LiteStats iconLitestats
← Back to Docs

Tracking Script

A deep dive into how the LiteStats tracking script works under the hood.

How it works

The tracking script (track.js) is a lightweight JavaScript file (under 1 KB gzipped) that runs on your visitors' browsers. It collects basic pageview data and sends it to the LiteStats servers — without cookies, fingerprinting, or any personally identifiable information.

Installation

<script
  async
  src="https://litestats.io/track.js"
  data-site="YOUR_SITE_ID"
  crossorigin="anonymous"
></script>
AttributeRequiredDescription
data-siteYesYour unique site ID (found in Account Preferences → Sites)
asyncRecommendedLoads the script without blocking page rendering
crossoriginRecommendedEnables proper CORS handling

What data is collected

Each pageview sends the following data:

  • Page URL — the path being visited (e.g. /blog/my-post)
  • Referrer — where the visitor came from (e.g. google.com), or "direct"
  • UTM parameters — campaign tracking tags from the URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
  • Session ID — a random UUID stored in sessionStorage (not a cookie, resets when the tab closes)
  • Timestamp — when the pageview happened
  • User agent — used server-side to derive browser, OS, and device type (not stored raw)

What is NOT collected

  • No IP addresses are stored
  • No cookies are set
  • No browser fingerprinting
  • No personal data (name, email, etc.)
  • No cross-site or cross-device tracking

Session tracking

LiteStats uses sessionStorage to generate a random UUID for each browsing session. This ID groups pageviews into sessions but cannot be used to identify a person. It's automatically cleared when the browser tab is closed — there is no persistent tracking.

Bot filtering

All incoming requests are checked against a comprehensive list of known bots, crawlers, and headless browsers. Bot traffic is silently discarded and never recorded, so your analytics only reflect real human visitors.

Performance impact

  • The script is under 1 KB gzipped
  • Loads asynchronously — does not block rendering
  • Makes a single lightweight API call per pageview
  • No impact on Core Web Vitals or Lighthouse scores

Content Security Policy (CSP)

If your site uses a Content Security Policy, add the following directives:

script-src 'self' https://litestats.io;
connect-src 'self' https://litestats.io;

Single Page Applications (SPAs)

The tracking script automatically detects client-side navigation using the History API. It will track route changes in frameworks like Next.js, React Router, Vue Router, and similar without any extra configuration.

Tip: You can verify the script is working by opening your browser's DevTools → Network tab and looking for requests to litestats.io/api/collect.