In order to add an in-product prompt or run a live website test, you need to connect your website to Maze. You’ll do this by installing a unique tracking code that allows Maze to run these features on your website.
For security reasons, we only allow live website testing tasks and prompts to be shown on pages where you’ve installed the tracking code.
In this article:
- Where do I find the tracking code?
- Where should I install the code?
- Can I install using a tag manager?
- Can I install through npm?
- How to install the tracking code
- Security and performance FAQs
Where do I find the tracking code?
The Maze tracking code is provided when following the setup instructions below. This tracking code is unique to each team.
After installing your first website, it can also be found at any time by clicking the Code snippet button in the Connected websites tab on the team settings (app.maze.co/team).
If you don’t have access to Maze, please ask a team member to share the code with you directly.
Where do I install the code?
You must install the Maze tracking code in each page that your testers will visit.
We recommend installing it immediately after the website’s opening
<head> tag, or as high in the
<head> as possible. Example:
<script>Maze script content</script>
<head> section loads and renders before the
<body> section. Therefore, installing the snippet right after the
<head> allows it to load and run earlier, resulting in faster loading, better loading, and reduced chance of errors.
Many times, you only need to add the code once to a global “layout”. But depending on your website, you might need to install it in multiple locations if using multiple layouts.
For instance, if you expect testers to navigate from a public landing page (e.g.
https://mywebsite.co) to an app (e.g.
https://dashboard.mywebsite.co), it’s likely that you’ll need to install the code in both locations.
You should note that, if users are forwarded to a third-party location where the snippet isn't installed (for instance, while logging in), you won't be able to view their behavior on those pages.
Can I install the snippet using a tag manager?
Installing the snippet using a tag manager, such as Google Tag Manager (GTM), is technically possible. The instructions in this article apply regardless of whether you hard-code the snippet on your website or use a tag manager.
In some cases, you might indeed rely on a tag manager to install scripts dynamically only if the end-user has given consent (usually in a cookie consent banner) in order to comply with the privacy laws applicable to you. Please note that it is your responsibility to ensure that the installation and usage of the Maze snippet comply with the obligations of your business and respective jurisdictions.
You should keep in mind that installing the code via tag manager may force testers to take an extra step before running a live website test. This may reduce the response rate. This happens because some popular ad block extensions block code snippets loaded via Google Tag Manager by default.
For this reason, a potential option we’d suggest would be to install the code snippet directly on your website.
Can I install through npm (Node Package Manager)?
No, Maze doesn't have an npm version of the tracking code.
Install the tracking code
To link your website to Maze:
- Ensure you’ve switched to the relevant team and open your Team settings.
- Navigate to the Connected websites tab.
- Click Connect a website.
- Enter your website name and base URL (e.g.
https://mywebsite.co, without including any subpages) and click Continue.
- To install the tracking code, you’ll need access to your website code. If you have access, select I have access to my website code and click Continue.
Alternatively, select I don’t have access to my website code to share this article with the website developer.
- Copy the tracking code and paste it immediately after your website’s
<head>. Once you’re ready, click Continue.
- Click Verify to confirm if the snippet is correctly installed on your website. Skipping the verification step prevents from loading on the website. To use the Prompts feature, ensure the code snippet is installed at the root of your website. During verification, our system automatically trims the path, storing and verifying only the root of the website.
- The website will be listed in the Connected websites tab.
- Repeat these steps for each website where you want to add an in-product prompt or a website test.
Security and performance FAQs
Will the Maze script slow down my website?
The Maze script is designed to have a very minimal impact on the performance of your website. It shouldn't take more than a few milliseconds to load, and this shouldn't be noticeable at all to your website users.
The Maze script loads asynchronously. Your website will continue to load while the Maze script is being executed.
This means that, even if the script fails to load (which is unlikely), your website will still continue to render as expected without the script.
The Maze tracking code you install on your website is used to dynamically run a loader that powers the testing on your website. The tracking code is less than 1KB.
The dynamic loader is less than 10KB and only runs in specific circumstances:
- the loader only runs if the API has a valid response;
- the API keys are only valid for each domain you configure;
- the code for either live website testing or the in-product prompt is only triggered if the destination site is opened on a new tab. If this first check is passed, we send a post message to the tab that opened the site, and attach an event listener to wait for the response. The rest of the live website testing code is only triggered if we get the proper response in the first minute. Otherwise, it will have no further impact.
If either of the conditions above is not met, the script is not loaded at all.
Content Delivery Network (CDN)
The dynamic loader is served by a Content Delivery Network (CDN).
A CDN is a distributed network of servers that delivers content based on a user's geographic location. It does this by storing copies of the content on servers located in different places around the world. When someone visits a website using a CDN, the content is delivered to their device from the server closest to them, reducing the distance it needs to travel and making it load faster.
Using a CDN allows us to serve the loader faster, more reliably, securely, and with reduced data usage.
The script uses session-based caching. The script is loaded only once, even when the user navigates through multiple pages.
Content Security Policy (CSP) directives
A Content Security Policy (CSP) is a security feature that helps protect websites from security threats and vulnerabilities. It does this by specifying the type of content (e.g. scripts, images, videos) that can be loaded on a website, and from which sources they can be loaded. This helps mitigate certain types of malicious attacks, such as cross-site scripting (XSS), clickjacking, and data injection attacks.
If you have a CSP implemented, you'll need to add a directive that allows files to be loaded from Maze in order to allow the Maze script to work on your website.
Default: If using a default CSP, we recommend adding the Maze domain as a trusted source in the default-src rules:
Stricter: If your organization requires stricter restrictions, we recommend the settings below:
script-src https://*.maze.co/ font-src https://*.maze.co/ style-src https://*.maze.co/ connect-src https://*.maze.co/ img-src https://*.maze.co/
Strictest: If your CSP requires additional granularity, the following are the minimum rules required for the Maze script to work. Please note that this list is subject to change as this feature evolves. In that case, you'll need to update your CSP directives so that the snippet can continue to work.
script-src https://snippet.maze.co/ font-src https://snippet.maze.co/ style-src https://snippet.maze.co/ img-src https://snippet.maze.co/ connect-src https://api.maze.co/ https://prompts.maze.co/
What measures are in place to ensure the security of the script?
Any changes to the script are subject to Maze’s change control policy.
Access to code changes is restricted to authorized employees only. All changes must go through code review and testing before deployment.
The script is hosted as part of our general platform infrastructure, with access restricted to authorized employees.
Is the script open-source?
The Maze tracking script is closed-source. By keeping the source code closed, Maze controls how the script is developed and distributed.
What data does Maze collect from my testers?
Is there any tracking in place for general website visitors?
If your website visitors are not being targeted by an in-product prompt or live website test, no information or data will be collected from those users.
Still need help?
If you have any questions or concerns, please let our Support team know — we'll be happy to help!