Adding controls to Google Tag Manager
This page was originally created on and last edited on .
Some would recommend never using a tag manager for these reasons, and on certain sites or pages that makes total sense. However, the reality is that marketing is a large part of most businesses, so while that might be the right technical answer to address security and performance issues, it often is not a realistic one, and web developers who try to argue that often fail. In this post I want to explain some options for adding some control back to GTM usage to reduce the risks inherent in tag managers, without going to the extreme of disallowing them completely. This post is about Google Tag Manager but much of the advice will apply to other tag managers, or even to those placing tags on their pages manually. I am less familiar with other tag managers so don't know if they offer the same functionality as GTM, so some of these tips may not be possible with them, or they might allow other ways of adding back control.
One thing I'm going to stay completely out of in this post, is the whole ethics of tracking people on the internet and the problems with third party cookies...etc. There are valid privacy concerns and points to be made in those areas, but I'm ignoring them for this post. As I said previously, the reality is that many websites use marketing tags, and tag managers to manage them, and this post is only intended to show how website owners and developers can add some more control to them while still giving the ability to use them. If you can take marketing tags off your website completely, and don't need GTM, then great for you and no need to read further, but for those of us interested in security and performance who are concerned about GTM, but have to use it, then this post could help you feel a little more comfortable with them.
Security risks can also be more accidental in nature. GTM allows you to grab information off the page. So you could say get the Country of the purchaser, which is the 5th field on the checkout form and send that in the tracking tag. Then if the tag is called on a wrong page, or the checkout form is redesigned, then suddenly you could be grabbing the credit card details or other highly sensitive data and sending it to a marketing partner. That could lead to all sorts of PCI or GDPR or other local legislative problems, fines, and reputational damage! All because GTM gives full access to the page.
Even if there are no security risks (and there definitely are!), marketing tags can have a serious performance impact on your site. Web developers can spend a huge amount of time carefully crafting performant code which loads super quickly, and that's blown away with hacked together marketing tags jumping in at the beginning, and then using up all the processing power the browser has. This is especially relevant with more and more browsing happening on mobile devices often with limited network capabilities and potentially less processing power (not everyone runs the latest high powered iPhone!).
You can measure the impact of this yourself or use a tool like speedcurve.com to measure this, but it is a serious problem. The sheer number of tags, and the impact they have, can be eye opening! The screenshots below show a site I worked on that was loading almost 4 times as much third party content as first party content; once we'd cleaned it up, total load times dropped to a third and were a lot less variable:
Breaking your Site Concerns
Can you add control to GTM?
OK so what can we do about all this? Many web developers or IT departments feel powerless to address their legitimate tag manager concerns. When they raise them, they are overruled or just ignored. However I believe this is just another problem to solve, and one side asking to turn it off and the other side refusing to is ignoring the problem instead of solving it. There are things you can do if you work with the marketing team to make both of you happy while also not limiting them from doing their jobs. You will have a much higher chance of success if you limit the impact of any controls, rather than trying to insist on a lockdown they will not agree to.
Gareth Clubb from the Telegraph recently published a fantastic post about setting up a performance culture at their company and breaking down silos. Reading this prompted me to set up a regular forum with the marketing team at work again, after we'd let this lie for a bit after the last clean up. We had put a lot of work into solving this problem a year or so after a spate of skimming attacks on websites were in the news - not ours thankfully, we were just being proactive here! I'd been meaning to write this blog post since then, to help others in our situation. There are sensible changes you can make, without blocking tags or GTM completely. What follows is a list of 12 actions you can undertake to bring some control to GTM and your marketing tags, and when we put them in place I certainly felt a lot more comfortable with having the necessary marketing tags on our website.
Tip 1 - Own your GTM Account
Often marketing agencies will set up a GTM container for your site under their GTM account. While they are trying to be helpful, the container should be moved to a GTM account that is owned by the website owner and not the marketing agency. This then allows you to set up appropriate permissions. Without owning this yourself, it is impossible to lock down administrators (covered next) or even move to another marketing agency if you want. Luckily GTM makes this very easy to transfer. In settings the whole container can be exported from one account, and then imported into another account. This will give you a new GTM container id (GTM-XXXXX), so it will require updating all your web pages to reference this container id instead of the old one.
Also, if you manage several sites, even if related and under the same parent brand, you should set up separate container ids for each. We used to have one container id for multiple sites, but it made it more difficult to see if tags were used, and meant people had access to sites they didn't need to. Split them out. In a similar manner to migrating to different accounts, you can export the shared GTM container and upload it to a new container for the second site, and then delete the tags, triggers and variables not needed for that site.
Tip 2 - Set Appropriate User Access Permissions for GTM
One of the most important things you can do to bring control to GTM, is to ensure only the appropriate people have access to it. GTM has a good user management model, with the ability for everyone to have their own account and then permissions. Permissions can be set at the account level and the container level. Account level permissions are basically Users, or Administrators (who can add other users). External partners, and non-technical users should only be Users and never Administrators. This is one reason for Tip 1.
Container level permissions can be one of four settings:
- Read: This is read-only access.
- Edit: This allows most edits and changes to be made, but not actually published to the site.
- Approve: This confusingly named permission cannot actually approve content to be published, but instead allows creation of container versions, which can then be published.
- Publish: This permission is what actually allows you to publish changes to the website.
How you use these permissions is up to you. What probably makes most sense for some companies who use marketing agencies is to allow the agencies to have Edit or Approve permissions, and then have someone in your company actually review and publish the change. This should really be someone in IT because of the power of GTM, but if you lock this down further with some of the other suggestions, you may be comfortable for marketing to publish tag additions themselves.
Tip 3 - Audit user access regularly
It should go without saying that you should regularly audit user access to remove people and agencies who have left their roles. It should go without saying, but it needs to be said, as it's far too easy to forget to do this. Again depending on how you use GTM, it may give full access to your website, so that access should be controlled, and that includes removing access when people no longer require it.
Tip 4 - Clean up unused tags regularly
It is entirely possible (likely even!) that you will have legacy tags that may not even be needed any more. Work with your marketing department and agencies to clean them up. This may be painful, it may take a long time, but will have the biggest impact and make subsequent steps easier. The above graphs show the huge gains that can be made - mostly from simply not running tags we weren't even using anymore. Also remove unused Triggers and Variables regularly. The less that is in GTM, the easier it is to maintain.
Tip 5 - Categorise your tags
When cleaning up your tags, you probably came across tags where you couldn't find out where they came from or why they were added. Use Folders in GTM to categorise all Tags by owner, to make this job easier in future. You'll thank yourself for it. If you can't find why a tag is on your page, and no one owns up to it, then you can Pause that tag until you find an owner. If no one comes forward, then that's one more tag you've cleaned up :-) Folders will make this easier in future so you can go directly to the owner to confirm if it's still being used.
Tip 5 - Review when triggers fire
Tip 6 - Review GTM pages
Do you need GTM on all pages? Or can you remove it from more security sensitive pages? Is your Login Page, where people enter passwords, for example, one that marketing really cares about, or could they live without it? Of course if you log in through a component that is on every page, then that may not be an option. Similarly, pages where people enter personal details or payment information could maybe live without GTM - though if they are part of a Single Page Application, as many Checkout flows are, then again this may not be possible to restrict, as the Checkout flow is probably one of the key pages you want GTM for. Still, it's worth reviewing and asking if it's needed on every page.
Tip 7 - Push data to the GTM Data Layer
To push items to the data layer will require code changes to your web page, but assuming you are willing to do that it's relatively simple. For static, server-side generated pages, you can set these by initialising the dataLayer variable before loading the GTM tag on the page:
For dynamic client-side applications you can use code like below to push variables to the GTM data layer:
GTM can then assign GTM variables from the Data Layer, or can even listen for Data Layer changes with a CustomEvent trigger.
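An added example (not code from the original post) of pushing to the data layer so that GTM only ever receives named, validated values instead of reading form fields by position. The field names, validators and helper names are hypothetical, and the form object is constructed to mimic a redesigned checkout where card details have landed in the old Country slot.

```javascript
// Added example. ALLOWED_FIELDS, toDataLayerEvent and pushToDataLayer are
// hypothetical names; only the dataLayer array itself is GTM's.
const ALLOWED_FIELDS = {
  country: (v) => typeof v === 'string' && /^[A-Z]{2}$/.test(v),
  currency: (v) => typeof v === 'string' && /^[A-Z]{3}$/.test(v),
  orderValue: (v) => typeof v === 'number' && Number.isFinite(v) && v >= 0,
};

// Copy only allowlisted fields whose values have the expected shape.
function toDataLayerEvent(eventName, source) {
  const payload = { event: eventName };
  for (const [field, isValid] of Object.entries(ALLOWED_FIELDS)) {
    const present = Object.prototype.hasOwnProperty.call(source, field);
    if (present && isValid(source[field])) {
      payload[field] = source[field];
    }
  }
  return payload;
}

// root is window in a browser; it is a parameter so the code also runs in Node.
function pushToDataLayer(eventName, source, root = globalThis) {
  root.dataLayer = root.dataLayer || [];
  const payload = toDataLayerEvent(eventName, source);
  root.dataLayer.push(payload);
  return payload;
}

// Constructed sample: after a redesign the "country" slot holds a card number.
const redesignedForm = {
  country: '4111 1111 1111 1111',
  currency: 'EUR',
  orderValue: 49.99,
  cvv: '123',
};

const sent = pushToDataLayer('checkout', redesignedForm, {});
console.log(sent);
```
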
Tip 8 - Investigate pixels as an alternative to tags
Now you may be against passing user specific data in the URL, as it's kind of against what you've been taught before. However, a lot of those concerns don't really matter when it comes to image pixels (they aren't seen in the URL bar, won't be bookmarked, won't be in history, won't be printed), and as long as you're using HTTPS (you are using HTTPS aren't you?), then the only party who should get this data or see it in their weblogs is the advertising company. Plus, other than an advertising id, you really, really, really shouldn't be sending personally identifiable data to an advertising agency, so if you've concerns about anything that shouldn't go in a GET request then you've got to question whether that's data for an advertising agency!
Let's look at a real life example of what I'm talking about here. The Facebook Tracking Pixel has an img tag alternative, that they recommend as a
Initially you are advised to call the following code:
However you can just call the <noscript> part for the same tracking, though when doing this drop the dl (for the URL), sw (for screen width) and
See the screenshot below for how this can be set up based on some predefined GTM variables:
For tracking conversions you can do similar. You would normally call the
But this can again be replaced by again just loading an image with the appropriate params:
And in the same way, clicking on a button you want to track normally requires calling the
But since GTM allows you to track click events, you can use that as a trigger and then just call yet another image:
Facebook do note the following limitations with this:
Please note that pixels installed using an <img> tag have the following limitations:
- Cannot be fired multiple times on each page load
- Cannot track standard or custom events triggered by UI interactions (e.g., a button click)
- Subject to HTTP GET limits in sending custom data or long URLs
- Cannot be loaded asynchronously
Most of these (except the third one on HTTP GET limits) are not true when used dynamically in GTM, rather than in a
Tip 9 - Restrict GTM tags
This says we don't allow GTM to use the following:
- html: Don't allow Custom HTML - which can be used to inject inline
- d: Don't allow variables to access DOM Elements
And a good thing about this is that these restrictions are set on the page - it is not a setting inside GTM, so it's not something that can be reversed, unless you have access to edit the GTM loading code on the page. And of course if you don't trust those that have access to edit the page, then all of this GTM lock down is pointless anyway :-)
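An added example (not code from the original post) of the on-page restriction described above, plus a check you can run over a container export before switching it on, so you know which existing tags and variables will stop working. It uses the gtm.blocklist data layer key (older snippets use gtm.blacklist) with the two type ids named in this post; the export shape (containerVersion.tag and containerVersion.variable, each with a type) is an assumption and the sample export is constructed.

```javascript
// Added example. 'html' and 'd' are the two type ids named in the post;
// initialDataLayer and findBlockedItems are hypothetical helper names.
const BLOCKED_TYPES = ['html', 'd'];

// This array goes on the page, before the GTM loading snippet runs:
//   window.dataLayer = initialDataLayer();
function initialDataLayer(blocked = BLOCKED_TYPES) {
  return [{ 'gtm.blocklist': [...blocked] }];
}

// List the tags and variables in a container export that the blocklist stops.
function findBlockedItems(containerExport, blocked = BLOCKED_TYPES) {
  const version = (containerExport && containerExport.containerVersion) || {};
  const found = [];
  for (const kind of ['tag', 'variable']) {
    for (const item of version[kind] || []) {
      if (blocked.includes(item.type)) {
        found.push({ kind, name: item.name, type: item.type });
      }
    }
  }
  return found;
}

// Constructed sample, trimmed to the fields the check reads (assumed shape).
const sampleExport = {
  containerVersion: {
    tag: [
      { name: 'Analytics page view', type: 'ua' },
      { name: 'Legacy chat widget', type: 'html' },
    ],
    variable: [
      { name: 'Checkout field 5', type: 'd' },
      { name: 'Order value', type: 'v' },
    ],
  },
};

for (const item of findBlockedItems(sampleExport)) {
  console.log(`${item.kind} "${item.name}" (type ${item.type}) would be blocked`);
}
```

Anything this reports needs an owner and a replacement (for example a data layer variable instead of a DOM element variable) before the blocklist goes live.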
Tip 10 - enable 2-step login verification for certain operations
Tip 11 - Secure your cookies
Tip 12 - Implement a Content Security Policy
Content Security Policy (CSP) is a way for you, as a website owner, to tell the browser what items, or sources of items, you are going to allow on your website. It's similar in concept (though a lot more complex!) to the GTM restrictions we talked about above. You whitelist content types and domains that are allowed, and if the page tries to load content from somewhere else that you have not whitelisted, then the browser will block it. This means if your GTM gets compromised and tries to load content from evilhackers.com, or one of the third party tags you load gets compromised and tries the same, then CSP can protect you. Setting up a CSP is quite complex, and beyond the scope of this post, but it offers strong protections for a website - especially when you allow third party content into your site (like tag managers do) and so are inherently in greater need of the protections it offers.
The downside to implementing a CSP with GTM is that tags do change. You whitelist hotjar.com, and then they decide to change their script to load hotjar.io. Seriously - they did that recently and were blocked by our work site (though at least, unlike most, Hotjar publish details of what you need in your CSP). Anyway when things change, that means you need to update your CSP. Similarly if marketing use another tag for the first time, you might need to whitelist another domain.
The final issue with CSP is that Google Tag Manager uses two inline scripts in preview mode. If you add a CSP which does not allow unsafe-inline in your script-src (which you should not allow!), then you cannot use preview mode - which is quite annoying as this is very useful and reduces the ability to test GTM changes. content-security-policy.org gives the other policies needed when using GTM with a CSP.
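An added example (not code from the original post) of the allowlist behaviour described in this tip, useful as a pre-release check that the script URLs your tags load are still covered by your policy. It is a simplified model of script-src matching that handles only 'self' and scheme/host sources with an optional leading wildcard; ports, paths, nonces and hashes are not modelled, and the policy and the hotjar host names are constructed.

```javascript
// Added example: a simplified script-src check, not a full CSP implementation.
function scriptSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return values;
  }
  return [];
}

// "*.example.com" covers subdomains only, never the bare domain itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function isScriptAllowed(policy, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return scriptSources(policy).some((source) => {
    if (source === "'self'") return url.origin === pageOrigin;
    if (source.startsWith("'")) return false; // other keywords not modelled
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
    if (!m) return false;
    // A source without a scheme is treated as matching the URL's scheme.
    const scheme = m[1] ? `${m[1].toLowerCase()}:` : url.protocol;
    return scheme === url.protocol && hostMatches(m[2].toLowerCase(), url.hostname);
  });
}

// Constructed policy and URLs for illustration.
const policy =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://*.hotjar.com";
const origin = 'https://www.example.com';
const candidates = [
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXX',
  'https://static.hotjar.com/tag.js',
  'https://static.hotjar.io/tag.js',
  'https://evilhackers.com/x.js',
];

for (const url of candidates) {
  console.log(isScriptAllowed(policy, url, origin) ? 'allowed' : 'BLOCKED', url);
}
```
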
Tag managers are widely used, and GTM is king of the tag managers at the moment. This is because they are useful for managing marketing campaigns on websites, but they do introduce risks to a website - particularly for introducing security problems, or hindering the performance of a website. This blog post has detailed some ways to reduce those risks. As I've stated several times here, these tips will not reduce the risk completely and some will be uncomfortable with the whole concept of tag managers and tracking tags. That is entirely understandable and I am not suggesting adding these changes will alleviate all those concerns. I'm simply trying to offer ways to use them better for those that do choose to use a tag manager. Hopefully some of you will find this post useful and can add more security to your websites, and also improve your performance while you are at it.
Finally, there are a number of changes I would like to see those in the industry make to help make all this easier:
- Marketing firms to be aware of CSP: publish the CSP requirements for your product, don't depend on insecure options, and stop moving domains around without notice!
- Google to make GTM compatible with CSP in Preview Mode.
So if you're a marketer (or Google) and have any influence on these, then please consider these next time you are implementing a tag for companies to use!
Have any comments or any other tips to improve GTM? Let me know below!
Want to read more?
More Resources on this subject
- Hackernews thread discussing this article.
- GTM Security settings.
- Facebook Pixel Tracking documentation.
- SpeedCurve - a performance monitoring tool which the screenshots in this post come from.
- Improving third-party web performance at The Telegraph - a fantastic post by Gareth Clubb on how The Telegraph built a performance culture with their business.