Features

Tag Governance

Last updated March 5, 2026

Tag Governance

Tag Governance gives you complete visibility and control over every third-party script running on your websites. It is available on the Pro plan.

The Problem

Most websites load dozens of third-party scripts: analytics, marketing pixels, chat widgets, A/B testing tools, and more. These scripts often:
  • Set cookies before consent is given
  • Load in regions where they are prohibited
  • Get added by marketing teams without developer oversight
  • Change behavior silently after updates
Tag Governance solves this by providing a structured approval workflow and enforcement layer.

Tag Registry

The Tag Registry is an automatic inventory of every third-party vendor detected across your sites. Each entry includes:
  • Vendor name - e.g. Google Analytics, Facebook Pixel, Hotjar
  • Consent category - Analytics, Marketing, Functional, etc.
  • Status - Pending Review, Approved, or Blocked
  • First detected - When the scanner first found this vendor
  • Last detected - Most recent detection
  • Sites - Which sites this vendor appears on
The registry is automatically populated by the cookie scanner. Every time a scan detects a new vendor, it is added to the registry in Pending Review status.

Approval Workflow

When a new vendor appears in the registry: 1. An alert is created notifying your team 2. The vendor is set to Pending Review 3. An authorized team member (Admin, Owner, or Editor) reviews the vendor 4. They can: - Approve - The vendor is allowed to run (subject to consent) - Block - The vendor is prohibited from loading - Request Review - Escalate for further investigation Every approval action is logged with who did it, when, and why (optional reason field).

Bulk Actions

Select multiple tags and apply bulk actions:
  • Approve all selected
  • Block all selected
  • Change category for all selected

Tag Signatures

Each vendor in the registry has one or more signatures used to identify it:
  • Script src patterns - URL patterns for script tags (e.g. .google-analytics.com/)
  • Cookie name patterns - Cookie names set by this vendor
  • Iframe src patterns - Embedded iframe URLs
Signatures are used by the enforcement module to match and control scripts at runtime.

Enforcement Modes

Tag Governance offers two enforcement modes: Loader Mode (Default) In Loader mode, you wrap third-party scripts with type="text/plain" and data-lb-tag attributes: ``html ` LegalBanner activates the script only if: 1. The vendor is Approved in the Tag Registry 2. The visitor has consented to the relevant category If the vendor is Blocked, the script never executes - regardless of consent. Strict Mode (Experimental) Strict mode goes further by intercepting dynamically injected scripts at runtime. It wraps document.createElement to catch scripts added by tag managers, third-party libraries, or any code you do not control. When a script is intercepted:
  • Its hostname is checked against blocked tag signatures
  • If it matches a blocked vendor, the script is prevented from loading
  • A blocked attempt is recorded for your review
Strict mode is experimental and may cause issues with some third-party scripts. Test thoroughly before enabling in production.

Enforcement Scopes

Enforcement policies can be set at three levels: | Scope | Description | |---|---| | Organization | Default policy for all sites | | Client | Override for a specific client's sites | | Site | Override for a specific site | Site-level policies take precedence over client-level, which takes precedence over organization-level. This lets you have a strict default while relaxing rules for specific sites that need it.

Configuring Enforcement

1. Go to Governance > Policies in the sidebar 2. Select the scope (org, client, or site) 3. Toggle enforcement On 4. Choose the mode (Loader or Strict) 5. Set the unknown tag action: - Alert only - New vendors are flagged but not blocked - Block until approved - New vendors are blocked until manually approved 6. Save

Tag Alerts

Alerts are automatically generated when:
  • A new vendor is detected on a site
  • A tag's signature changes (script URL updated)
  • A known tag appears on a new site
  • A consent bypass attempt is detected
Alert severity levels:
  • Info - New tag detected (normal operation)
  • Warning - Tag appeared on unexpected site
  • Critical - Consent bypass or signature change detected

Getting Started with Tag Governance

1. Run a scan on your sites to populate the Tag Registry 2. Review pending vendors and approve or block each one 3. Enable enforcement in Loader mode 4. Wrap your third-party scripts with type="text/plain" and data-lb-tag` 5. Monitor the Governance dashboard for new tags and blocked attempts