Setup Assistant
When you add a site, LiteConsent runs an automatic scan that detects common cookies, sets up categories, and generates banner text. This covers the basics, but automated crawlers have blind spots: they can't log in, click buttons, or trigger interactive elements. The Setup Assistant picks up where the automatic scan left off. It watches you browse your own site and discovers everything the crawler missed, building a config tailored specifically to your site with only the rules you actually need.
How this differs from automated crawlers
Most cookie consent tools use automated crawlers to scan your site. A crawler visits your pages as an anonymous bot, follows links, and records what it finds. This approach has fundamental blind spots:
Traditional crawlers miss
- Pages behind login or paywall
- Cookies set during checkout or form submission
- Scripts loaded by user interaction (video plays, chat widgets opening)
- A/B test variants and feature flags
- SPA routes that only exist client-side
- UTM campaign cookies from referral links
- Third-party embeds that load conditionally
Interactive discovery catches
- Everything a real visitor would trigger
- Cookies from authenticated sessions
- Scripts injected dynamically by other scripts
- All SPA navigation and client-side routes
- Context: which page and action triggered each cookie
- Static vs. dynamic script insertion mode
- Frequency: how often each cookie appears across pages
The Setup Assistant watches a real browsing session, so it sees exactly what your visitors see. If a cookie only appears after login, it captures that. If a script loads when someone starts a video, it captures that too.
There's another key difference. Other consent tools ship a massive blocking library that contains rules for thousands of known trackers, whether your site uses them or not. This bloats your page weight and can cause false positives. LiteConsent takes the opposite approach: the Setup Assistant discovers only the scripts and cookies that are actually on your site, and creates a lean config with only the rules you need. Your consent script stays small, fast, and precise.
How it works
-
1
Start a scan session
In the Setup Assistant tab, click "Start scan". LiteConsent creates a 30-minute session and generates a special URL for your site with a one-time token. This session is private to you: your live site is not affected, and other visitors see nothing different.
-
2
Open the scan URL
Open the generated link in a new browser tab. The URL contains a token as a query parameter. Your already-installed LiteConsent snippet detects this token, verifies it with the server, and loads a lightweight scan script for this session only. No extra installation is needed: if you already have the LiteConsent
c.jsandlc.jsscripts on your site, the scan works automatically. A small floating widget appears in the bottom-right corner showing live discovery counts. The scan script observes cookies being set and third-party scripts loading. It does not block, modify, or interfere with anything on the page. Only your browser tab with the special URL runs the scan; all other visitors see your site as usual. -
3
Browse your site
Navigate through your site as a real visitor would. Visit key pages, log in, interact with forms, play videos, open chat widgets. The debug script continuously captures every new cookie and third-party script it encounters. You can mark meaningful steps (like "logged in" or "checkout") using the widget's "Mark step" button.
-
4
Review and submit
Click "End scan" in the widget. A modal shows everything discovered: cookies and third-party integrations, organized by type and category. You can remove false positives before submitting the report.
-
5
Automatic analysis and setup
LiteConsent analyzes the report and classifies each cookie and script. It automatically creates cookie records with descriptions, resource rules for dynamic scripts, and integration recommendations for scripts in your HTML that need manual changes.
What gets captured
| Data | Details captured |
|---|---|
| Cookies | Name, page where first seen, step/action that triggered it, how many pages it appeared on. The script parses document.cookie to extract names but immediately discards values. Cookie values are never stored or transmitted. |
| Scripts | Source URL (host and path), whether it was in your HTML (static) or injected by another script (dynamic), vendor name if recognized, page where found. |
| Iframes | Same as scripts. Detects embedded content like YouTube videos, social media widgets, and payment forms. |
| Steps | Named milestones you mark during browsing (e.g., "logged in", "checkout"). Also auto-detected: SPA navigation via History API pushState/replaceState. |
Marking steps
The floating widget has a "Mark step" button that lets you label what you're doing at any point during the session. This creates a timeline of your browsing session and helps identify which actions trigger which cookies.
Steps are also auto-detected when you navigate between pages. In SPAs, the script hooks into the History API (pushState and replaceState) to track client-side route changes. Every page you visit becomes a step in the timeline. Data persists in sessionStorage, so nothing is lost when you navigate between pages.
Scenarios to cover during a scan
To get the most complete picture of your site's cookies and scripts, walk through these scenarios during your scan session:
Homepage and main pages
Visit your homepage, about page, and main content pages. This captures analytics scripts, fonts, CDN resources, and any third-party widgets that load on every page.
Login and authenticated areas
Log into your site and browse pages that are only visible to authenticated users. Many cookies are set during login (session cookies, user preferences, personalization). Mark "logged in" as a step.
Forms and checkout
Fill out a contact form, start a checkout process, or complete a purchase. Payment processors (Stripe, PayPal) and form tools (Typeform, HubSpot) set cookies during these flows.
Embedded content
Play an embedded YouTube video, open a social media widget, or interact with a map. These third-party embeds load iframes and scripts only when activated.
Chat and support widgets
Open your live chat (Intercom, Crisp, Zendesk). Chat widgets often load scripts and set cookies only when the chat bubble is clicked.
Different entry points
Try visiting a page with UTM parameters (e.g., ?utm_source=google) to capture campaign tracking cookies. Visit a referral link if you have one.
What gets auto-created
After you submit the scan report, LiteConsent analyzes every discovered cookie and script against its database and creates a config tailored to your site. Three types of records are generated:
Cookie records
Each discovered cookie is classified into a category (analytics, marketing, preferences, social) and added to the appropriate cookie category with a description, provider name, and estimated duration. These appear in the Categories tab and in your cookie policy page.
Resource rules
For scripts that are injected dynamically (by other scripts, not in your HTML source), LiteConsent creates resource rules that automatically block them until consent is granted. These scripts can be intercepted at runtime without any changes to your code. Rules appear in the Rules tab.
Integration recommendations
For scripts written directly in your HTML source code (static scripts), LiteConsent cannot block them at runtime because they execute before the consent script loads. Instead, you get specific HTML change recommendations: add type="text/plain" and data-consent="analytics" (with the appropriate category for each script) to each script tag. The Setup Assistant shows the exact before/after HTML for each change.
All generated records are fully editable. You can review and adjust cookie descriptions, categories, and resource rules in the Categories and Rules tabs before publishing. For static scripts that require HTML changes, the Setup Assistant provides exact before/after code snippets so you know precisely what to update in your templates.
Static vs. dynamic scripts
The Setup Assistant distinguishes between two types of script insertion, because they require different remediation. Note: blocking is performed by the production consent script (lc.js) after you complete the setup, not by the scan script during discovery.
| Type | How it loads | Remediation |
|---|---|---|
| Static (in HTML) | Written in your HTML source code. Executes immediately when the browser parses the page, before the consent script can intercept it. | Requires manual HTML change: add type="text/plain" and data-consent |
| Dynamic (injected) | Added to the page at runtime by another script (e.g., GTM injects analytics tags). The production consent script patches appendChild and insertBefore to check new script and iframe elements against your resource rules before they execute. |
Automatic: a resource rule in the Rules tab blocks it until consent. No code changes needed. |
Vendor recognition
LiteConsent maintains a comprehensive database of known third-party services. Popular vendors like Google Analytics, Meta Pixel, TikTok, Hotjar, and Stripe are recognized instantly during the scan, giving you immediate context about what each script does. After you submit the report, the server-side analysis classifies every remaining cookie and script, including lesser-known or custom vendors, and assigns the correct category and description.
Scripts managed by Google Consent Mode v2 (Google Analytics, Google Ads, GTM) are handled separately. These scripts adjust their own data collection based on consent signals sent by LiteConsent, so they don't need to be blocked. The Setup Assistant recognizes them and skips them when generating resource rules and integration recommendations.
Privacy and security
Cookie values are never stored or transmitted
The scan script parses document.cookie to extract cookie names, but immediately discards the values. Only names are recorded. Sensitive data like session tokens, authentication cookies, and user identifiers never leave your browser.
URLs are sanitized
Query parameters are stripped from script URLs before analysis. No tracking IDs, tokens, or personal identifiers leave your browser.
Session-scoped and time-limited
Scan sessions expire after 30 minutes. The token is one-time-use and stored hashed in the database. If the session expires before you finish, start a new scan from the dashboard. Your discoveries are kept in sessionStorage until you submit or close the tab, but the server will not accept reports for an expired session.
Read-only operation
The scan script only observes. It does not modify your site, block scripts, set cookies, or alter page behavior in any way. Blocking is handled separately by the production consent script after you complete the setup.
Next steps
After the Setup Assistant has created your cookie records and rules:
- Review and fine-tune your cookie categories and their descriptions.
- Customize your banner design to match your site's look and feel.
- Verify your installation and activate the banner in the General tab.