bot attacks (Playwright + Headless Chromium). Four AI models (GPT, Claude, Gemini, Grok) could not read a single character.