google analytics javascript security - property ID public - javascript

I've read the following question: Security on Google Analytics and other client-side analytics tools?
But I need an even simpler answer.
Per the google analytics site, I've put the following code in the header of my web site:
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'propertyID']);
_gaq.push(['_setDomainName', 'brokersqueeze.com']);
_gaq.push(['_setAllowLinker', true]);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
While perhaps obvious to most readers here, I realized all this information (like the PropertyID) is available via "inspect element" in the browser.
Have I put the GA snippet properly? Or is there a way to use GA such that the info is hidden from the public? It seems like answers for the question above suggest that while the information is public, it's a risk everyone just lives with. Do I have that right?

Yes, you've done it right. That risk exists with every client side analytics tool. If they send spoofed requests to GA, you can try filtering the results in reports. Even if you obfuscate the ID in the javascript code, they can capture the http request and get that ID.

Related

What is causing the conflict between these two Google Analytics tracking scripts?

I am getting a ton of self-referred traffic on my website. I believe it is due to these two tracking codes.. I am not sure that I need both, but want to be sure if I do or not.
We want sub-domain tracking to work (first script), and obviously the regular GA tracking info as well (2nd script is the out-of-the-box script).
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function() {(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-5402569-1', 'auto',{'allowLinker': true });
ga('require', 'linker');
ga('linker:autoLink', ['goaupair.com','community.goaupair.com','knowledge.goaupair.com']);
ga('send', 'pageview');
</script>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-5402569-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
You do not need both (in fact you will most likely get double counting of pageviews). The first script is the current version (Universal Analytics). The second script is the previous version of the GA tracking script.
You should remove the second version altogether. As far as subdomain tracking is concerned you do not need any special tracking for that - just make sure that your domain is added to the referral exclusion list in the property settings, and that the cookieDomain is set to "auto" when you create the tracker (which it is, so simply lose both lines for the linker).
Linking between domains is only necessary if you want to do cross domain tracking between two different domains. The point of cross domain tracking is to transfer the client id that is stored in a cookie, and since your domain and subdomain share their cookies anyway you do not need special configuration.
The only thing that's important is the "auto" setting for the cookie domain, else visitors entering via the subdomain will get a new clientid (and thus be counted as new visitors) when they enter the main domain.

Is Google Rendering Bad Tracking Codes?

I've gotten a lot of response saying that my Google tracking code was excessive in many ways, and I suspect that perhaps not all features are working. (There's certain metrics that aren't showing data: "Paid Traffic" and "Campaigns" for example)
Is it possible that Google is rendering less than useful tracking codes?
Should I return to the old format of tracking codes, since I know that they work well?
Could it be the placement on my page? Google recommends before </head> yet everyone on here recommends before </body>.
What Google rendered for me: (Current)
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-40498113-1', 'caseykidd.com');
ga('send', 'pageview');
</script>
My old Tracking Code: (Circa One Year Ago)
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-28036048-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
The "new" tracking code is analytics.js, which "is part of Universal Analytics, which is currently in public beta".
Granted you can probably get the Google Analytics pages to give you the beta code, I would probably stick with the tried and true ga.js on production websites until Google pulls it out of beta.
The new tracking code has async enabled by default, so in most recent browsers it won't stall the page load even if there is a problem loading Google Analytics. That is why they recommend you put the ga.js tracking code before </body> instead of </head>.

Does Analytics Script Conflict with Fade-in Effect?

I recently installed my analytics code, but it has been saying for a while that it's not installed.
I can't think of a better place to put it. Does the script interfere with my other script (for the fade-in)?
Also, should my script be the first thing I include? (maybe after </title>?)
Hits are showing under "real-time" but not as actual visits. The tracking info still says "tracking not installed." I refreshed to make sure.
UPDATE: Google is showing my hits, and I have data... but it says that tracking is not installed. I've had this issue with Wordpress sites, but they were remedied with the use of a plug-in.
Should I try using the old tracking script? I know that one works.
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Casey</title>
<meta name="description" content="" />
<meta name="keywords" content="">
<link href="home.css" rel="stylesheet" type="text/css">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js" ></script>
<script type="text/javascript">
$(document).ready(function() {
if (window.localStorage && !localStorage['faded']) {
localStorage['faded'] = true;
$('body').hide().fadeIn(500);
}
});
</script>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-40498113-1', 'caseykidd.com');
ga('send', 'pageview');
</script>
</head>
The only thing I see that's "off" is
ga('create', 'UA-40498113-1', 'caseykidd.com');
should be
ga('create', 'UA-40498113-1', {'cookieDomain':'caseykidd.com'});
But I don't think that's really the problem (I think GA is just ignoring how you did it and it happily works out okay, based on your lack of subdomain in the URL). edit: oddly, the generated code within the GA interface looks like what you have, but that's not what the documentation shows. I have verified that this is apparently an undocumented syntax shortcut for setting the cookie domain.
You said you see the data in the "real time" reports so I assume your account number is correct.
My only suggestion is to wait a while for the data to show up. GA's "real time" stuff only shows some basic info. Stuff like "visit" may not be immediately available because of the nature of the dimension/metric. For example, GA (and most other tracking tools) usually don't count it as a visit until the visit is actually over. So if you went to your site to test it and then immediately went to GA to check...well the visit isn't actually over until 30 minutes after the last request to GA.
update (additional info based on your comment below and update to your question)
I don't necessarily think you need to use the old tracking script.. I don't know how it works within Google's system, but Google actually officially states that it can take up to 24 hours for everything to be completely recorded.
Also to be fair, Universal Analytics (analytics.js) is in open beta phase at the moment.. it could be that they haven't gotten around to updating that verification logic, or there could be a bug in it, or it could be one of the things that take closer to 24 hours to be updated.
Again, since you are seeing data, I don't think you are doing it wrong, but for sh*ts and grins you can read the entry on verifying your web tracking setup. Are you testing on some other domain than what the web property is set up for? I think GA may not report that implementation has been verified if it has not received a request from the domain specified in the property settings. Also the manual says it must be on the "homepage" of your site. Are you testing on the homepage or using a custom page name?
As a test I set up analytics.js code in a new web property for a domain that did not previously have any GA tracking on it, when I posted this answer. I see my data but the tracking status remains as "not installed." It has not been 24 hours for me yet, but I personally don't really care, as long as the data is coming in. Even Google's troubleshooting document entry for tracking verification just says to look at the request and verify data in the reports, so that's good enough for me.
But if it really bothers you that much, and you've waited at least 24 hours, I would suggest posting a possible bug report on the google support forums.
update 2: It's been about 18 hours, since I last checked, and the status msg has changed to "receiving data" on my test domain/web property.
When you create a Google Analytics account you're provided with the tracker script, which in my experience has always been the below:
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXXXXX-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
That uses the _gaq object, where basically you fill an array of arrays with stuff you want Google Analytics to do later, and when it loads it looks for _gaq, reads the array and executes those commands. It then replaces _gaq with an object that immediately responds to calls to .push() by executing the commands described in the array.
So for example if you added this to the array:
_gaq.push(['_trackEvent', 'Ordering', 'Clicked', 'Order Now top-left']);
Then one of 2 things would happen:
If GA hadn't loaded yet, this array would be added to the _gaq array, waiting for GA to finish loading. When GA did load it would read this and fire the trackEvent command with the parameters you included.
If GA had already loaded, then this call to .push() would cause the trackEvent command to be executed immediately, with the parameters you included.
By the way I usually simplify the example script to:
<script>
var _gaq = [
['_setAccount', 'UA-XXXXXXXX-1'],
['_trackPageview']];
(function() {
var ga = document.createElement('script'); ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
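The queue behaviour described in this answer, as an added example that is not part of the original answer and is not Google's ga.js. The names createQueueDemo, handlers, load and demo are hypothetical; the model only records which commands ran and sends nothing.

```javascript
// Added illustration of the command-queue pattern; this is not Google's ga.js.
// createQueueDemo, handlers and load are hypothetical names.
function createQueueDemo() {
  const executed = [];                 // commands that actually ran, in order
  const handlers = new Map([           // stand-ins for the tracker's methods
    ['_setAccount', (id) => executed.push('account:' + id)],
    ['_trackPageview', (path) => executed.push('pageview:' + (path || '(current)'))],
    ['_trackEvent', (c, a, l) => executed.push('event:' + [c, a, l].join('/'))],
  ]);
  const page = { _gaq: [] };           // before load: a plain array, push() only stores

  function run(cmd) {
    if (!Array.isArray(cmd) || !handlers.has(cmd[0])) return false; // ignore junk
    handlers.get(cmd[0])(...cmd.slice(1));
    return true;
  }

  // What the library does once its script arrives: drain the stored commands
  // in order, then swap the array for an object whose push() runs at once.
  function load() {
    const pending = Array.isArray(page._gaq) ? page._gaq : [];
    pending.forEach((cmd) => run(cmd));
    page._gaq = { push: (...cmds) => { cmds.forEach((cmd) => run(cmd)); } };
  }
  return { page, load, executed };
}

function demo() {
  const d = createQueueDemo();
  d.page._gaq.push(['_setAccount', 'UA-XXXXXXXX-1']);
  d.page._gaq.push(['_trackEvent', 'Ordering', 'Clicked', 'Order Now top-left']);
  const beforeLoad = d.executed.length;        // nothing has run, and nothing threw
  d.load();
  const afterLoad = d.executed.length;         // both queued commands replayed
  d.page._gaq.push(['_trackPageview', '/ajax/cart']); // now executes immediately
  return { beforeLoad, afterLoad, executed: d.executed.slice() };
}
```

In this model, if load() never runs (for example because the library script was blocked), push() keeps succeeding without error and no command ever executes.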

is _gaq.push not working properly?

I am trying to track my pages via google analytics, here is my code
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'XXXXXXXXXX']);
_gaq.push(['_setDomainName', 'somesite.com']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
(function ($) {
// Log all jQuery AJAX requests to Google Analytics
$(document).bind('ajaxComplete', function(event, xhr, settings){
console.log('ajax Request');
console.log(settings.url);
_gaq.push(['_trackPageview', settings.url]);
});
})(jQuery);
On each ajax request I can see the console has values
ajax Request
url of the page
it means _gaq.push is working (as there is no js error on page). But when I am checking my req/res via Live HttpHeaders there is no req/res to google analytics, How to track it?
here is the screenshot in firebug
The point in _gaq.push is that, until Google Analytics is actually loaded, "_gaq" is just a normal array. That is: the lack of errors is indeed expected, regardless of whether or not it is "working" in the sense of triggering a request to Google.
The way Google Analytics works is not via ajax (or at least, there is no specific implementation detail regarding how the request will be sent). The method usually used is to create an Image element with the tracking data included in the query string of that image's URL. After all, the page doesn't care what response Google Analytics has, it just wants to send its data and go!
Rather than using LiveHttpHeaders, I would check the 'Network' panel of your developer tools -- if you have the Javascript console, you probably have access to that as well. You should be able to see all of the details of the requests on that panel.
You can also use the debug version of ga.js to diagnose errors. It prints things like "Invalid tracking code" and so on to the Javascript console.
Search for "Debugging with ga_debug.js" on this page:
https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting
Look at the http headers sent - I use HttpFox - and filter for 'utm'. Look at the query string (httpfox breaks this out into a table for you) and you can see all of the utm parameters of the hit - account number (utmac), page (utmp), etc. If any of the utm params are unfamiliar, check this reference. This sort of simulation and analysis of the image requests sent to google's servers is very useful for debugging Google Analytics problems.
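The query-string inspection described above, as an added example that is not part of the original answers: it parses ga.js image hits and checks the account (utmac) and hostname (utmhn) against expected values, the same fields a report filter for the spoofed hits mentioned in the first answer on this page would look at. The hit URLs, the EXPECTED values and the function names are constructed for illustration; utmhn is the classic ga.js hostname parameter and is not named on this page.

```javascript
// Added example; hit URLs are constructed samples, not captured traffic.
// utmac (account) and utmp (page) are named in the answer above; utmhn is
// the classic ga.js parameter carrying the page's hostname.
const EXPECTED = { account: 'UA-XXXXXXXX-1', hosts: ['somesite.com', 'www.somesite.com'] };

const SAMPLE_HITS = [
  'http://www.google-analytics.com/__utm.gif?utmwv=5.4.1&utmhn=somesite.com&utmp=%2Fajax%2Fcart&utmac=UA-XXXXXXXX-1',
  'http://www.google-analytics.com/__utm.gif?utmwv=5.4.1&utmhn=unrelated.example&utmp=%2F&utmac=UA-XXXXXXXX-1',
  'http://www.google-analytics.com/ga.js', // library download, not a hit
];

// Return the fields of interest, or null if the URL is not a ga.js image hit.
function parseHit(hitUrl) {
  let u;
  try { u = new URL(hitUrl); } catch (e) { return null; }
  if (!u.pathname.endsWith('/__utm.gif')) return null;
  const q = u.searchParams;            // values are percent-decoded here
  return { account: q.get('utmac'), page: q.get('utmp'), host: q.get('utmhn') };
}

// Compare one hit against the property's expected account and hostnames.
function checkHit(hitUrl, expected) {
  const hit = parseHit(hitUrl);
  if (!hit) return { ok: false, reason: 'not a __utm.gif request' };
  if (!hit.account) return { ok: false, reason: 'utmac missing' };
  if (hit.account !== expected.account) return { ok: false, reason: 'unexpected account', hit };
  if (!expected.hosts.includes(hit.host)) return { ok: false, reason: 'hostname not in allowlist', hit };
  return { ok: true, reason: 'ok', hit };
}

// Check a list of request URLs, e.g. copied from the browser's Network panel.
function auditHits(urls, expected) {
  return urls.map((url) => Object.assign({ url }, checkHit(url, expected)));
}
```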

Why isn't Google Analytics script loading in some browsers?

I use default generated GA tracking code for my page:
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXX-1']);
_gaq.push(['_setDomainName', 'xxx.com']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
This code seems to work in most cases. However, the _utm.gif is not requested from some browsers, (namely, I noticed it in Chromium on Ubuntu and Firefox on Fedora). Actually, it appears that the ga.js script is not even loaded.
If I use the GA Debugger or locally saved script ( ga.src = 'ga.js'; ), the tracking works as expected even on mentioned browsers. Other tested OS-browser configurations work.
EDIT: As suggested in comments, I've tried to remove protocol resolution (i.e.: ga.src = 'http://www.google-analytics.com/ga.js') and scripts other than ga.js (to rule out conflicts). It didn't change the behavior in any way.
Any ideas what causes the problem and how to avoid it?
I tested the issue again today and everything appears to be working as it should.. I have no idea why..
