DataUnlocker Protection
DataUnlocker Protection shields your analytics and marketing tags from blockers and privacy tools. It consists of two main parts:
- Protection Modes: A global switch to control how strictly DataUnlocker enforces protection.
- Network Protection: A configuration panel to define which resources (domains and services) are protected.
Protection Modes
Protection Modes allow you to choose the level of enforcement for DataUnlocker's protection features, including Defender and Network Protection. You can change the mode at any time from your domain's dashboard in the DataUnlocker Admin.
Here are the available modes:
| Mode | What it does | When to use |
|---|---|---|
| Full | Enables all JavaScript hardening and end-to-end network request protection. If DataUnlocker is tampered with or its protected routes fail, your app enters Limited Mode. | Mature rollouts and blocker-heavy audiences; properties where analytics accuracy is business-critical. |
| Light | Keeps JavaScript protection on but skips end-to-end network request enforcement. Network failures will not trigger Limited Mode. | Intermediate rollouts; when you want the benefits of Defender and proxying but prefer not to interrupt the app on transient network failures. |
| Failsafe | Applies network and JavaScript protections but will not activate Limited Mode due to blocking, network issues, or validation errors. | First-day production rollouts; stakeholder sign-off phases; smoke-testing on large sites. |
| Disabled | Does not patch browser APIs and does not proxy analytics traffic. The initial handshake still loads to deliver Secure Enclave code, but DataUnlocker remains passive after that. | Emergency switch while investigating issues; A/B comparisons in production. |
Rollout Playbook
We recommend a staged rollout to ensure a smooth and safe deployment:
- Start with Failsafe: Install Defender, configure your Transport Endpoint, and enable relevant Resource Groups (e.g.,
google,meta,tiktok) in the Network Protection settings. Let it run for a few days. - Watch your dashboard: In the DataUnlocker Admin, review your domain's dashboard for:
- Proxied services and request volumes.
- Defender → Limited Mode candidates: Check if any users would have entered Limited Mode under stricter settings.
- Network errors on your Transport Endpoint.
- Move to Light: If the Failsafe run looks stable, switch to Light mode. This enables full protection without the risk of Limited Mode from transient network issues.
- Go Full: Once you are confident in the stability and coverage, switch to Full mode. At this stage, your analytics are tightly coupled with your application and become effectively unwirable.
You can switch between modes instantly in the DataUnlocker Admin. If you need assistance, contact us via the support email in your dashboard or on Telegram.
Network Protection Configuration
Network Protection is where you define what to protect. Here, you can enable protection for specific domains or use pre-configured Resource Groups to protect common services like Google Analytics, GTM, Meta Pixel, and more.
DataUnlocker routes traffic for these resources through your Transport Endpoint, making them resistant to network and ad blockers.
How it works
When a resource is enabled in your Network Protection configuration, DataUnlocker's Defender (running in the user's browser) will route any network requests to that resource through your secure Transport Endpoint.
The level of enforcement for this protection is determined by the global Protection Mode you have selected.
Setting up Network Protection
- Navigate to the Network Protection section in your domain's dashboard.
- Enable the Resource Groups for the services you use (e.g.,
google,meta,tiktok). - If you have custom or self-hosted services that need protection, add their domains (or paths, for first-party network requests protection) to the list.
- Click Apply to save the configuration.
Resource Groups
Resource groups are pre-defined collections of domains for popular third-party services. Using them is the easiest way to protect a service, as DataUnlocker maintains the list of all associated domains.
If you need to protect a service not covered by a resource group, you can add the relevant domains manually.
End-to-end Request Protection
End-to-end protection is a feature of Full mode that cryptographically validates each proxied network request. It ensures that requests cannot be tampered with between the browser and the destination server.
When enabled, Defender attaches a temporary, single-use validation token to each request. This makes it extremely difficult for even the most advanced blockers to identify and interfere with your analytics traffic based on network patterns. In Light and Failsafe modes, this strict validation is disabled to prevent triggering Limited Mode on network failures.
FAQ
Will SEO be affected? No. DataUnlocker only affects the analytics and API requests you choose to protect. It does not modify HTML rendering or interfere with search engine crawlers.
What is the performance impact? It depends on your own proxy in front of DataUnlocker. Proxy latency to Cloudflare endpoints is typically a few milliseconds, and DataUnlocker's proxy network runs on Cloudflare's global edge.
Does this replace server-side tagging (e.g., ssGTM)? No, but it complements it. Server-side tagging alone does not stop ad blockers from blocking the initial data collection in the browser. DataUnlocker ensures that data reaches your server-side container in the first place.