Head Script Privacy

  • 7 September 2023
  • 2 replies

Since the script is just pasted into the head of our code, it is client-side information and thus has the potential to be copied and misused. I have read a lot on your website about how you protect privacy and data security on your platform, but nothing regarding the actual code snippet.

2 replies

Hi @MerelJac! Thanks for reaching out, and welcome to the Community. You’re correct–the FullStory snippet is installed client-side. We don’t commonly see issues where users copy scripts, but I do have some tips for you to help mitigate this nonetheless. 

  • First, create a metric grouped by URL Host to monitor domains captured in your FullStory account. Here’s a short video that walks you through this!
  • If you see any domains that shouldn’t be there, update your Data Capture settings to block them.
  • After they’re blocked, FullStory’s Support Team can help with deleting any sessions captured from the rogue domain. 

Hi @MerelJac, one of my recommendations is to only allow FullStory to capture on the domains your team defines and disable the “All other domains” option, as described in this FullStory help article.

As Megan noted, this isn’t a common issue, but limiting the capture to specific domains will give you the confidence that the script won’t run if deployed maliciously.
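
An added example, not part of the replies above and not FullStory code: once the hosts behind the URL Host metric are written down, a short script can flag any host outside your allowlist. The row format, the `ALLOWED_DOMAINS` value, the sample rows, and treating subdomains as allowed are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains your team expects the snippet to run on (placeholder value).
ALLOWED_DOMAINS = {"acme.example"}

# Constructed sample rows: (URL or host as recorded, number of sessions).
SAMPLE_ROWS = [
    ("www.acme.example", 1200),
    ("https://shop.acme.example/cart", 340),
    ("ACME.example:443", 15),
    ("acme.example.", 2),                # trailing dot is still the same host
    ("acme.example.mirror.test", 22),    # allowed name used only as a prefix
    ("notacme.example", 7),              # shares a suffix, but not on a label boundary
    ("localhost:3000", 3),
    ("acme.example.mirror.test", 5),
]


def normalize_host(value):
    """Return the lowercase hostname of a bare host or full URL, without port or trailing dot."""
    value = value.strip()
    if "//" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the network location
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def is_allowed(host, allowed=ALLOWED_DOMAINS):
    """Exact match or a true subdomain; a plain endswith(domain) would accept look-alikes."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def unexpected_hosts(rows, allowed=ALLOWED_DOMAINS):
    """Total sessions per host outside the allowlist, largest first."""
    totals = {}
    for raw, sessions in rows:
        host = normalize_host(raw) or "(no host)"
        if not is_allowed(host, allowed):
            totals[host] = totals.get(host, 0) + sessions
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for host, sessions in unexpected_hosts(SAMPLE_ROWS).items():
        print(f"{sessions:6d}  {host}")
```

Hosts the script reports are the candidates to block in the Data Capture settings described above.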