How do I tell if a website uses Hotjar?

Open DevTools, go to the Network tab and reload — Hotjar loads its script from static.hotjar.com (a file referenced like hotjar-SITEID.js), and that request is close to definitive. You can also open the Console and type typeof hj; if it returns 'function', Hotjar's global is present. Checking Application > Cookies for _hjSession or other _hj* cookies confirms it too. Any one of these signals identifies Hotjar quickly.

What is the hj() function and the _hj cookies?

hj() is the global JavaScript function Hotjar's snippet defines to queue its tracking and recording commands — so typing typeof hj in the Console and getting 'function' indicates Hotjar is installed. The _hj-prefixed cookies (such as _hjSession and _hjSessionUser) are the cookies Hotjar sets to manage recording sessions and identify returning visitors. Finding the hj() global or the _hj* cookies is reliable, independent confirmation of Hotjar alongside the script domain.

What other heatmap or session-replay tools should I look for?

Beyond Hotjar and Microsoft Clarity, common tools include Mouseflow (mouseflow.com), FullStory (fullstory.com, an fs.js script and FS global), Crazy Egg (script.crazyegg.com), Lucky Orange, Smartlook and Contentsquare. Each loads from its own recognisable domain and often exposes a global object and provider-specific cookies. So when you do not see Hotjar or Clarity, check the Network tab for these other domains — a comparison table of their fingerprints makes identification quick.

Why would I want to know if a site uses a heatmap tool?

A heatmap or session-replay tool signals that a company actively researches user behaviour and invests in conversion-rate optimisation and UX — a sign of marketing and product maturity. For sales, especially CRO, analytics or competing tools, it identifies the incumbent and a possible switching opportunity. For competitive research, it reveals how seriously a rival studies its funnel. There is also a privacy dimension, since session replay can record user interactions, which is worth noting in any review.

Does a Website Use Hotjar or a Heatmap Tool?

To tell if a website uses Hotjar, open the DevTools Network tab and reload, then look for a request to static.hotjar.com (the script is referenced like static.hotjar.com/hotjar-SITEID.js) — that is close to definitive. Two more checks confirm it: open the Console and type typeof hj (Hotjar defines an hj() global function), or check Application > Cookies for _hjSession and other _hj* cookies. If it is not Hotjar, the same approach names the alternatives — Microsoft Clarity loads from clarity.ms, FullStory from fullstory.com, Mouseflow and Crazy Egg from their own domains. This guide gives a comparison table of the major heatmap and session-replay tools, shows how to detect each, and covers the privacy dimension worth noting.

It is a focused companion to how to find out what analytics a website uses and the broader how to find out what technology a website uses, since behaviour-analytics tools are part of a site's measurement layer.

What heatmap and session-replay tools do

Heatmap and session-replay tools are a category of behaviour analytics. Where Google Analytics tells you what happened in aggregate (page views, conversions), these tools show how individual visitors actually behaved: heatmaps visualise where people click, move and scroll on a page; session recordings replay anonymised individual visits; and many add on-site surveys and funnel analysis. Hotjar is the best-known, and Microsoft Clarity is a very popular free alternative, but the category includes FullStory, Mouseflow, Crazy Egg, Lucky Orange, Smartlook and Contentsquare among others. For detection, the useful fact is that each tool loads a client-side script from a recognisable domain, usually defines a global JavaScript object, and sets provider-specific cookies — a stable, identifiable fingerprint. Finding one tells you a company actively researches user behaviour to improve conversion and UX.

Signal 1: Hotjar — static.hotjar.com, hj() and _hj cookies

Hotjar has three clear fingerprints. First, its script loads from static.hotjar.com, with the install snippet referencing a file like static.hotjar.com/c/hotjar-SITEID.js where SITEID is the account's site ID. Watching the Network tab, that static.hotjar.com request stands out. Second, the snippet defines a global hj() function (and a _hjSettings object carrying the site ID) to queue its commands, so in the Console typeof hj returning "function" confirms Hotjar. Third, Hotjar sets _hj-prefixed cookies — _hjSession, _hjSessionUser and others — visible under Application > Cookies. Any one of these is a strong signal; together they are conclusive, and the site ID in the script URL or _hjSettings identifies the specific Hotjar account.

Signal 2: Microsoft Clarity — clarity.ms and clarity()

Microsoft Clarity is a free heatmap and session-replay tool from Microsoft, and it is an increasingly common find. It loads its script from clarity.ms (typically www.clarity.ms/tag/PROJECTID), so a request to clarity.ms in the Network tab names it directly. The snippet defines a global clarity() function, so typeof clarity returning "function" in the Console confirms it, and Clarity sets _clck and _clsk cookies for its tracking. Because Clarity is free and integrates with Microsoft's ecosystem, you will often see it on sites that also run GA4 — it is a low-cost addition to a measurement stack rather than a replacement. Detect it exactly as you would Hotjar: by domain, global object and cookies.

Signal 3: the other heatmap and replay tools

Beyond the two leaders, several other tools have their own clear fingerprints. FullStory — a session-replay-heavy tool — loads from fullstory.com (an fs.js / edge.fullstory.com script), defines an FS global and sets fs_uid-style cookies. Mouseflow loads from mouseflow.com (a cdn.mouseflow.com script) and exposes a _mfq queue. Crazy Egg loads from script.crazyegg.com. Lucky Orange loads from luckyorange.com, Smartlook from smartlook.com, and Contentsquare (enterprise) from its own domain with a _cs global. Each follows the same pattern — a recognisable script domain, often a global object, and provider-specific cookies — so when Hotjar and Clarity are absent, scanning the Network tab for these domains usually identifies the tool quickly.

The comparison table

Tool	Script domain	Global object	Cookies
Hotjar	`static.hotjar.com` (`hotjar-SITEID.js`)	`hj()`, `_hjSettings`	`_hjSession`, `_hjSessionUser`
Microsoft Clarity	`clarity.ms` (`/tag/PROJECTID`)	`clarity()`	`_clck`, `_clsk`
FullStory	`fullstory.com`, `edge.fullstory.com` (`fs.js`)	`FS`	`fs_uid`-style
Mouseflow	`cdn.mouseflow.com`	`_mfq`	`mf_*`
Crazy Egg	`script.crazyegg.com`	`CE2` / CrazyEgg	`_ce.*`
Lucky Orange	`luckyorange.com`	`__lo*`	`__lo*`
Smartlook	`smartlook.com`	`smartlook`	Smartlook cookies
Contentsquare	Contentsquare domain	`_cs`	`_cs_*`

A single matching domain settles the question; the global object and cookies confirm it.

Method 1: the DevTools Network tab

The most thorough method is to watch what loads. Open DevTools (F12), go to the Network tab, and reload. Look for the provider domains in the table above — static.hotjar.com, clarity.ms, fullstory.com, cdn.mouseflow.com, script.crazyegg.com and the rest. Because many of these tools load lazily — after a short delay, on scroll, or when the page is idle, to avoid slowing the initial load — keep watching for a few seconds and interact with the page; the provider request fires when the tool initialises. The Network tab is the most reliable approach precisely because it catches these deferred loads that a quick source view would miss, the same discipline that makes analytics detection dependable.

Method 2: the Console (global objects)

A quick Console check confirms the major tools. Open DevTools and go to the Console, then test for the tool's global object: typeof hj for Hotjar, typeof clarity for Microsoft Clarity, typeof FS for FullStory, typeof _mfq for Mouseflow. A return of "function" or "object" (rather than "undefined") indicates that tool is present and initialised. This method is fast and definitive for the tools you know to test, and it confirms the tool actually loaded in your session rather than merely being referenced. Inspecting _hjSettings (Hotjar) or the equivalent also reveals the account/site ID.

Method 3: View Source and cookies

A static source check is quick for eagerly loaded tools. View the page source (Ctrl/Cmd + U) and search for the provider domains or install snippets — hotjar, clarity.ms, fullstory, mouseflow, crazyegg. Then check Application > Cookies for the provider-specific cookies (_hjSession, _clck/_clsk, and so on), which confirm the tool fired. The caveat is the familiar one: lazily injected tools may not appear in the raw source, so if a source search comes up empty but you suspect a heatmap tool, fall back to the Network tab and Console. The cookie check is a useful tie-breaker because it shows the tool actually set its identifiers, not just that a script was loaded.

A worked example

You want to know whether a SaaS competitor does serious UX research. You load their pricing page, open the Network tab, and after a second or two see a request to static.hotjar.com/c/hotjar-3344556.js — Hotjar, site ID 3344556 captured. You open the Console and type typeof hj, which returns "function", and _hjSettings shows the site ID. Application > Cookies has _hjSession and _hjSessionUser. But you keep looking and also spot a clarity.ms/tag/... request and a clarity() global — so they run Microsoft Clarity alongside Hotjar, perhaps for broader free session capture. A gtag/js?id=G- load shows GA4 is present too. The read: a conversion-focused team running two behaviour-analytics tools plus GA4 — clear evidence they invest in studying and optimising the funnel. Checking beyond the first fingerprint paid off, revealing a richer stack than a single match would.

What a heatmap tool reveals about a company

Finding a heatmap or session-replay tool is a meaningful maturity signal. It tells you the company actively researches user behaviour and invests in conversion-rate optimisation (CRO) and UX — they are not just measuring traffic, they are studying how people use their pages and iterating on it. The specific tool refines the read: free Microsoft Clarity is a low-commitment addition many sites run alongside GA4; Hotjar indicates a deliberate CRO investment; enterprise FullStory or Contentsquare point to a well-resourced product or growth team doing deep behavioural analysis. Multiple behaviour tools suggest a serious, experimentation-driven culture. For CRO, analytics or UX-tool sellers this identifies an incumbent and a switching opportunity; for competitive research it reveals how seriously a rival optimises its funnel. It is exactly the kind of technographic signal that, combined with others, sketches a company's sophistication — the theme of what is technographics.

The privacy dimension

Heatmap and especially session-replay tools carry a privacy dimension worth noting whenever you detect one. Because session replay can record a visitor's interactions — clicks, mouse movement, scrolling, and sometimes form activity — responsible deployments mask sensitive inputs (passwords, payment fields, personal data) and gate the tool behind consent where regulations like GDPR apply. For your detection, the practical consequence is that a consent banner may hold the tool until you accept cookies, so the script and cookies might not fire until you do — interact with the consent prompt before concluding the tool is absent. And from a review standpoint, the presence of session replay is a flag to check that masking and consent are handled properly, since it is one of the more privacy-sensitive things a site can run. Detection sees that the tool is loaded; how carefully it is configured for privacy is a separate question worth raising.

How accurate is heatmap-tool detection?

Highly accurate for the tool itself. Each major heatmap and session-replay tool loads an identifiable script domain, defines a recognisable global object, and sets provider-specific cookies, so naming the tool is reliable across the category. The two things to watch are lazy loading and consent: many of these tools defer their load, so wait and interact before concluding there is none, and a consent banner may hold the tool until you accept. As always, detection sees the client-side tool a site loads — it reliably names the vendor, but it does not reveal how the tool is configured (what is masked, which pages are recorded, how the data is used) behind the scenes. So "which heatmap or replay tool does this site use?" is answerable with confidence; "how is it configured?" is largely invisible from outside. Catch the lazy loaders, handle consent, and report the vendor.

The workflow

Open the Network tab and reload; watch for domains like static.hotjar.com and clarity.ms.
Wait and interact so lazy-loaded tools initialise.
Test globals in the Console — typeof hj, typeof clarity, typeof FS.
Check Application > Cookies for _hj*, _clck/_clsk and other provider cookies.
Handle consent, report the vendor, and note the privacy dimension of session replay.

Go deeper

The wider measurement picture: how to find out what analytics a website uses.
The analytics it sits beside: how to tell if a website uses Google Analytics 4.
The whole stack: how to find out what technology a website uses.
Turn the signal into qualification: what is technographics?

Want the heatmap tool, the analytics stack and full technology picture in one report? Analyse any site with StackOptic — free, no sign-up.

How to Tell if a Website Uses Hotjar or Another Heatmap Tool