-
Maximizing Security: Integrating Google Analytics/Google Ads with CSP
Got any experienced folk here who have worked around the hassle of getting Google Analytics/Google Ads to run with CSP? I’ve been on Stack Overflow reading some stuff and also came across an interesting article. But I’m eager to know if there’s another method. I’ll share about that great article in my reply.
-
2 Replies
-
Sure, I’d be happy to explain it in a simpler way. You see, I found an article that suggested moving Google Analytics’ code to its own file. The file would live on a domain that my Content Security Policy (CSP) already trusts, such as my primary website.
So, I did just that. I took Google’s script, which was initially meant to live directly in my website’s code. I downloaded that script and added a few more lines of code that Google had provided me. Then, I saved this extended script as its own separate file on my website.
To ensure that my website would use this new file, I added a line of code within the head section of my site that references these analytics.
To make sure everything was secure, I updated my CSP policy as suggested in the article.
Finally, I connected Google Analytics 4 to Google Ads using a dedicated feature and set up a conversion goal on Google Ads. A small tip: you need to switch Google Ads to Expert mode for this to work.
And voila! Everything was up and running smoothly. I could see my stats on Google Analytics and monitor conversions on Google Ads. Simple as that!
-
To get Google Analytics (GA) and Google Ads to run with Content Security Policy (CSP), you need to allow specific URIs in your policy directive. These include ‘www.google-analytics.com’, ‘googletagmanager.com’, ‘adservice.google.com’, and ‘googleads.g.doubleclick.net’.
However, handling inline scripts sourced from GA might get a bit challenging. You have two options to handle this. First, use a nonce (number used once) to whitelist the inline script. The nonce must be generated anew for every HTTP response, which can not be a straightforward method and cause latency issues.
Second, use the ‘unsafe-inline’ directive. But note, this is not recommended due to security reasons as it allows all inline scripts making your site vulnerable. If you must use it, make sure only to allow inline scripts and styles from trusted sources.
One innovative method mentioned in that article involved using a service worker to inject Google Analytics. However, this method isn’t simple and should only be employed if you’re proficient in service worker functionality.
Remember that while CSP is a powerful defensive tool for site security, it can make things difficult when you need to integrate third-party services such as GA or Google Ads. Strike a balance between security and functionality to create a high-performing website.
Log in to reply.