What Is a HAR File?
HAR stands for HTTP Archive. It is a standardized JSON file format that records every network request and response exchanged between a web browser and web servers while loading a page.
Think of it as a complete transcript of the conversation between your browser and the internet — every request sent, every response received, every resource loaded, with precise timing information.
What Does a HAR File Contain?
A HAR file captures the following data for each network transaction:
Request Data
- URL — The exact address requested (e.g.,
https://example.com/page) - Method — GET, POST, PUT, DELETE, etc.
- Headers — Browser identification, cookies, authentication tokens, accepted content types
- Query parameters — Data appended to the URL
- POST body — Data sent with form submissions or API calls
Response Data
- Status code — 200 (success), 404 (not found), 301 (redirect), etc.
- Headers — Server identification, content type, caching directives, security headers
- Body content — The actual HTML, CSS, JavaScript, images, or API data returned
- Size — Both compressed and uncompressed content sizes
Timing Data
- DNS resolution time — How long it took to look up the server's IP address
- Connection time — How long the TCP handshake took
- TLS negotiation time — How long the SSL/TLS handshake required
- Time to first byte — When the server began responding
- Content download time — How long the full response took to arrive
Server Information
- IP address — The server's actual network address
- TLS/SSL details — Protocol version, cipher suite, certificate information
Why HAR Files Matter for Evidence
A screenshot shows what appeared on screen. A HAR file proves where it came from. This distinction is critical in legal contexts.
Proving Content Origin
The most common challenge to digital evidence is: "That's fabricated. That webpage never existed." A HAR file defeats this challenge by showing:
- The browser sent a request to a specific domain
- DNS resolved that domain to a specific IP address
- A real server at that IP responded with specific content
- The response traveled over a verified TLS connection
This chain of evidence connects the visual content (what you see on screen) to a real server on the real internet.
Detecting Manipulation
If someone modifies a webpage using browser developer tools before capturing it, the HAR file reveals the discrepancy. The HTML received from the server (recorded in the HAR) will not match the modified DOM. This mismatch is a red flag for tampering.
Establishing Timeline
HAR timing data shows exactly when each network request occurred, with millisecond precision. This provides a granular timeline that corroborates the capture timestamp.
Identifying Third-Party Content
Modern web pages load resources from multiple servers — CDNs, analytics services, advertising networks, social media widgets. The HAR file documents all of these connections, providing a complete picture of the page's composition at the time of capture.
Reading a HAR File
HAR files are JSON-formatted, making them both human-readable and machine-parseable. Here is a simplified example of a single entry:
{
"startedDateTime": "2026-01-25T10:30:00.000Z",
"request": {
"method": "GET",
"url": "https://example.com/post/12345",
"httpVersion": "HTTP/2.0"
},
"response": {
"status": 200,
"statusText": "OK",
"content": {
"size": 45230,
"mimeType": "text/html"
}
},
"serverIPAddress": "93.184.216.34",
"time": 245
}
This single entry shows that a request was made to example.com on January 25, 2026, the server at IP address 93.184.216.34 responded with an HTML page of 45,230 bytes, and the entire transaction took 245 milliseconds.
HAR Files in TrueSnap's Evidence Package
When TrueSnap captures a web page, the HAR file is one of six components in the evidence package. It works in concert with the other evidence files:
- Screenshot (what the user saw) + HAR (proving it came from a real server) + DOM snapshot (the complete page structure) + TLS certificate (verifying the server's identity) + metadata (capture environment details) + forensic certificate (human-readable summary)
Together, these files create a multi-layered evidence chain that is far more robust than any single component alone.
Practical Uses
For Attorneys
When presenting digital evidence, the HAR file answers the inevitable question: "How do we know this is real?" Point to the network log showing real DNS resolution, real server responses, and real TLS negotiation — not something that could be produced by editing a local file.
For Investigators
HAR files can reveal hidden connections. A webpage that appears to be an independent site may load resources from known fraudulent servers, revealing the actual infrastructure behind a scam.
For Compliance Teams
When documenting regulatory violations on websites, HAR files provide the technical proof that specific content was served by specific servers at specific times — meeting the evidentiary standards that regulators require.
Key Takeaway
A screenshot shows what something looked like. A HAR file proves it was real. In any legal or investigative context where the authenticity of web content is at stake, HAR files provide the network-level evidence that transforms a visual capture into verified proof of what a server actually delivered to a browser.