Tracking Code with Security Headers

To increase the security of web applications, it is best practice to use HTTP security headers. These include, among others, Content Security Policy (CSP) headers.

In order to use the tracking code on a server with an activated CSP, the CSP header for etracker must be set as follows:

Header set Content-Security-Policy "script-src 'self' https://*.etracker.com https://*.etracker.de 'unsafe-inline'; connect-src https://*.etracker.de"

When using the scrollmap or the Optimiser, embedding in an iframe should also be allowed:

Header set Content-Security-Policy "frame-ancestors https://*.etracker.com; script-src 'self' https://*.etracker.com https://*.etracker.de 'unsafe-inline'; connect-src https://*.etracker.de"

Notice:

The 'unsafe-inline' keyword can be removed if the etracker parameter block in the website and the CSP are provided with the same, randomly generated nonce when the page is delivered. However, with this restrictive integration of etracker, only the use of etracker Analytics is possible. When using the Optimiser, further scripts could otherwise be injected.

Please note that the settings above cover only what etracker requires. Your website may require additional settings so that other scripts and services continue to run.
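One way to implement the nonce variant described in the notice, as an added example that is not etracker's own code: each response gets a fresh nonce that appears both in the CSP header and on the inline script tag, and a small check confirms the two agree. The directives are taken from the first header above; the page template, the placeholder script body and the function names are assumptions.

```python
import re
import secrets

# Directives from the header above, with 'unsafe-inline' replaced by a nonce source.
CSP_TEMPLATE = ("script-src 'self' https://*.etracker.com https://*.etracker.de "
                "'nonce-{nonce}'; connect-src https://*.etracker.de")

# Constructed page; the script body is a placeholder, not etracker's real parameter block.
PAGE_TEMPLATE = """<!doctype html>
<html><head>
<script nonce="{nonce}">/* etracker parameter block goes here */</script>
</head><body>Hello</body></html>"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')
NONCE_SRC = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")


def build_response(nonce=None):
    """Return (headers, body) that share one nonce, fresh for every response."""
    nonce = nonce or secrets.token_urlsafe(16)  # 128 random bits, base64url
    headers = {"Content-Security-Policy": CSP_TEMPLATE.format(nonce=nonce)}
    return headers, PAGE_TEMPLATE.format(nonce=nonce)


def check_response(headers, body):
    """List reasons the nonce setup is incomplete or the inline block would be refused."""
    problems = []
    csp = headers.get("Content-Security-Policy", "")
    if "'unsafe-inline'" in csp:
        problems.append("'unsafe-inline' still present")
    allowed = set(NONCE_SRC.findall(csp))
    if not allowed:
        problems.append("no nonce source in CSP")
    for attrs in SCRIPT_TAG.findall(body):
        if re.search(r"\bsrc\s*=", attrs, re.I):
            continue  # external script: matched against the host sources instead
        found = NONCE_ATTR.search(attrs)
        if not found or found.group(1) not in allowed:
            problems.append("inline script without matching nonce")
    return problems


if __name__ == "__main__":
    headers, body = build_response()
    print(headers["Content-Security-Policy"])
    print(check_response(headers, body))  # empty list when header and page agree
```

A static `Header set` line cannot carry a per-response nonce, so in this variant the header has to be emitted by whatever component renders the page.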