Tracking Update: Tracking Secret

Tracking Secrets allow Advertisers to benefit from enhanced security through the use of cryptographic algorithm signatures.

Tracking Updates

To enhance the security of our tracking we recently made some updates to the way we track to ensure that all transactions are verified and accurate between your shopping cart software and our tracking platform.

What does this update do?

This update adds the functionality of a secret key to all reported transactions generated on your site.

To implement security signatures, you use a cryptographic algorithm called HMAC-SHA1, using a secret key that only you and Commission Factory know. As long as this secret key remains a secret, malicious attackers will not be able to generate valid signatures. Even if an attacker can see a valid signature, they cannot work backwards to determine the original secret key because HMAC-SHA1 is a one-way algorithm.

To help keep the secret key a secret, ensure that you only ever store and use it in server-side code. Generate signatures in server-side code using the secret key and then send only the generated signatures to the web browser. Never generate signatures in client-side code running in the web browser, and never send the secret key to the web browser for any reason.

What is Client-Side Code?

Client side code means that code runs within the browser. This is not secure as a malicious attacker can monitor and see what happens in the browser. Server-side code means the algorithms and functionality all happen on your server - away from prying eyes.

Currently Google Tag Manager runs client side code and will expose your secret key to any bad actor.

We are currently exploring a workaround for Google Tag Manager and will advise our clients if/when we can make an update available.

Why is this update being implemented?

A malicious attacker could send transaction notifications to Commission Factory that look legitimate, even for orders that do not exist.

While it is always good practice to validate transactions in your advertiser account, you can prevent this problem by implementing a security signature as part of your tracking.

Once you have implemented security signatures, your account will be configured to require them for all transaction notifications, in which case invalid transaction notifications would be ignored.


If you're using shopping cart plugins or apps for your Commission Factory integration, these plugins have already had the necessary updates applied to increase the security on your tracking. Some plugins will update automatically and others you may need to manually update them.

Custom Shopping Cart and Other

Instructions for implementing your tracking can be found within the platform under Settings > Tracking Setup.

Follow the instructions provided in the platform to update your tracking to the latest version that includes the new security enhancements.