Tag Governance Strict Mode: Maximum Control Over Third-Party Scripts

LegalBanner · 7 min read

What Is Strict Mode?

LegalBanner's tag governance offers two enforcement modes. Monitor mode observes and alerts but doesn't block. Strict mode goes further: any script that hasn't been explicitly approved is prevented from executing.

In strict mode, your website operates on an allowlist basis. Only scripts in the approved registry can run. Everything else is blocked and logged.

When to Use Strict Mode

Strict mode is appropriate when:

  • You're in a regulated industry (finance, healthcare, legal) where unauthorised data collection carries severe penalties
  • Your site handles sensitive data (payment processing, personal health information, financial data)
  • Multiple people add scripts to your site and you need to prevent unauthorised additions
  • You've completed a thorough initial review and are confident your approved list is complete
  • Security is a priority and you want to minimise your site's attack surface from third-party code

How to Enable Strict Mode Safely

1. Complete Your Tag Inventory First

This is non-negotiable. Before enabling strict mode, you must review and approve every legitimate script on your site. Enabling strict mode with an incomplete inventory will block scripts your site needs, potentially breaking functionality.

2. Run Monitor Mode for at Least One Week

Monitor mode shows you everything that runs on your site without blocking anything. Spend at least a week in this mode to catch scripts that only fire in specific conditions (checkout pages, logged-in states, specific browsers).

3. Test on Staging First

If you have a staging environment, enable strict mode there first. Navigate through every critical user flow: homepage, product pages, checkout, account creation, login. Verify everything works.

4. Enable Strict Mode on Production

Once testing is complete, enable strict mode. Monitor the blocked attempts log closely for the first 24–48 hours. If a legitimate script is being blocked, approve it immediately.

What Gets Blocked

In strict mode, these types of scripts are automatically blocked:

  • Scripts from domains not in your approved list
  • Piggyback tags loaded by approved scripts (unless specifically approved)
  • Dynamically injected scripts from unknown sources
  • Scripts whose signature has changed since approval (indicating an update that needs re-review)

Blocked Attempt Reporting

Every blocked script is logged with:

  • Script URL and domain
  • Page where the block occurred
  • Timestamp
  • Reason for blocking (not in registry, changed signature, etc.)

This data is invaluable for security audits and compliance demonstrations. You can show exactly what was blocked and why, proving that your site actively prevents unauthorised data collection.

The Security Benefit

Beyond compliance, strict mode provides a genuine security benefit. Supply chain attacks through compromised third-party scripts are increasingly common. By allowing only known, approved scripts to execute, you significantly reduce your exposure to this attack vector.
