To add an in-product prompt or run a live website test, you need to connect your website to Maze. You’ll do this by installing a unique tracking code that allows Maze to run these features on your website.
For security reasons, we only allow live website testing tasks and prompts to be shown on pages where you’ve installed the tracking code.
In this article:
- Flowchart
- Where do I find the tracking code?
- Where should I install the code?
- Can I install using a tag manager?
- Can I install through npm?
- How to install the tracking code
- Security and performance FAQs
Flowchart
Where do I find the tracking code?
The Maze tracking code is provided when following the setup instructions below. This tracking code is unique to each team.
After installing your first website, it can also be found at any time by clicking the Code snippet button in the Connected websites tab on the team settings (app.maze.co/team).
If you don’t have access to Maze, please ask a team member to share the code with you directly.
Where do I install the code?
You must install the Maze tracking code in each page that your testers will visit.
We recommend installing it immediately after the website’s opening <head>
tag, or as high in the <head>
as possible. Example:
<head>
<script>Maze script content</script>
head content
</head>
<body>
body content
</body>
The <head>
section loads and renders before the <body>
section. Therefore, installing the snippet right after the <head>
allows it to load and run earlier, resulting in faster loading, better loading, and a reduced chance of errors.
Many times, you only need to add the code once to a global “layout”. But depending on your website, you might need to install it in multiple locations if using multiple layouts.
For instance, if you expect testers to navigate from a public landing page (e.g. https://mywebsite.co
) to an app (e.g. https://dashboard.mywebsite.co
), you’ll need to install the code in both locations.
You should note that if users are sent to a third-party location where the snippet isn't installed (for instance, while logging in), you won't be able to view their behavior on those pages.
Can I install the snippet using a tag manager?
Installing the snippet using a tag manager, such as Google Tag Manager (GTM), is technically possible. The instructions in this article apply regardless of whether you hard-code the snippet on your website or use a tag manager.
In some cases, you might indeed rely on a tag manager to install scripts dynamically only if the end-user has given consent (usually in a cookie consent banner) in order to comply with the privacy laws applicable to you. Please note that it is your responsibility to ensure that the installation and usage of the Maze snippet comply with the obligations of your business and respective jurisdictions.
You should keep in mind that installing the code via tag manager may force testers to take an extra step before running a live website test. This may reduce the response rate. This happens because some popular ad block extensions block code snippets loaded via Google Tag Manager by default.
For this reason, a potential option we’d suggest would be to install the code snippet directly on your website.
Can I install through npm (Node Package Manager)?
No, Maze doesn't have a npm version of the tracking code.
Install the tracking code
To link your website to Maze:
- Make sure you’ve switched to the relevant team and open your Team settings.
- Navigate to the Connected websites tab.
- Click Connect a website.
- Enter your website name and base URL (e.g.
https://mywebsite.co
, without including any subpages) and click Continue.
- To install the tracking code, you’ll need access to your website code. If you have access, select I have access to my website code and click Continue.
Alternatively, select I don’t have access to my website code to share this article with the website developer.
- Copy the tracking code and paste it immediately after your website’s
<head>
. Once you’re ready, click Continue.
- Click Verify to confirm if the snippet is correctly installed on your website. Skipping the verification step prevents prompts from loading on the website. To use the Prompts feature, make sure the code snippet is installed at the root of your website. During verification, our system automatically trims the path, storing and verifying only the root of the website.
- The website will be listed in the Connected websites tab.
- Repeat these steps for each website where you want to add an in-product prompt or a website test.
Security and performance FAQs
Will the Maze script slow down my website?
The Maze script is designed to have a very minimal impact on the performance of your website. It shouldn’t take more than a few milliseconds to load, and this shouldn’t be noticeable at all to your website users.
Asynchronous loading
The Maze script loads asynchronously. Your website will continue to load while the Maze script is being executed.
This means that, even if the script fails to load (which is unlikely), your website will still continue to render as expected without the script.
Dynamic loading
The Maze tracking code you install on your website is used to dynamically run a loader that powers the testing on your website. The tracking code is less than 1kb.
The dynamic loader is less than 10kb and only runs in specific circumstances:
- The loader only runs if the API has a valid response;
- The API keys are only valid for each domain you configure;
- The code for either live website testing or the in-product prompt is only triggered if the destination site is opened in a new tab. If this first check is passed, we send a post message to the tab that opened the site, and attach an event listener to wait for the response. The rest of the live website testing code is only triggered if we get the proper response in the first minute. Otherwise, it’ll have no further impact.
If either of the conditions above are not met, the script isn’t loaded at all.
Content Delivery Network (CDN)
The dynamic loader is served by a Content Delivery Network (CDN).
A CDN is a distributed network of servers that delivers content based on a user’s geographic location. It does this by storing copies of the content on servers located in different places around the world. When someone visits a website using a CDN, the content is delivered to their device from the server closest to them, reducing the distance it needs to travel and making it load faster.
Using a CDN allows us to serve the loader faster, more reliably, securely, and with reduced data usage.
Session-based caching
The script uses session-based caching. The script is loaded only once, even when the user navigates through multiple pages.
Content Security Policy (CSP) directives
A Content Security Policy (CSP) is a security feature that helps protect websites from security threats and vulnerabilities. It does this by specifying the type of content (e.g. scripts, images, videos) that can be loaded on a website, and from which sources they can be loaded. This helps mitigate certain types of malicious attacks, such as cross-site scripting (XSS), clickjacking, and data injection attacks.
If you have a CSP implemented, you’ll need to add a directive that allows files to be loaded from Maze to allow the Maze script to work on your website.
Default: If using a default CSP, we recommend adding the Maze domain as a trusted source in the default-src rules:
default-src https://*.maze.co/
Stricter: If your organization requires stricter restrictions, we recommend the settings below:
script-src https://*.maze.co/ font-src https://*.maze.co/ style-src https://*.maze.co/ connect-src https://*.maze.co/ img-src https://*.maze.co/ frame-src https://*.maze.co/
Strictest: If your CSP requires additional granularity, the following are the minimum rules required for the Maze script to work. Please note that this list is subject to change as this feature evolves. In that case, you’ll need to update your CSP directives so that the snippet can continue to work.
script-src https://snippet.maze.co/ font-src https://snippet.maze.co/ style-src https://snippet.maze.co/ img-src https://snippet.maze.co/ connect-src https://api.maze.co/ https://prompts.maze.co/ frame-src https://t.maze.co/
What measures are in place to guarantee the security of the script?
Change control
Any changes to the script are subject to Maze’s change control policy.
Access to code changes is restricted to authorized employees only. All changes must go through code review and testing before deployment.
Hosting
The script is hosted as part of our general platform infrastructure, with access restricted to authorized employees.
To learn more about the steps Maze takes to keep your data safe, please check out maze.co/security and compliance.maze.co.
Is the script open-source?
The Maze tracking script is closed-source. By keeping the source code closed, Maze controls how the script is developed and distributed.
What data does Maze collect from my testers?
You can learn more in our Privacy Policy.
Is there any tracking in place for general website visitors?
If an in-product prompt or live website test isn’t targeting your website visitors, no information or data will be collected from those users.
What should I consider regarding Privacy Policy requirements when engaging with a website test or a prompt?
You’re responsible for the policies that govern your website and domain—i.e. traffic and journeys directly to your webpages.
Maze’s policies apply when participants interact directly with our endpoints—i.e. when they open a test directly on t.maze.co.
Therefore:
- Website tests: The journey begins at Maze (t.maze.co), and at this point, Maze’s Privacy Policy and Terms of Service are applicable. Once users are redirected to your website as part of the test, your own policies come into effect.
- In-product prompts: For in-product prompts, the journey begins on your website, where your own respective policies apply. If the user is redirected to a Maze test at t.maze.co, or interacts with the Maze widget, then Maze’s policies become applicable.
Still need help?
If you have any questions or concerns, please let our Support team know — we'll be happy to help!