- Initially, give the marketing team read-only or edit-only access, with IT owning the right to publish to the dev/live container.
- 2-Step Verification can be enabled on every Google Account that has access to GTM.
- Ensure the 2-Step Verification tickbox is checked for all accounts with write access to the live container.
- Password expiry can be enforced on the Google Accounts, e.g. a prompt to reset the password every 30 days.
- Google Webmaster Tools can send an email alert if it detects malware on a crawl of the website.
- To disable Custom HTML tags (more secure, but fewer features), set gtm.whitelist / gtm.blacklist in the dataLayer, hard-coded in the page header before the container snippet (or deployed via a Custom HTML tag that only an account with 2-Step Verification may publish).
Note1: The blacklist trumps the whitelist (e.g. whitelisting [cts] for ClickTale is ignored if [nonGoogleScripts], which includes ClickTale, is in the blacklist).
Note2: Bizarrely, DoubleClick is not classed as a [google] script by GTM; it has no class at all, so its tag IDs (fls, flc) must be whitelisted explicitly.
Note3: Blacklisting [customScripts] implicitly blacklists [customImages] and [nonGoogleIframes], because a Custom HTML tag can be used to inject custom images and non-Google iframes such as the Mediaplex iframe.
Note4: The [html] class is the legacy name for the [customScripts] class.
```html
<script>
  // Must run before the GTM container snippet so the lists are in place when gtm.js loads.
  window.dataLayer = window.dataLayer || [];
  window.dataLayer.push({
    'gtm.whitelist': [
      'google', // allow GA classic, universal, AdWords & dataLayer
      'fls',    // allow DoubleClick Floodlight Sales
      'flc',    // allow DoubleClick Floodlight Counter
      'ms',     // allow Marin Software
      'cts',    // allow ClickTale Standard
      'img'     // allow Custom Image
    ],
    'gtm.blacklist': [
      'customScripts', // disallow Custom HTML and JS macros; implicitly closes the route to non-Google iframes and custom images/pixels (Note 3)
      // 'nonGoogleIframes', // would disallow Mediaplex iframes, but is already covered by customScripts
      'k' // disallow 1st-party cookie access
    ]
  });
  // Help page: developers.google.com/tag-manager/devguide#security
</script>
```
Note5: GTM does not (yet) support script dependencies, so gtm.blacklist/gtm.whitelist cannot be guaranteed to load from a container tag before the other tags do; adding the lists inline in the page header, before the container snippet, is the only way to enforce them fully.
- The GA community is very active in reporting malware and GTM blocking issues, and these are normally picked up very quickly.
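The following is an added example (not code from the page, from GTM, or from Google): a small model of the whitelist/blacklist rules as Notes 1 to 5 describe them, applied to a constructed set of tags and to a constructed dataLayer mirroring the header snippet above. The tag IDs `ua` and `mpx` and all class memberships are assumptions, except those the page states (`cts` is in nonGoogleScripts, `fls`/`flc` have no class, `html` is the legacy name of customScripts).

```javascript
// Added example: model of GTM whitelist/blacklist evaluation as described in the
// notes above. Not GTM's own code; IDs/classes are assumptions unless the page states them.

// Note 4: 'html' is the legacy name for the customScripts class.
const CLASS_ALIASES = { html: 'customScripts' };

function canon(name) {
  return CLASS_ALIASES[name] || name;
}

// Pull the last gtm.whitelist / gtm.blacklist values out of a dataLayer array,
// the way the lists are declared in the page header.
function policyFromDataLayer(dataLayer) {
  const policy = { whitelist: null, blacklist: [] };
  for (const entry of dataLayer || []) {
    if (!entry || typeof entry !== 'object') continue;
    if (Array.isArray(entry['gtm.whitelist'])) policy.whitelist = entry['gtm.whitelist'];
    if (Array.isArray(entry['gtm.blacklist'])) policy.blacklist = entry['gtm.blacklist'];
  }
  return policy;
}

// Decide whether one tag may fire. A tag is matched by its type ID or by any
// class it belongs to. Note 1: any blacklist match wins over the whitelist.
// If a whitelist is set, a tag with no match in it is blocked, so a tag with
// no class (Note 2, DoubleClick) can only be allowed by its ID.
function tagAllowed(tag, whitelist, blacklist) {
  const names = [tag.id, ...tag.classes].map(canon);
  const black = new Set((blacklist || []).map(canon));
  if (names.some((n) => black.has(n))) return false;
  if (!whitelist) return true;
  const white = new Set(whitelist.map(canon));
  return names.some((n) => white.has(n));
}

function evaluatePolicy(tags, policy) {
  const verdict = {};
  for (const tag of tags) {
    verdict[tag.id] = tagAllowed(tag, policy.whitelist, policy.blacklist);
  }
  return verdict;
}

// Constructed tags. 'ua' and 'mpx' are assumed IDs; classes are illustrative
// except for those the page states.
const SAMPLE_TAGS = [
  { id: 'ua',   classes: ['google'] },            // Universal Analytics (assumed ID)
  { id: 'fls',  classes: [] },                    // Floodlight Sales: no class (Note 2)
  { id: 'cts',  classes: ['nonGoogleScripts'] },  // ClickTale (Note 1)
  { id: 'img',  classes: ['customImages'] },      // Custom Image tag (assumed class)
  { id: 'html', classes: ['customScripts'] },     // Custom HTML tag
  { id: 'mpx',  classes: ['nonGoogleIframes'] },  // Mediaplex iframe (assumed ID, Note 3)
];

// Constructed dataLayer mirroring the header snippet on this page.
const PAGE_DATALAYER = [
  {
    'gtm.whitelist': ['google', 'fls', 'flc', 'ms', 'cts', 'img'],
    'gtm.blacklist': ['customScripts', 'k'],
  },
];

// Verdict for each sample tag under the page's policy:
// ua, fls, cts, img fire; html and mpx are blocked.
function demo() {
  return evaluatePolicy(SAMPLE_TAGS, policyFromDataLayer(PAGE_DATALAYER));
}
```

Under the page's policy the Mediaplex iframe tag is blocked without being named in the blacklist simply because nothing in the whitelist matches it; blacklisting customScripts then removes the Custom HTML route through which an iframe or image could otherwise be injected regardless of the lists, which is the practical content of Note 3. The model deliberately does not expand the blacklist with "implied" classes, since the page does not state that GTM does so. Calling `tagAllowed` on the `cts` tag with `['nonGoogleScripts']` blacklisted shows Note 1, and whitelisting only `['google']` shows Note 2 (the Floodlight tag no longer fires).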