For developers

Ship with confidence. Privacy-check before every deploy.

Tag Leak runs a stealth Chromium browser against your staging or production URL and tells you exactly which tags, cookies, and storage writes fire before consent — with GCM v2 scoring, TCF v2.2 detection, and security header audit included.


Free scan — no signup required

The compliance gaps you cannot see in your IDE

GTM deploys break consent silently

A new GTM tag or trigger config pushed by marketing can start firing before consent without touching a line of code. You only find out when someone files a complaint.

GCM v2 is harder to verify than to implement

Dropping gtag consent calls into the codebase is step one. Verifying that the default state, update timing, and all 7 parameters are correctly configured requires intercepting calls before any page script runs.

Security headers are an afterthought until they aren't

Missing HSTS, CSP, or X-Frame-Options headers get flagged in security audits and by compliance teams. Tag Leak surfaces all six headers in the same scan as your consent check.

How Tag Leak helps

A compliance checkpoint that fits in your workflow

No code to install. No SDK. Just a URL. Tag Leak loads your site exactly as a browser would and captures everything.

Two-pass stealth scan — pre and post consent

Pass 1 captures everything that fires before consent interaction. Pass 2 clicks the consent banner (via 50+ CSS selectors, programmatic CMP API calls, iframe probing, and shadow DOM piercing) and captures what fires after. The diff is your compliance state.

  • Playwright stealth browser bypasses Cloudflare, Akamai, and bot detection
  • Captures network requests, cookies, localStorage, and sessionStorage writes
  • 50,000+ known tracker signals from Disconnect.me, EasyPrivacy, and DuckDuckGo Tracker Radar
  • Per-finding severity: critical / warning / info / compliant

Google Consent Mode v2 — full parameter audit

The scanner injects an init script before any page code runs and intercepts every gtag consent call and dataLayer push. You get a scored breakdown of all 7 GCM v2 parameters, default vs updated consent values, and GTM container IDs detected.

  • Detects v1 vs v2 — flags if you are on the outdated v1 standard
  • Checks: ad_storage, ad_user_data, ad_personalization, analytics_storage, functionality_storage, personalization_storage, security_storage
  • Score 0–100: -30 for no default call, -10 per parameter defaulting to granted, -15 for v1
  • GA4 and Google Ads criticals downgraded to warnings when GCM v2 score ≥ 70 with explicit denied defaults
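
The scoring rules in the list above, worked through as an added example (not Tag Leak's code): it scores a captured dataLayer, which is a constructed sample here. Function names are hypothetical, and two points the page leaves open are assumptions: a setup counts as v1 when no consent call sets ad_user_data or ad_personalization, and only an explicit 'granted' default costs points.

```javascript
// The seven GCM v2 parameters listed on the page.
const GCM_PARAMS = ['ad_storage', 'ad_user_data', 'ad_personalization',
  'analytics_storage', 'functionality_storage', 'personalization_storage',
  'security_storage'];

// gtag() pushes its `arguments` object onto dataLayer, while GTM pushes plain
// objects such as {event: 'gtm.js'}; keep only the array-like consent calls.
function consentCalls(dataLayer) {
  return dataLayer
    .filter((e) => e && typeof e.length === 'number' && e[0] === 'consent')
    .map((e) => ({ type: e[1], values: e[2] || {} }));
}

// Hypothetical scorer applying the page's deductions: -30 for no default
// call, -10 per parameter defaulting to granted, -15 for v1.
function scoreGcm(dataLayer) {
  const calls = consentCalls(dataLayer);
  const defaultCalls = calls.filter((c) => c.type === 'default');
  // Later default calls override earlier ones, key by key.
  const defaults = Object.assign({}, ...defaultCalls.map((c) => c.values));
  const hasDefault = defaultCalls.length > 0;
  const seen = new Set(calls.flatMap((c) => Object.keys(c.values)));
  // Assumption: v1 = consent calls exist but never set the two v2-only keys.
  const isV1 = calls.length > 0 &&
    !seen.has('ad_user_data') && !seen.has('ad_personalization');
  // Assumption: only an explicit 'granted' default is penalised.
  const grantedByDefault = GCM_PARAMS.filter((p) => defaults[p] === 'granted');

  let score = 100;
  if (!hasDefault) score -= 30;
  score -= 10 * grantedByDefault.length;
  if (isV1) score -= 15;
  return { score: Math.max(0, score), hasDefault, isV1, grantedByDefault };
}

// Constructed sample capture: a v1-style default that grants analytics.
const sample = [];
function gtag() { sample.push(arguments); }
sample.push({ event: 'gtm.js' });
gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' });
gtag('consent', 'update', { ad_storage: 'granted' });
const sampleResult = scoreGcm(sample); // score 75: -10 granted default, -15 v1
```
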

IAB TCF v2.2 — the standard your CMP must pass

Tag Leak calls __tcfapi directly — the same API a regulator's verification tool would use — and checks whether your CMP is serving TCF v2.2 (not the outdated 2.0), whether the event status is correct, and whether all 11 IAB purposes have consent recorded.

  • Detects v2.2 vs v2.0 — flags outdated policy version
  • Validates event status (useractioncomplete vs loaded)
  • Audits all 11 IAB consent purposes (P1–P11)
  • Shows vendor count and TC string presence
  • Score 0–100 with specific issues listed

Security headers + multi-page scanning

Six security response headers checked on every scan: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Multi-page scanning discovers URLs from your sitemap and runs pages in parallel.

  • Starter: 25 pages per scan | Pro: 100 pages per scan
  • Per-page score, critical/warning count, and consent banner status
  • Findings deduplicated across pages — one finding per unique violation
  • CNAME / server-side proxy detection flags first-party subdomains forwarding tracker traffic

Make compliance part of your deploy checklist.

One URL, 60 seconds, no installation. Know your compliance state before you push.

No signup required. Results in 60 seconds.