Using a reverse proxy with a single FPID (First-Party ID) cookie is the reference architecture for modern websites.
FPID (First-Party ID) cookie is the reference architecture for modern websites:
- Cookie Blocking: Safari’s Intelligent Tracking Prevention (ITP) allows cookies to work, but limits the lifetime of ones. A reverse proxy ensures that all cookies are set by the same origin.
- Script Blocking: Privacy extensions and ad blockers often use domain-based blocklists. Content served from your own domain is less likely to be blocked than third-party hosted content.
- SEO: Subdirectories consolidate link equity and domain authority more cleanly. All content shares the same origin, which can simplify your SEO strategy.
| Service | Before | After |
|---|---|---|
| Website | www.example.com | unchanged |
| App | app.example.com | www.example.com/app/ |
| Blog | blog.example.com | www.example.com/blog/ |
| Store | store.example.com | www.example.com/store/ |
| Documentation | docs.example.com | www.example.com/docs/ |
| Tag Server | gtm.example.com | www.example.com/api/gtm/ |
Prerequisites
If you need support setting up a reverse proxy, you can contact us at [email protected].
- You need admin access to your website hosting provider
- You need admin access to your Google Tag Manager Server Container configuration
- If you use multiple frontends (e.g. React website, WordPress blog, etc…), you need access to all of them
How it works
In order to use your domain to improve your data quality, you need to set up a reverse proxy on your website that forwards requests to your Google Tag Manager Server Container.1
Configuring the reverse proxy
- You are self-hosting
- You are using a site builder
- You are using a hosting platform
You can send events using your website own domain, by using a to serve all your customer-facing traffic.
- If using AWS, see Amazon CloudFront
- If using Google Cloud, see Google Cloud Load Balancing
- If using Azure, see Azure Front Door
- If using Cloudflare Enterprise, see Origin Rules
2
Forwarding traffic to your Tag Manager Server Container
Request ForwardingYou need to make sure that all requests to a subpath of your choosing, such as
Cookie ForwardingMake sure you also proxy the
Headers Forwarding
This step allows your Tag Manager Server Container to receive events from your website through your own domain.
/api/gtm, are forwarded to your Google Tag Manager Server Container endpoint.The exact endpoint URL depends on your Tag Manager Server provider:- Google Cloud: Your server container URL (e.g.,
gtm-xxxxx-xxxxx.uc.r.appspot.com) - Stape: Your server container URL (e.g.,
gtm-xxxxx.stape.io) - Other providers: Consult your provider’s documentation
Cookie Forwarding
This steps allows your Tag Manager Server Container to manage cookies on your behalf, compliant with Apple® ITP requirements.
Cookie and Set-Cookie headers. This enables your Tag Manager Server Container to automatically manage cookies for you. Most reverse proxies will automatically forward all cookies by default.Although your Tag Manager Server Container ignores non-relevant cookies, if you operate in highly regulated industries, you can configure your reverse proxy to only forward cookies that are required for tracking to work properly:FPID: (“First-Party ID”) The native Google Analytics 4® cookie holding the anonymousclient_idfor the current browser
Headers Forwarding
This step allows OneView to:
- identify you as a OneView customer
- identify your traffic origin to apply region-specific regulations (e.g. GDPR, CCPA, etc…)
| Required | Header | Value |
|---|---|---|
| ✅ | Authorization | Your API key (e.g. Bearer <token>) |
| (optional) | X-Forwarded-CountryRegion | The user’s country and region in a single ISO 3166-2 code (for example: US-CA) |
| (optional) | X-Forwarded-Country | The user’s country as an ISO 3166-1 alpha-2 code (for example: US) |
| (optional) | X-Forwarded-Region | The user’s region subdivision code (for example: CA). This is the second half of the ISO 3166-2 code (for example: US-CA) |
How do I configure geolocation headers?
How do I configure geolocation headers?
- You are self-hosting
- You are using a site builder
- You are using a hosting platform
You can configure geolocation headers at the load balancer or CDN level when you self-host.
| Provider | Supported | Geolocation headers / method | Documentation |
|---|---|---|---|
| AWS | ✅ | CloudFront-Viewer-Country, CloudFront-Viewer-Country-Region via Origin Request Policy | 📖 Guide |
| Google Cloud | ✅ | Custom headers using {client_country} and {client_region} variables | 📖 Guide |
| Azure | ✅ (partial) | Azure Front Door only exposes the {geo_country} in its Rules Engine. | 📖 Guide |
| Cloudflare Enterprise | ✅ | Use Transform Rules to add visitor location headers | 📖 Guide |
3
Update your frontend code
Update your frontend code to send events to your custom domain endpoint.If you’re using Google Tag Manager Web Container, configure it to send events to your server container at your custom domain: