For developers

Ship with confidence. Privacy-check before every deploy.

Tag Leak scans your staging or production URL and tells you exactly which tags and cookies fire before consent — with GCM v2 scoring, TCF v2.3 detection, and security header audit included.

Scan regulation:All RegulationsGDPRUK GDPRCCPA / CPRALGPDPOPIAPDPA

Free scan — no signup required

The compliance gaps you cannot see in your IDE

GTM deploys break consent silently

A new GTM tag or trigger config pushed by marketing can start firing before consent without touching a line of code. You only find out when someone files a complaint.

GCM v2 is harder to verify than to implement

Dropping gtag consent calls into the codebase is step one. Verifying that the default state, update timing, and all 7 parameters are correctly configured requires intercepting calls before any page script runs.

Security headers are an afterthought until they aren't

Missing HSTS, CSP, or X-Frame-Options get flagged in security audits and by compliance teams. Tag Leak surfaces all six headers in the same scan as your consent check.

How Tag Leak helps

A compliance checkpoint that fits in your workflow

No code to install. No SDK. Just a URL. Tag Leak loads your site exactly as a browser would and captures everything.

Two-pass stealth scan — pre and post consent

The scanner loads your site twice — once before any consent interaction to capture what fires immediately, and again after consent is given to see what should have waited. The difference is your compliance state.

  • Works on sites with bot protection and IP-based geo-targeting
  • Detects cookies, ad pixels, analytics tags, and third-party tracking scripts
  • 50,000+ known tracker signals across ad networks, analytics, and data brokers
  • Per-finding severity: critical / warning / info / compliant

Google Consent Mode v2 — full parameter audit

Tag Leak verifies your GCM v2 implementation before any other page code runs. You get a scored breakdown of all 7 parameters, default vs updated consent values, and GTM container IDs detected.

  • Detects v1 vs v2 — flags if you are on the outdated v1 standard
  • Checks: ad_storage, ad_user_data, ad_personalization, analytics_storage, functionality_storage, personalization_storage, security_storage
  • Score 0–100 based on default consent state and version
  • GA4 and Google Ads findings downgraded to warnings when GCM v2 is correctly implemented

IAB TCF v2.3 — the standard your CMP must pass

Tag Leak verifies whether your CMP is serving TCF v2.3 (not the outdated 2.0), whether the event status is correct, and whether all 11 IAB purposes have consent recorded.

  • Detects v2.3 vs expired v2.2 vs outdated v2.0 — flags outdated policy version
  • Validates event status and TC string
  • Audits all 11 IAB consent purposes
  • Shows vendor count and TC string presence
  • Score 0–100 with specific issues listed

Security headers + multi-page scanning

Six security response headers checked on every scan: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Multi-page scanning discovers URLs from your sitemap and runs pages in parallel.

  • Starter: 25 pages per scan | Pro: 100 pages per scan
  • Per-page score, critical/warning count, and consent banner status
  • Findings deduplicated across pages — one finding per unique violation
  • First-party proxy and server-side tagging detection

Make compliance part of your deploy checklist.

One URL, 60 seconds, no installation. Know your compliance state before you push.

No signup required. Results in 60 seconds.