Everything captured during a Chrome extension or cloud VNC recording — requests, responses, form fields, correlations, assertions, and security data.
# What data does the recorder capture?
Both the **Chrome extension** and the **cloud VNC recorder** capture the same data from your site. The VNC recorder captures additional data that the extension cannot access.
## Request data
Every HTTP request your site makes is captured:
- **Method** — GET, POST, PUT, DELETE
- **URL** — full URL including query string
- **Headers** — all request headers (Accept, Content-Type, Authorization, Cookie, custom headers)
- **Query parameters** — URL-decoded key/value pairs
- **POST body** — full request body (form data, JSON, multipart)
- **Form fields** — parsed from POST bodies and extracted from the page DOM (input, select, textarea elements with name, value, type, label, and select options)
## Response data
Every HTTP response is captured:
- **Status code** — 200, 301, 302, 404, 500, etc.
- **Headers** — all response headers (Set-Cookie, Content-Type, CORS, CSP, HSTS, X-Frame-Options)
- **Response body** — full HTML, JSON, or XML content (up to 512KB per response)
- **Content type** — MIME type
- **Timing** — DNS resolution, TCP connect, TLS handshake, time to first byte, total elapsed
- **Size** — wire transfer size in bytes
## Page data
After each page navigation, the recorder reads the live page:
- **Page title** — `document.title`
- **Page heading** — first `<h1>` text
- **All form fields** — every input, select, and textarea on the page with labels, types, options, and hidden state
- **Page structure** — links, forms (action + method + field count), meta tags, page type classification
## Enrichment (automatic analysis after recording)
After you stop recording, the same analysis engine runs on both extension and VNC recordings:
### Correlations
Dynamic values that change between requests are automatically detected:
- **CSRF tokens** — `RequestVerificationToken`, `__RequestVerificationToken`, `_token`
- **Session cookies** — values from `Set-Cookie` that reappear in subsequent requests
- **Dynamic redirects** — `Location` header values used in follow-up requests
- **JSON values** — dynamic IDs or tokens in API responses reused later
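The following is an added sketch of the correlation idea for the CSRF-token and session-cookie cases, not the recorder's own code. The step shape (`request.headers`, `request.body`, `response.headers`, `response.body`), the names `extractCandidates` and `findCorrelations`, and the sample recording are assumptions made for illustration.

```javascript
// Added example: the step shape below is an assumption, not the recorder's real format.
const CSRF_NAMES = ['RequestVerificationToken', '__RequestVerificationToken', '_token'];

// Collect candidate dynamic values from one response: cookies and CSRF hidden fields.
function extractCandidates(response) {
  const found = [];
  for (const line of [].concat(response.headers['set-cookie'] || [])) {
    const m = /^([^=;\s]+)=([^;]*)/.exec(line);
    if (m && m[2]) found.push({ kind: 'cookie', name: m[1], value: m[2] });
  }
  for (const tag of (response.body || '').match(/<input\b[^>]*>/gi) || []) {
    const name = /\bname=["']([^"']+)["']/i.exec(tag);
    const value = /\bvalue=["']([^"']*)["']/i.exec(tag);
    if (name && value && value[1] && CSRF_NAMES.includes(name[1])) {
      found.push({ kind: 'csrf', name: name[1], value: value[1] });
    }
  }
  return found;
}

// A candidate is a correlation when a later request sends the same value back.
function findCorrelations(steps) {
  const results = [];
  steps.forEach((step, i) => {
    for (const c of extractCandidates(step.response)) {
      for (let j = i + 1; j < steps.length; j++) {
        const req = steps[j].request;
        const haystack = c.kind === 'cookie' ? (req.headers.cookie || '') : (req.body || '');
        // Form bodies are URL-encoded, so check the raw and the encoded form.
        if (haystack.includes(c.value) || haystack.includes(encodeURIComponent(c.value))) {
          results.push({ ...c, sourceStep: i, usedInStep: j });
          break; // record only the first reuse
        }
      }
    }
  });
  return results;
}

// Constructed sample: a GET issues a cookie and a token, the next POST replays both.
const sampleSteps = [
  { request: { method: 'GET', headers: {}, body: '' },
    response: { headers: { 'set-cookie': ['sid=abc123; Path=/; HttpOnly'] },
      body: '<input type="hidden" name="__RequestVerificationToken" value="tok+9f2/A=">' } },
  { request: { method: 'POST', headers: { cookie: 'sid=abc123' },
      body: '__RequestVerificationToken=tok%2B9f2%2FA%3D&email=a%40example.com' },
    response: { headers: {}, body: '<h1>Done</h1>' } },
];
console.log(findCorrelations(sampleSteps));
```

Every value this reports is a live credential or anti-forgery token sitting in the recording, so the same list is a useful inventory of what to scrub before a recording is shared.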
### Data requirements
Form fields are classified to determine what test data you need:
- **Input fields** — name, email, NHS number, date of birth, postcode, etc.
- **Radio/select fields** — choice fields with their options
- **CSRF/hidden fields** — auto-correlated, no test data needed
- **Suggested CSV columns** — each field gets a suggested column name and data type
### Assertions
Automatic checks generated for each step:
- **Status code** — expected HTTP status (e.g. 200)
- **Page title** — expected title text
- **Page heading** — expected H1 text
- **Negative patterns** — checks that error messages don't appear ("session expired", "an error has occurred", "something went wrong")
### Fingerprints
Each page is fingerprinted by its heading and form fields. This drives:
- Page-type matching between recordings
- Definition JSON generation for the test builder
- Duplicate page detection
## VNC-only extras
The cloud VNC recorder has full browser control and captures data the extension cannot:
- **Cookies** — full cookie jar including `httpOnly` cookies (the extension's JavaScript cannot read these)
- **Performance timing** — Navigation Timing API metrics: DOM content loaded, load complete, DOM interactive, TTFB, transfer size
- **TLS security state** — protocol version, cipher suite, certificate validity
- **Page analysis** — complete link graph, form inventory, meta tag map
## Security and pentest data
All captured data is available for security analysis:
| Data point | Where it's stored |
|---|---|
| Authentication tokens | Request headers (`Authorization`, `Cookie`) |
| CSRF tokens | Form fields + correlation detection |
| Session cookies | Cookie snapshots (VNC) + Set-Cookie headers |
| Password fields | Form fields (classified as `password` type) |
| Response headers (CSP, HSTS, X-Frame-Options) | Response header map |
| TLS configuration | Security state (VNC only) |
| Error responses with stack traces | Response body snippets |
| Redirect chains | Request/response pairs with `redirectLocation` |
| API responses with sensitive data | Body snippets for all XHR/Fetch responses |
## Parity guarantee
Both recording methods produce identical output for the same site walk. The enrichment engine (correlations, data requirements, assertions, fingerprints) is a single JavaScript codebase shared between both paths. A regression test suite (36 tests) verifies field-by-field parity on every build.