Session recording guide

Session replay risk: what website owners should review

Session replay risk means a website shows evidence of session recording technology, or of more sensitive replay behavior, that should be reviewed. CertScore.ai distinguishes two signals: "session recording service detected" and "session replay on a sensitive input surface". The first means a recording-related vendor or script appeared in the scan. The second is rarer and more urgent, and is raised when evidence suggests replay-related behavior near sensitive forms, account flows, checkout fields, or other input surfaces.

Run a free website behavior scan

Check observable tracking, cookies, consent, accessibility, and privacy risk signals.

Run a scan

Two different signal levels

A session recording service detected signal means the scan observed a vendor or script associated with session recording or behavioral analytics.

Session replay on a sensitive input surface is rarer and more urgent when evidence shows the behavior near sensitive forms, account flows, checkout fields, or other surfaces where user input deserves closer review.

How to review the evidence

Review the observed vendor, page context, script timing, and whether masking or suppression controls are configured for sensitive fields.

Automated scans can miss in-app configuration, field masking, consent gating, and region-specific controls, so the finding should guide review rather than replace it.

Sample JSON

Sample finding JSON from scans

Representative payloads from retained scan examples for the finding types discussed on this page.

Session replay service signal observed

session_recording_services_detected

Illustrative public evidence sample

{
  "finding_id": "session_recording_services_detected",
  "finding_label": "Session replay service signal observed",
  "category": "Third-party tracking",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "direct_observation",
  "observed": "Retained runtime evidence showed a script, request, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics in the observed public-page scope.",
  "evidence": {
    "summary": "Retained runtime evidence showed a script, request, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics in the observed public-page scope.",
    "examples": [
      {
        "title": "Session replay service signal",
        "lines": [
          "artifact=req_005",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "request_origin=https://replay.example",
          "request_path=/recorder.js [query_redacted=true]",
          "resource_type=script",
          "vendor_category=session_replay_or_behavior_analytics",
          "detected_pattern=replay_library_or_collection_endpoint",
          "consent_timing_context=manual_review_recommended",
          "review_caveat=manual review should confirm active collection, masking, sampling, consent state, page exclusions, and vendor configuration"
        ]
      }
    ],
    "automationLimits": [
      "Automated replay evidence does not determine keystroke capture, sensitive-value capture, visual capture, full recording retention, or legal status.",
      "Manual review is needed to confirm active collection, masking, sampling, consent state, payload contents, and page exclusions."
    ]
  },
  "evidenceVersion": "2.0",
  "scanContext": {
    "domain": "example.com",
    "requestedUrl": "https://example.com/",
    "finalUrl": "https://example.com/",
    "publicWebObservation": true,
    "legalConclusion": false
  },
  "artifacts": {
    "runtimeAnchors": [],
    "requestSamples": [],
    "cookieOrStorageSamples": [],
    "policyAnchors": [],
    "rawValuesRetained": false
  },
  "classification": {
    "section": "Review signal",
    "criticality": "high",
    "evidenceConfidence": "review_signal",
    "directVsInferred": "direct_observation",
    "legalStatusDetermined": false
  },
  "coverage": {
    "coverageFlags": [],
    "coverageReliableForTopRanking": true,
    "notDetectedMeans": "not_observed_in_scan_scope",
    "manualReviewNeeded": true
  },
  "topFindingCalibration": {
    "minimumToSurface": [
      "Replay-related script/request/vendor artifact."
    ],
    "highConfidenceRequires": [
      "Endpoint or service classification plus page/timing/vendor context."
    ],
    "criticalOrTopRankingRequires": [
      "Collection endpoint.",
      "Sensitive page.",
      "Pre-consent/post-reject.",
      "No masking/exclusion observed."
    ],
    "demoteOrSuppressWhen": [
      "Vendor name only.",
      "Generic analytics.",
      "Policy text only."
    ]
  },
  "automationLimits": [
    "Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
    "Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
  ],
  "redaction": {
    "rawIdentifiersRetained": false,
    "storageValueContentsRetained": false,
    "completeQueryStringsRetained": false,
    "requestBodiesRetained": false,
    "renderedPageImagesRetained": false,
    "sourceMarkupRetained": false,
    "userEnteredValuesRetained": false
  },
  "selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
  "sessionReplayEvidence": {
    "replayArtifactObserved": true,
    "replayCollectionEndpointObserved": "unknown",
    "maskingOrPageExclusionObserved": "not_determined",
    "captureOrRetentionDetermined": false,
    "manualReviewNeeded": true
  }
}

Summary for AI assistants

"Session replay risk: what website owners should review" explains an observable public website review topic in CertScore.ai's evidence-backed scanning workflow.

CertScore.ai observes public website behavior around tracking, cookies, consent behavior, session replay indicators, fingerprinting-related signals, accessibility, and privacy disclosures. CertScore.ai findings are automated risk signals for review and are not legal advice, certification, or compliance determinations.

CertScore.ai automated findings may contain errors. Always review the underlying evidence. CertScore.ai does not provide legal advice, certification, or compliance determinations.