How the Scanner Works
The ConsentForge scanner crawls your website using a headless browser and detects every third-party script, cookie, and tracker — whether it's in your HTML, loaded dynamically by JavaScript, or set server-side.
What the scanner detects
- Scripts — external JavaScript files loaded on the page
- Cookies — all cookies set during the page load (before and after consent simulation)
- iFrames — third-party embeds (YouTube, Google Maps, etc.)
- Network requests — pixel fires, beacon calls, API requests to third-party domains
How it works
- Headless browser launch — Chrome headless visits your URL
- Pre-consent scan — all network activity is captured with no consent given (simulates a new visitor)
- Consent simulation — scanner accepts all consent and captures the additional scripts that load
- Post-processing — findings are matched against the vendor library
- Report generated — unmatched findings flagged for manual review
Scanner vs. real visitors
The scanner simulates a visitor but cannot replicate every scenario:
- A/B tests may show different scripts to different visitors
- Scripts loaded after user interaction (scroll, click) may not be detected
- Server-side tracking is not detected; the scanner only observes browser-side activity
For broader coverage, use scheduled scans to catch variations over time.
What happens with findings
Each finding is either:
- Matched — automatically linked to a vendor in your library
- Unmatched — needs manual review and assignment
Unmatched findings appear in Property → Vendors → Unassigned Findings.
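The post-processing step and the matched/unmatched split described above can be sketched as follows. This is an added example, not ConsentForge's own code: the vendor library shape, the capture records, and the names processFindings and hostMatches are assumptions, and all sample data is constructed.

```javascript
// Constructed vendor library and captures; the shapes are assumptions, not ConsentForge's format.
const VENDOR_LIBRARY = [
  { vendor: "Google Tag Manager", domains: ["googletagmanager.com"] },
  { vendor: "YouTube", domains: ["youtube.com", "ytimg.com"] },
];
const SAMPLE_CAPTURES = [
  { url: "https://www.example.com/app.js", type: "script", phase: "pre-consent" },
  { url: "https://www.googletagmanager.com/gtm.js", type: "script", phase: "pre-consent" },
  { url: "https://www.googletagmanager.com/gtm.js", type: "script", phase: "post-consent" },
  { url: "https://www.youtube.com/embed/VIDEO_ID", type: "iframe", phase: "post-consent" },
  { url: "https://px.tracker.example/p.gif", type: "request", phase: "post-consent" },
  { url: "https://youtube.com.cdn.example/x.js", type: "script", phase: "pre-consent" },
  { url: "data:text/javascript,void 0", type: "script", phase: "pre-consent" },
];

// True when host is the domain itself or a subdomain of it. Matching on a label
// boundary keeps look-alikes such as "youtube.com.cdn.example" from matching "youtube.com".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Reduce raw captures from both scan phases to one finding per third-party host and type.
function processFindings(siteDomain, captures, library = VENDOR_LIBRARY) {
  const findings = new Map();
  for (const { url, type, phase } of captures) {
    let parsed;
    try { parsed = new URL(url); } catch { continue; }   // skip unparsable URLs
    if (!/^https?:$/.test(parsed.protocol)) continue;     // skip data:, blob:, etc.
    const host = parsed.hostname.toLowerCase();
    if (hostMatches(host, siteDomain)) continue;          // first-party, not a finding
    const entry = library.find(v => v.domains.some(d => hostMatches(host, d)));
    const key = `${host}|${type}`;
    const finding = findings.get(key) || {
      host, type,
      vendor: entry ? entry.vendor : null,
      status: entry ? "matched" : "unmatched",            // unmatched needs manual review
      preConsent: false,
    };
    if (phase === "pre-consent") finding.preConsent = true; // seen before consent was given
    findings.set(key, finding);
  }
  return [...findings.values()];
}

console.table(processFindings("example.com", SAMPLE_CAPTURES));
```

Findings with preConsent set to true are the ones a new visitor would receive before making any choice, so they are the first to check when reading a report.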
Scanner and GDPR
The scanner itself does not set any cookies on real visitors — it only runs on ConsentForge's infrastructure. Scan results are stored in your ConsentForge account and are not shared.