Cloudflare Zaraz lets you load third-party marketing and analytics tools without letting them run wild on your website.
Here’s Zaraz loading Google Tag Manager (GTM) on a demo site. Notice how it’s injected directly into the <head>:
<script defer src="https://static.cloudflareinsights.com/zaraz/c09e4b1b-5b5e-42a2-8c9f-1f1f1f1f1f1f.min.js" data-cf-beacon='{"token": "your-beacon-token"}'></script>
<script>
window.zaraz.load('google-tag-manager', {
'gtmId': 'GTM-XXXXXX'
});
</script>
This snippet is the core of Zaraz. The first script tag loads the Zaraz loader, a tiny piece of JavaScript that sits on your domain. The second script tag, executed by the Zaraz loader, tells Zaraz which third-party tool to load (in this case, Google Tag Manager) and with what configuration (here, the gtmId).
The problem Zaraz solves is the inherent risk of embedding third-party scripts directly into your website. Each script you add – for analytics, marketing automation, customer support, etc. – becomes a potential vulnerability. They can:
- Slow down your site: Many third-party scripts are bloated and poorly optimized, increasing page load times.
- Introduce security risks: A compromised third-party script can inject malicious code, steal user data, or deface your site.
- Violate privacy regulations: Scripts might collect more data than you intend, leading to GDPR or CCPA violations.
- Conflict with your own code: Unmanaged scripts can interfere with your site’s functionality.
Zaraz acts as a secure intermediary. Instead of embedding a script directly, you configure it within Zaraz. Zaraz then loads the script from its own secure infrastructure, often from Cloudflare’s edge network, not directly from the third-party vendor’s servers. This means:
- Performance: Zaraz can optimize and cache scripts, often making them load faster than if loaded directly.
- Security: By controlling which scripts load and from where, Zaraz reduces the attack surface. If a third-party vendor is compromised, Zaraz can be quickly disabled without touching your website’s code.
- Privacy: Zaraz provides granular control over what data each tool can access, helping you comply with privacy laws. You can even block certain data points from being sent.
Let’s look at the levers you control. In your Zaraz dashboard, you’ll find a list of "Tools." Each tool represents a third-party service you want to integrate. For Google Tag Manager, you’d enable it and provide its gtmId. For Google Analytics, you’d enable it and provide your measurementId.
{
"tools": {
"google-tag-manager": {
"enabled": true,
"gtmId": "GTM-XXXXXX"
},
"google-analytics": {
"enabled": true,
"measurementId": "G-YYYYYYY"
}
}
}
When a user visits your page, the Zaraz loader on your domain fetches this configuration. It then dynamically loads only the enabled tools, passing them the necessary credentials. The data-cf-beacon attribute on the Zaraz loader script is a Cloudflare feature for security and performance monitoring, ensuring the loader itself is served reliably.
The true power of Zaraz lies in its ability to sandbox these scripts. Each third-party tool is loaded in its own isolated environment. This isolation prevents a rogue script from accessing cookies or variables intended for other scripts or your own website. For example, if your analytics script accidentally tries to read a user’s credit card number (which it shouldn’t), Zaraz’s isolation layer can prevent that data from being accessed.
Most people think of Zaraz as just a tag manager, but it’s fundamentally a client-side execution environment that mediates access between your website and third-party code. It’s not just about loading scripts; it’s about controlling what those scripts can do and what data they can see on your users’ browsers. This fine-grained control is what makes it so powerful for security and privacy compliance.
The next step is understanding how to use Zaraz’s "Triggers" to control when these tools fire.