Does it matter if google analytics script is found in page html?

Question

Google says to put the analytics code at the top of your head section. When the page loads this script file can be found from inspecting the page. Just curious, does this matter that people could see this code? Is it secure enough so that if someone wanted to try and hack it, they wouldn't be able?

Is there another preferred way to implement google analytics?

Answer 1

Depends on what you mean by "secure".

Javascript is visible to every user of your page, so there are no secrets in JS (and you cannot meaningfully encrypt data in JS - if the browser can decode it, then anybody else can). This has actual consequences for GA, since it means anybody can look up your tracking id an send spam data to your account (to be fair they could just as well at the network request and get the id from there).

The other security issue is if JS is somehow used as attack vector (scraping information and redirecting data to third parties, including malware in the page etc.). The analytics.js library is not usually an attack vector. However, as it is injected in the page and runs in the context of your page it has access to all information. If somebody manages to swap out the analytics.js file, e.g. via a man-in-the-middle attack on your network, then it could lead to abuse (a few years ago on the Google Analytics forum somebody claimed this had happened to him; I don't know if this would still be feasible). But that would be a problem with the infrastructure, not with Google code per se.

If you wanted to secure yourself against this you would need to use server-side tracking via the measurement protocol, however this would make it more difficult to track frontend events.

Answer 2

The analytics.js library is a JavaScript library for measuring how users interact with your website. This document explains how to add analytics.js to your site.

Please refer the below link for preferred : https://developers.google.com/analytics/devguides/collection/analyticsjs/