Your embed code
Paste as the first script in <head>. That's it.
<script src="/loader.js?key=YOUR_SITE_KEY" data-cf-ignore="true"></script>
Get your key instantly when you sign up — no domain setup required.
WordPress (recommended)
Download the official plugin — it injects the loader first in <head>, excludes WP Rocket / optimizers, and reports your script queue for scanning.
- Plugins → Add New → Upload Plugin → activate
- Settings → ConsentFlow → paste your server URL and site key from the dashboard
- Remove manual embeds from HFCM / theme header; deactivate other cookie banner plugins
- Clear WP Rocket and CDN cache
Bulletproof checklist
- First in <head> — before GTM, analytics, or any tracker
- WordPress — use the plugin (injects at priority -9999 + reports WP script queue)
- Webflow — paste in Head Code, publish, then visit the live site once
- Privacy links — add URLs in dashboard Settings (or let auto-scan pull them)
- After policy changes — bump Policy Version in Settings to force re-consent
- CSP sites — inline scripts get the page nonce automatically; optional <meta name="csp-nonce" content="...">
- IAB TCF — set your registered CMP ID in Settings (GVL cached on your server)
- Verify — dashboard Scanner tab should show Healthy + tracker count
Triple-layer detection
- Server crawl — sitemap + up to 20 pages, retries on failure
- Live browser — embed reports scripts & cookies from real visitors (GTM, SPA)
- WordPress plugin — reports enqueued scripts from PHP (optional but recommended)
Tag or ignore your scripts
In strict regions (GDPR, California / CIPA), unknown scripts are blocked until consent. Mark your own code:
- Always run — data-cf-ignore="true" on your app JS and the ConsentFlow loader
- Essential — data-consent="essential" on login, cart, security scripts
- Wait for consent — type="text/plain" data-consent="analytics" (or marketing, preferences) on trackers
<script src="/assets/app.js" data-cf-ignore="true"></script>
<script type="text/plain" data-consent="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXX"></script>
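A pre-deploy check for the tagging rules above and the "First in <head>" checklist item, as an added example (not ConsentFlow's own code). The function names, the `/loader.js` substring match and the "mistagged" label are assumptions of this sketch; how the loader itself treats a script tagged without type="text/plain" is not stated on this page.

```python
from html.parser import HTMLParser

DEFERRED = {"analytics", "marketing", "preferences"}  # categories named on the page

# Constructed sample page (not from a real site).
SAMPLE = """<html><head>
<script src="/assets/app.js" data-cf-ignore="true"></script>
<script src="/loader.js?key=YOUR_SITE_KEY" data-cf-ignore="true"></script>
<script type="text/plain" data-consent="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXX"></script>
<script data-consent="marketing" src="/pixel.js"></script>
</head><body><script src="/widget.js"></script></body></html>"""

class ScriptCollector(HTMLParser):  # records each <script> and whether it is in <head>
    def __init__(self):
        super().__init__()
        self.in_head, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            self.scripts.append((self.in_head, dict(attrs)))
    def handle_endtag(self, tag):
        self.in_head = self.in_head and tag != "head"

def classify(attrs):
    """Map a script's attributes to the tagging rules listed on the page."""
    consent = (attrs.get("data-consent") or "").lower()
    if attrs.get("data-cf-ignore") == "true":
        return "always-run"
    if consent == "essential":
        return "essential"
    if consent in DEFERRED:
        # Without type="text/plain" the browser treats it as ordinary JavaScript.
        inert = (attrs.get("type") or "").lower() == "text/plain"
        return "wait:" + consent if inert else "mistagged"
    return "unknown"  # blocked until consent in strict regions, per the page

def audit(html, loader_path="/loader.js"):  # loader_path match is an assumption
    parser = ScriptCollector()
    parser.feed(html)
    head = [a for in_head, a in parser.scripts if in_head]
    findings = []
    if not head or loader_path not in (head[0].get("src") or ""):
        findings.append("loader is not the first script in <head>")
    for _, attrs in parser.scripts:
        label = classify(attrs)
        if label in ("unknown", "mistagged"):
            findings.append(f"{label}: {attrs.get('src') or '<inline>'}")
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the loader ordering problem, the marketing pixel missing type="text/plain", and the untagged body widget.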
Compliance built in
- Accept / Reject / Manage preferences on every banner
- Geo mode: GDPR + CIPA (CA) prior consent, CCPA opt-out elsewhere, GPC honored
- California (CIPA): scripts, pixels, iframes, fetch/beacons blocked until authorized consent
- Google Consent Mode v2 + Microsoft UET + IAB TCF 2.2
- Consent audit CSV export from Analytics tab