What the Scanner Detects

The third-party scripts, privacy keywords, cookies, and CSP gaps the Web Scanner surfaces on each scan.

Use this page to understand what each scan surfaces about the third-party code running on your site.


Third-party scripts

On every page it visits, the scanner detects the third-party scripts and stylesheets your site loads and records where they came from. This gives you a running inventory of what executes on your pages.

Privacy keyword detection

The Web Scanner automatically inspects the content of third-party JavaScript and CSS files loaded on your pages. It flags resources that contain privacy-sensitive patterns, giving you visibility into what data third-party scripts may be collecting or processing.

Detected keywords are grouped into the following categories:

  • Ad platform identifiers: Click IDs and tracking parameters used by advertising platforms.
  • Tracker brands: References to well-known analytics and tracking services.
  • Cookie and storage patterns: Known tracking cookie names and storage keys commonly used for cross-site identification.
  • Data collection APIs: Browser APIs used to send or store data.
  • PHI-related terms: Keywords that may indicate protected health information handling.

When a third-party resource contains one or more of these keywords, a Privacy Data badge appears on its row in the Resources tab. Expanding the row reveals the specific keywords that were found.

This helps you quickly identify which third-party scripts warrant closer review from a privacy and compliance perspective.

Cookies and local storage

The scanner collects the cookies and localStorage identifiers set by third-party scripts and services on your pages, so you can see which integrations are storing identifiers in your visitors' browsers.

CSP analysis

The Web Scanner captures and analyzes the Content Security Policy (CSP) headers returned by each hostname it visits. CSP headers tell browsers which domains are allowed to load scripts, stylesheets, images, and other resources on your pages.

The CSP tab in the scan results shows:

  • Per-hostname CSP status: Whether each hostname returns a CSP header or not. Missing CSP headers are flagged so you know which parts of your site lack this layer of protection.
  • Parsed directives: A breakdown of each CSP directive (e.g., script-src, connect-src, default-src) and the domains it permits.
  • Domains not in CSP: Third-party domains detected during the scan that are not covered by any CSP directive. These represent gaps where your CSP could be tightened to match actual usage.
  • Allowed domains: The full list of domains permitted by your CSP, extracted from all relevant directives.

This analysis helps you identify mismatches between your CSP configuration and the third-party resources actually loading on your site, making it easier to maintain a CSP that accurately reflects your intended integrations.
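The comparison behind the "Domains not in CSP" list can be reproduced offline. The following is an added example, not the Web Scanner's own code: the function names, header value, and hostnames are constructed for illustration, and it assumes scheme-sources such as `https:` do not count as covering a host.

```python
from urllib.parse import urlsplit

# Fetch directives whose source lists name permitted domains (a common subset).
FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "connect-src",
                    "img-src", "font-src", "frame-src"}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def allowed_hosts(policy):
    """Collect host patterns from every fetch directive present in the policy."""
    hosts = set()
    for name in FETCH_DIRECTIVES & policy.keys():
        for src in policy[name]:
            # Skip keywords, nonces, hashes ('self', 'nonce-...') and scheme-sources (https:).
            if src.startswith("'") or src.endswith(":"):
                continue
            host = urlsplit(src if "//" in src else "//" + src).hostname
            if host:
                hosts.add(host)
    return hosts

def host_matches(host, pattern):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.example.com" covers subdomains only, not example.com itself.
        return host.endswith(pattern[1:])
    return host == pattern

def domains_not_in_csp(header, observed_hosts):
    """Observed third-party hosts that no fetch directive lists."""
    patterns = allowed_hosts(parse_csp(header))
    return sorted(h for h in observed_hosts
                  if not any(host_matches(h.lower(), p) for p in patterns))

# Constructed sample data, not output from a real scan.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.net "
              "*.analytics.example; connect-src https://api.example.org:443; report-uri /csp")
SAMPLE_HOSTS = ["cdn.example.net", "t.analytics.example", "analytics.example",
                "pixel.tracker.example", "api.example.org"]
```

Calling `domains_not_in_csp(SAMPLE_CSP, SAMPLE_HOSTS)` returns the two hosts the policy never lists; an empty header value (no CSP returned) reports every observed host.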

