Minify code to increase security and performance

I noticed that the code we write in tag manager isn’t minified.

And even worse:

  • all the comments in the files
  • names of tags
  • names of variables

are all exposed to the visitor.

For me this is a real issue.

  • It is a potential security issue, because internally intended business information is publicly exposed.
  • It is also a performance issue, because a lot of useless information is available in the script file.

To give you an example, I have compared the container files from Piwik and GTM:

  • GTM: 197KB
  • Piwik: 280KB

(I’m not using consent manager)

Questions:

  • For Piwik: Are there (short term) plans to fix this? Especially removing comments and internal namings from the script file?
  • For community: how do you handle this?

It is simple: I recommend never to send internal information from client side tag manager.

But that’s the whole idea of a tag management solution. Manage your tags in there and add them as optimised as possible to the frontend.
Isn’t it?
The added value gets lost when I have to add another solution in between where I manage the readable version of the code with comments etc.

Hi @rmeekers

As @Mikko_Piippo mentions, you should never use any application directly tied to analytics data to handle sensitive business information, as this could easily lead to a serious breach of GDPR compliance.

If you insist on doing this, at least make sure it is encrypted and non-traceable.

We handle a lot of sensitive information on our site. I’m not an expert on this particular topic on our site (this is our developers’ responsibility), but I know we use encrypted API data to handle this in our application, not Piwik Analytics.

If that’s not an option, you might want to look at true Business Intelligence tools like Tableau, QlikView, Salesforce or other BI tools that may satisfy your needs.

Br.
Martin

I think there is a misunderstanding here. I’m not talking about PII information or other GDPR related information.
But in software development you add comments to your code. No?
Those comments are meant for developers (company internals) and should thus not end up on the frontend. And that’s exactly what is happening here.
Most comments are probably okay to be exposed, but from a hacker perspective, comments are often very useful to help them find security leaks. And that’s why I am saying that they should not end up on the frontend.
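The point raised in the opening post and again here is that the container a visitor downloads still carries developer comments, tag names and internal notes. One practical way to check what your own container exposes before it ships is to scan it for comments and measure what stripping them saves. The script below is an added example written for this thread; it is not Piwik PRO or GTM code, and `SAMPLE_CONTAINER` is a constructed stand-in for a small, unminified container. It recognises string, template and regex literals so that a `//` inside a URL string or a regex is not mistaken for a comment, keeps `/*!` license banners the way real minifiers do, and reports every comment it removed so you can review them. It is a review aid, not a minifier: for production, a real minifier such as terser also renames identifiers and removes whitespace safely.

```javascript
// Added example for this thread (not Piwik PRO's or GTM's code): find and strip
// JavaScript comments from a container script and report what was exposed.
// Limitations: comments inside template-literal ${...} expressions are not
// handled, and regex-vs-division detection is heuristic.

// Decide whether a "/" at this point may start a regex literal: after nothing,
// after most punctuation, or after a keyword such as "return"; otherwise it is
// a division operator (e.g. after an identifier or a closing parenthesis).
function regexAllowedAfter(out) {
  const m = out.match(/(\S)\s*$/);            // last non-space character emitted
  if (!m) return true;                         // start of file
  if ("(,=:[!&|?{};+-*%<>~^".includes(m[1])) return true;
  const kw = out.match(/([A-Za-z_$][\w$]*)\s*$/);
  return !!kw && /^(return|typeof|case|do|else|in|of|throw|new|delete|void|instanceof|yield|await)$/.test(kw[1]);
}

// Walk the source once, copying literals verbatim and removing comments.
function stripComments(src) {
  const comments = [];
  let out = "";
  let i = 0;
  while (i < src.length) {
    const c = src[i], next = src[i + 1];
    if (c === '"' || c === "'" || c === "`") {          // string / template literal
      let j = i + 1;
      while (j < src.length && src[j] !== c) {
        if (src[j] === "\\") j++;                       // skip the escaped character
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (c === "/" && next === "/") {                    // line comment to end of line
      let j = src.indexOf("\n", i);
      if (j === -1) j = src.length;
      comments.push({ kind: "line", text: src.slice(i + 2, j).trim() });
      i = j;                                            // the newline itself is kept
      continue;
    }
    if (c === "/" && next === "*") {                    // block comment
      const close = src.indexOf("*/", i + 2);
      const end = close === -1 ? src.length : close;    // unterminated: runs to EOF
      const body = src.slice(i + 2, end);
      const after = close === -1 ? end : end + 2;
      if (body.startsWith("!")) {                       // "/*!" license banner: keep it
        out += src.slice(i, after);
      } else {
        comments.push({ kind: "block", text: body.trim() });
        out += " ";                                     // a comment separates tokens
      }
      i = after;
      continue;
    }
    if (c === "/" && regexAllowedAfter(out)) {          // regex literal: copy verbatim
      let j = i + 1, inClass = false;
      while (j < src.length && (src[j] !== "/" || inClass) && src[j] !== "\n") {
        if (src[j] === "\\") j++;
        else if (src[j] === "[") inClass = true;
        else if (src[j] === "]") inClass = false;
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    out += c;
    i++;
  }
  return { code: out, comments };
}

// Strip comments, drop the blank lines that leaves behind, and report the sizes.
function auditContainer(src) {
  const { code, comments } = stripComments(src);
  const compact = code.split("\n").map((l) => l.trimEnd()).filter((l) => l.trim() !== "").join("\n");
  const before = new TextEncoder().encode(src).length;
  const after = new TextEncoder().encode(compact).length;
  return { before, after, savedPercent: Math.round((1 - after / before) * 1000) / 10, comments, code: compact };
}

// Sanity check that the stripped output is still syntactically valid JavaScript.
function parsesAsJavaScript(code) {
  try { new Function(code); return true; } catch (e) { return false; }
}

// Constructed sample of what a small, unminified container might look like.
const SAMPLE_CONTAINER = `/*! Sample container - license header kept by minifiers */
// Tag: "Checkout - Conversion pixel" (owner: growth team, ticket WEB-123)
var pageUrl = "https://example.com/a?b=1"; // keep the scheme
var isCheckout = /\\/checkout\\//.test(pageUrl); /* regex, not a comment */
var note = 'don\\'t // strip me';
/* Variable: internal campaign id mapping */
var campaign = pageUrl.match(/[?&]utm_campaign=([^&]+)/);
if (isCheckout) { fire("conversion"); }

function fire(name) { /* TODO: remove debug */ return name; }
`;

const report = auditContainer(SAMPLE_CONTAINER);
console.log(`${report.before} -> ${report.after} bytes (${report.savedPercent}% saved), ${report.comments.length} comments removed`);
report.comments.forEach((c) => console.log(`[${c.kind}] ${c.text}`));
```

Run it against an exported container and read the comment list: every entry is text a visitor can already see, so that list is the concrete answer to "what internal information is this container exposing". The size figure only reflects comments and blank lines; identifier renaming, which a real minifier adds, is where the rest of the difference against a minified container comes from.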

@rmeekers

Fair enough, I can see how I misunderstood your question.

With that being said, I think my original point still stands. Any sensitive information should never be handled in the codebase. We have a bunch of comments in our codebase, but these are novel instructions.

We use Jira and Confluence to document how our code works. Pretty much a comprehensive library of information which is intended to help new developers learn the inner workings of our codebase.

Hope it helps!

It helps, but I don’t agree. You only focus on the security part of my question. I can accept that we don’t agree there.

But for me, this is really basic functionality of a tag management system: optimising code in terms of size and execution.

Hi, thanks for the suggestion. I am adding a feature request to the backlog.

Minifying won’t significantly affect a container’s performance. The difference will be unnoticeable. In some cases it may even have a negative impact.

The difference between GTM and Piwik PRO container size is a result of a different approach. We already have in the backlog tasks related to optimization.


Thanks @Maciej_Kowcun. Is there a roadmap you can share with us so we have an idea about what’s coming?

Unfortunately, there is no roadmap I can share with you.