lite-hits.js is a wrapper around hits.sh.
It adds simple client-side logic (sessions, unique users, engagement) on top of the basic hit counter.
<img> with a src like
https://hits.sh/<currentLocation>/<pageloadKey>.svg.
Loading this SVG increments the counter on hits.sh.
sessionStorage → counts unique visits per browser session.localStorage → counts unique visitors per browser/device.engagementDuration (in milliseconds, e.g. 10000 = 10s).
Only if a visitor stays that long will the script trigger another hits.sh request, counting them as “engaged.”
⚠️ Disclaimer:
lite-hits.js itself is fully transparent — you can read exactly what it does.
It only decides *when* to send a counter request. All actual counting is handled by hits.sh.
The service is open-source, and its author explicitly states
they do not harvest IP addresses.
However, like any external service, you must ultimately **trust their backend** — we cannot independently guarantee how requests are handled.
In short: the wrapper cannot track you, and you don’t need to trust it — you can verify the script yourself. Whether you trust hits.sh is your own decision.
Drop this script into your page and configure what to count:
<!-- You can access window.hitsh = {pageloadCount, sessionCount, localCount, engagementCount}
Each is an object like { img: HTMLImageElement | {}, url: string, key: string } -->
<script src="./lite-hits.js"
litehits-basePath="analyticsurl"
litehits-globalAs="hitsh"
litehits-count='{
"pageloadKey": "pageLoaded",
"sessionKey": "sessionCounted",
"localKey": "localCounted",
"engagementDuration": 10000
}'></script>
lite-hits.js is designed to be minimal and avoid invasive tracking,
but you can take extra steps to limit what information hits.sh gets:
basePathbasePath, but make it look like a url (add a .)
also check if the string qualifies as a url and is not use by anyone from hits.sh's website.lite-hits.js already sets referrerPolicy="no-referrer",preventing your page’s URL from leaking in HTTP headers.
basePath, some data always goes to hits.sh:
| What is sent | What we know | What it can be used for | Mitigation |
|---|---|---|---|
| IP address | They claim not logged | Geolocation, unique visitor count | use trusted VPN / Tor / proxy |
| Timestamp | Logged by server | Activity patterns | consider batch/proxy requests |
| User-Agent | They claim not logged | Fingerprinting: OS, browser, device | Privacy browser / UA spoofing |
| Accept headers | Sent by browser | Minor fingerprinting | Privacy browsers |
| TLS / connection metadata | Sent by browser | Fingerprinting via cipher, TLS version | Tor / privacy VPN |
lite-hits.js to send requests to your own endpoint instead of hits.sh - but you probably won’t even need it.
The key point is: with self-hosting, you decide what to log (or not log), and you must consciously choose not to collect data.
⚠️ Disclaimer:
hits.sh explicitly claims to be "Privacy First" and they don't track any personal information.
But, their landing page seems to use other analytics tools (e.g., Google Analytics), which you can confirm in your browser's network inspector.
Don't take it as fact instead check it!