Protect Your Forms from Session Replay Tools

Session replay tools (Hotjar, FullStory, Clarity, LogRocket) record everything users type. Your sensitive form data ends up on third-party servers.

The Problem

Right now, session replay tools can do this on your website:

    // A session replay tool captures:
    document.querySelector("input[type=password]").value
    // "MyBankPassword123" ← captured and stored

With SmartField

Session replay tools still run. But SmartField fields return only encrypted data:

    // A session replay tool captures:
    document.querySelector("smart-field").value
    // "eyJ2IjoxLCJpdiI6..." ← useless encrypted payload

The screen shows cipher characters: ΣΩΔψξλμπ

Implementation

    <script src="https://cdn.smartfield.dev/v1/smartfield.js"></script>
    <smart-field type="password" encrypt-key="/api/sf-key" placeholder="password"></smart-field>

2 lines. Your forms are now invisible to session replay tools.

Frequently Asked Questions

How does SmartField protect against session replay tools?
SmartField stores no real data in the DOM. Session replay tools can only capture cipher characters and encrypted payloads. The real user data is held in a WeakMap inside a closed Shadow DOM, invisible to any recording tool.
Do I need to remove session replay tools from my site?
No. SmartField works alongside session replay tools. You keep your analytics. SmartField just ensures sensitive fields are encrypted. Session replay tools record everything except SmartField data.
Is this proven?
SmartField passed 20/20 automated attack vectors and 15/15 bot attacks (Playwright + Headless Chromium). Four AI models (GPT, Claude, Gemini, Grok) could not read a single character.
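
The pattern from the first FAQ answer (plaintext in a private WeakMap, `.value` returning only an encrypted payload), as an added DOM-free Node.js sketch that is not SmartField's own code. `ProtectedField`, `serverDecrypt`, `demo`, the envelope fields after `iv`, and the RSA-OAEP plus AES-256-GCM scheme are assumptions; only the `{"v":1,"iv":...}` prefix visible in the payload above comes from the page.

```javascript
// Added sketch, not SmartField's code. Assumed envelope: RSA-OAEP-wrapped
// AES-256-GCM key; only the {"v":1,"iv":...} prefix is taken from the page.
const crypto = require('node:crypto');

const plaintexts = new WeakMap(); // field instance -> real user input (never exported)

class ProtectedField {
  constructor(serverPublicKey) {
    this.publicKey = serverPublicKey; // assumed to be served by the encrypt-key URL
    plaintexts.set(this, '');
  }
  type(text) { // stands in for keystrokes handled inside the closed shadow root
    plaintexts.set(this, plaintexts.get(this) + text);
  }
  get value() { // what a page script or recorder reads: a fresh envelope each time
    const aesKey = crypto.randomBytes(32);
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
    const ct = Buffer.concat([cipher.update(plaintexts.get(this), 'utf8'), cipher.final()]);
    const wrapped = crypto.publicEncrypt({ key: this.publicKey, oaepHash: 'sha256' }, aesKey);
    const envelope = {
      v: 1,
      iv: iv.toString('base64'),
      key: wrapped.toString('base64'),
      ct: ct.toString('base64'),
      tag: cipher.getAuthTag().toString('base64'),
    };
    return Buffer.from(JSON.stringify(envelope)).toString('base64');
  }
}

// Server side: only the private-key holder recovers the input.
function serverDecrypt(payload, privateKey) {
  const e = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  const aesKey = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, Buffer.from(e.key, 'base64'));
  const d = crypto.createDecipheriv('aes-256-gcm', aesKey, Buffer.from(e.iv, 'base64'));
  d.setAuthTag(Buffer.from(e.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(e.ct, 'base64')), d.final()]).toString('utf8');
}

function demo(input = 'MyBankPassword123') { // constructed sample input
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const field = new ProtectedField(publicKey);
  field.type(input);
  const seen = field.value;
  return { seen, again: field.value, recovered: serverDecrypt(seen, privateKey) };
}
```

Because the browser side holds only a public key, a script that reads `.value` cannot decrypt what it captured, and each read yields a different payload.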
