ITP limitations, short cookie lifetimes, and bot traffic make it hard to track user behavior, attribute conversions, and make confident, data-driven decisions.
In this session, we explain the role of a custom domain in server-side tracking, how it helps recover lost data, and how to choose the right setup method. You’ll also learn how to extend cookie lifetimes and filter bot traffic to improve data accuracy and attribution – all using Stape and server-side tracking best practices.
Whether you’re already using server-side tracking or just exploring it, this session will help you get it right.
Speakers: Dan Murov, Data Tracking Lead @ Stape
08:40 - Custom domain explained: what does it mean for your tracking and data accuracy; what setup options available and limitations to consider
18:00 - How to increase resistance to ad blockers
21:17 - How to extend cookie lifetime in ITP environments like Safari 16.4+
40:10 - How to detect and filter bot traffic to keep your data clean
47:03 - How to measure the real impact of your server-side setup and see how much data you’re actually recovering
49:26 - Q&A session
What priority should be set for the Data Client and GA4 Client in sGTM when both are used?
It’s usually not necessary to set a priority, since these clients serve different purposes:
- Data Client claims Data Tag requests, or other generic http requests.
- GA4 Client handles Google Analytics events.
However, if you have overlapping triggers or a specific use case where both respond to the same request, setting priorities can help control which one processes it first.
Should I use https://load.sgtm.mydomain.com or https://sgtm.mydomain.com as the Server URL in the Stape app?
In the app, domain field is responsilbe for web GTM donwload. Use the load. subdomain there since it will be reflecte in loader snippet. For transfering of events however, use the subdomain w/o 'load'.
When I use GTM Kit or GTM4WP plugin and enter the container identifier and server URL, GTM says it's not connected. Is the issue with the plugin or something else?
The Custom Loader feature that enables direct GTM loading is only available in the GTM Server-Side plugin developed by Stape. If you're entering the Stape container ID and server URL into a different plugin (like GTM Kit or GTM4WP), it may not be compatible – which is likely the issue you're seeing.
If uBlock or similar tools add Stape's domains to their blocklists, wouldn’t it get blocked too?
Yes, if a Stape domain (like load.stape.io) gets added to an adblock list, it can be blocked – just like any other third-party resource. That’s why we strongly recommend using your own custom subdomain (e.g., https://sgtm.yourdomain.com) for server-side tracking.
This makes the requests look like first-party and significantly reduces the chance of being blocked. You should always go for same-origin approach if you can and your situation allows it. When not possible - use the next best thing which is subdomain + Cookie Keeper.
Google now automatically recommends server-side configuration with first-party cookies to use the same-origin domain in GTM. Do you recommend this configuration or is the worker configuration preferable? Why is it that in the webinars where you show how to extend cookie lifespan, you never show the worker configuration to use the same-origin domain?
Google Tag Gateway achieves what worketrsetup would in part of GA4 and Goole ADS, specifically in the cookie part. It doesn't however assume the use of server container in the first place and will therefore have no influence on platforms that are not Google.
Same-origin via workers is ideal from a tracking and privacy standpoint – it ensures your cookies are treated as first-party, not blocked or shortened, and is fully aligned with Google’s recommendations while still letting you use server container and have tags in that container benefit from same-origin approach.
Is the same-origin setup available for Shopify websites or ecommerce platforms that use their own CDN?
Yes you can use same-origin approach with workers approach through Cloudflare on Shopify.
Previously, A and AAAA records were used by default when registering a custom subdomain. Now, the default is CNAME. Is there a specific reason why? Is a custom subdomain registered with A and AAAA records more resistant to adblock than a configuration with just a single CNAME record?
The switch to CNAME as the default was made to simplify setup reducing the amount of records needed from the customer. Type of DNS record currently has no bearing on neither cookies nor adblock bypass.
For Shopify, the Cookie Keeper setup only seems to work if I’m using Stape’s Shopify app. If I build a custom dataLayer and use GTM loader through Custom Pixels (customer events), the loader code with Cookie Keeper throws errors and can’t be saved in Custom Pixels. What should I do?
Cookie Keeper is designed to work with a specific master cookie, and if it's misconfigured (as can happen with Custom Pixels), it may break the loader code.
If you’re using Shopify’s Customer Events instead of the Stape app, we recommend disabling Cookie Keeper and using the loader code only to embed GTM. You can still manage your own dataLayer setup separately. The Stape Shopify app remains the easiest way to use both Cookie Keeper and the Custom Loader together.
After activating Cookie Keeper, do I need to configure anything else in server GTM?
No additional setup is required in server GTM. Cookie Keeper works automatically once enabled.
Is an OWN CDN configuration preferable to one with a worker, since OWN CDN avoids extra Cloudflare costs from worker traffic?
Yes, using Own CDN can be more cost-efficient because it doesn’t rely on Cloudflare Workers, which may incur additional charges based on traffic volume. However, both configurations are valid. The best choice depends on your technical setup, scalability needs, and cost considerations.
With the Stape + Shopify integration, Google is encouraging merchants to migrate tags to the native Google & YouTube app due to upcoming checkout changes in Shopify. Will Stape’s server-side setup still work as Shopify updates its checkout?
Yes – Stape’s integration using GTM and server-side tagging remains fully compatible with Shopify’s checkout extensibility changes.
While Google’s app may work for basic setups, using GTM with Stape gives you full control over what data you send and how.
Despite the wording, GTM is not considered a third-party integration in this context. Based on our experience, server-side tagging via GTM + sGTM + the Stape app is more flexible and reliable than native integrations.
The Stape bot traffic header is marked as ‘true’ around 80–90% of the time on client sites where I’ve tested. What goes into this determination, and what is the threshold?
The Stape bot detection header is based on multiple signals – including user agent, IP reputation, request behavior, and known patterns of non-human traffic.
It’s designed to flag likely invalid or low-quality traffic, not just known bots. This can include headless browsers, scrapers, or tools triggering tags in non-standard ways.
An 80–90% flag rate may indicate issues like testing tools, browser extensions, or implementation sending duplicate or unnatural requests.
You can use this header as a signal to exclude traffic from measurement or ad targeting – but we recommend cross-checking with server logs or other tools for context. If you constantly get bot detection false positives - please reach out to support for investigation.
We can send the bot traffic as a custom parameter to GA4 right?
Yes, absolutely! You can send the stape-bot-traffic header value as a custom parameter to GA4.
Just create a variable in your sGTM container to read the stape-bot-traffic request header, and include it in your GA4 event tag as a custom parameter (e.g. bot_traffic: true/false).
This way, you’ll be able to analyze bot-flagged traffic directly in GA4 reports.
In order to see Stape analytics we have to create a gtm containter correct? We have snapchat stape intergration (CAPI).
Correct – to use Stape Analytics, you need to have a server GTM container configured. Stape Analytics monitors and reports on traffic processed through your server GTM container, including events sent via integrations like Snapchat CAPI.
Stape Analytics is not supported by Gateway products.
How is the bot likelihood calculated, and what is the threshold above which a visit is considered a bot?
Stape’s Bot Detection uses multiple signals like IP reputation, known data center ranges, user agent anomalies, interaction patterns, and cookie behavior. Each request is scored based on these signals. If the bot likelihood score crosses a predefined threshold – currently 0.9 (or 90%) – the stape-bot-traffic header is set to true. This helps you filter out likely bots from your analytics and improve data quality.
If I use a subdomain that points to an IP address range (A/AAAA records), is that considered same-origin?
Using a subdomain that points directly to an IP address (via A/AAAA records) is technically different from a same-origin setup. Same-origin means your tracking domain exactly matches your main website's domain (e.g. example.com and https://example.com/gtm). This approach is best for first-party cookie lifetimes and maximal resistance to tracking restrictions.
If you’re using a subdomain (e.g. track.example.com) with an A/AAAA record, you gain some benefits of first-party context, but it's not considered true same-origin, and may still be more detectable by privacy tools.
For optimal cookie lifetime and resistance to ITP/adblockers, a worker-based same-origin setup or own CDN configuration is recommended.
We have a shortened domain – would it make sense to integrate Stape or just track referral traffic?
If the shortened domain is only used for redirects (e.g. link shortener), tracking referral traffic might be enough. But if you plan to run landing pages or collect data directly on that domain, integrating Stape for server-side tracking could help enrich your data and improve attribution. It depends on whether the domain plays an active role in user interaction or is just a passthrough.
Comments