Shynet — Privacy-Friendly Web Analytics Without Cookies or JavaScript

Introduction

Shynet is a self-hosted analytics platform that gathers meaningful visitor data without using cookies, JavaScript tracking scripts, or collecting personal information. It works via a transparent tracking pixel, making it compliant with privacy regulations by design while still providing useful traffic insights.

What Shynet Does

• Tracks page views, sessions, and referrers without client-side JavaScript
• Uses a 1x1 pixel image for tracking that works even with JS disabled
• Provides geographic, browser, and device breakdowns from request headers
• Calculates session duration and bounce rates using server-side heuristics
• Supports multiple sites with separate dashboards and access controls

Architecture Overview

Shynet is a Django application backed by PostgreSQL. Tracking works via an ingress endpoint that logs HTTP request metadata (IP hash, user-agent, referrer) when browsers fetch a transparent pixel image. Session stitching happens server-side using time-windowed IP+UA fingerprints without storing raw IPs. The dashboard renders real-time and historical analytics from aggregated data.

Self-Hosting & Configuration

• Deploy via Docker Compose with PostgreSQL included in the stack
• Configure environment variables in .env for domain, SMTP, and secret key
• Supports running behind a reverse proxy; set ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS
• Create services (tracked sites) via the admin panel; embed the pixel in your site's HTML
• Optional JavaScript snippet available for enhanced session tracking when preferred

Key Features

• No cookies required; fully GDPR-compliant without consent banners
• Works with ad blockers since it uses first-party image requests instead of JS
• Primary and collaborative access levels for team-based analytics sharing
• API access for programmatic data retrieval and custom reporting
• Lightweight tracking pixel adds zero page load overhead

Comparison with Similar Tools

• Plausible — JavaScript-based lightweight analytics; Shynet works without any client-side scripting at all
• Umami — Cookie-free but still requires JavaScript; Shynet's pixel approach works even with JS disabled
• Matomo — Feature-rich but heavy; Shynet is minimal and focused on privacy-first design
• GoAccess — Log-based analytics from existing server logs; Shynet provides a real-time dashboard with session tracking beyond raw log parsing

FAQ

Q: How accurate is tracking without JavaScript? A: Page views are highly accurate since the pixel fires on every page load. Session duration is estimated using heuristics and may be less precise than JS-based timing.

Q: Does Shynet store IP addresses? A: No, IPs are hashed for session grouping and never stored in raw form. The hash is rotated daily to prevent long-term tracking.

Q: Can I use both the pixel and JavaScript tracking? A: Yes, Shynet offers an optional lightweight JS script for enhanced metrics like session duration, while the pixel serves as the fallback.

Q: How do I add tracking to my site? A: Embed an img tag pointing to your Shynet ingress URL on each page. The pixel is a transparent 1x1 GIF that loads instantly.

Sources

• https://github.com/milesmcc/shynet