It accepts a plain public hostname such as www.ibm.se, opens that site in a headless browser over HTTPS, waits for 10 seconds, and records network requests made during that browser session. It groups results by registrable domain so you can see which first-party and third-party sites were contacted.
It shows normal HTTP and HTTPS requests, query parameters in request URLs, cookies present in the browser session after the run, WebSocket connections opened during the run, and selected browser APIs that page scripts tried to read or use, such as language, screen size, cookies, storage, canvas, WebGL, timezone, media APIs, audio APIs, and WebRTC objects.
It does not guarantee every possible contact or every possible browser signal that a real user session could ever expose. It does not click consent banners, scroll, log in, or simulate long browsing flows. Requests and browser probing that only happen after user interaction, later navigation, or a longer wait may be missed.
It also does not inspect every non-HTTP browser channel. In particular, direct WebRTC peer traffic, browser or extension traffic, and some browser internals are outside the scope of this tool. The browser-signal section is a best-effort log of selected high-value APIs, not a perfect record of every script operation. For safety, the server rejects hostnames that resolve to private, loopback, link-local, or otherwise blocked IP ranges.