What API development services do you offer?

We offer REST API development, GraphQL APIs, third-party API integration, Laravel API development, and API security implementation. We also provide DevOps services including AWS infrastructure and CI/CD pipelines.

Where are you based and do you work with clients across the UK?

We're based in Leeds, West Yorkshire, but we work with clients across the entire United Kingdom including London, Manchester, Birmingham, and beyond. We work remotely with businesses throughout Britain.

What technologies do you specialise in?

We specialise in Laravel and PHP for backend development, along with RESTful APIs, GraphQL, Node.js, AWS, Docker, Kubernetes, and CloudFlare. We also work with MySQL and PostgreSQL databases.

Do you provide ongoing support after project completion?

Yes, we offer ongoing support and maintenance packages to ensure your APIs and applications continue running smoothly. This includes monitoring, updates, security patches, and performance optimisation.

The Hidden Dangers of Google Tag Manager

Google Tag Manager is sold as a productivity win. Give the marketing team control over their own tracking scripts, remove the development bottleneck, ship faster. On the surface that sounds reasonable. In practice, it hands non-technical users a direct line into your website's JavaScript execution environment, with no code review, no security vetting, and no audit trail that your engineering team will ever see.

What GTM Actually Does

When you install GTM, you are placing a small loader script on every page of your site. That script then reaches out to Google's servers and downloads whatever tags your GTM container is configured to fire. Those tags can be anything: analytics libraries, ad pixels, session recording tools, chat widgets, A/B testing frameworks, or entirely custom HTML blocks containing arbitrary JavaScript.

The critical point is that once the GTM container snippet is on your site, anyone with access to that GTM workspace can push new JavaScript to your production website without a single line of code going through your repository or your deployment pipeline. There is no pull request, no peer review, no staging environment check unless you have deliberately put those guardrails in place yourself - and most teams have not.

The Security Problem

Every script tag added through GTM is executed with full access to the page's DOM, cookies, and any data your application makes available through the data layer. A poorly configured third-party pixel can exfiltrate form data. A compromised vendor whose script you load via GTM can inject malicious code into your users' browsers. A well-intentioned but careless tag can inadvertently expose session tokens or personal information to external domains.

This is not a theoretical risk. Supply chain attacks via tag managers have been used in a number of high-profile payment skimming campaigns, where attackers compromise a third-party analytics vendor and use that access to push credential-harvesting scripts to thousands of websites simultaneously. Your Content Security Policy, carefully crafted to restrict which domains can execute scripts, is largely undermined the moment you include a tag manager that can dynamically load from any origin.

The Magecart attacks are the most cited example, but the underlying mechanism - trusted third-party script injection - is exactly what GTM makes trivially easy for your own internal teams to replicate accidentally. A marketer copies a tag template from a vendor's onboarding doc and pastes it in. Nobody checks what that script actually does. It goes live within minutes.

The Performance Problem

GTM containers have a habit of growing over time. A tag gets added for one campaign, then forgotten. Another goes in for a tool you evaluated but never adopted. A third fires on every page when it should only fire on checkout. Because there is no friction to adding tags, and removing them requires someone to remember they exist, most mature GTM containers are carrying significant dead weight.

Each tag represents additional network requests, additional JavaScript parsing, and additional execution time. Session recording tools in particular - Hotjar, FullStory, Microsoft Clarity - are significant scripts that capture and replay user interactions. They are not cheap to run in terms of page performance, and their data collection practices deserve careful scrutiny before you load them on every page of your application.

Google's own Core Web Vitals metrics penalise slow pages, which is somewhat ironic given that Google also provides the tool most often responsible for degrading those metrics. Long Tasks caused by tag manager payloads are a common culprit behind poor Interaction to Next Paint scores.

The Governance Problem

When a developer adds a dependency, it appears in package.json. It gets reviewed. It gets discussed. It can be audited against known vulnerability databases. When a marketer adds a tag in GTM, it appears nowhere in your codebase. There is no diff. There is no record in your version control history. If something breaks or data leaks, correlating the GTM change to the incident requires access to GTM's own change log - assuming you even think to look there.

This matters particularly under GDPR and UK data protection law. If a tag added to your GTM container is sending user data to a third party in a way you have not disclosed in your privacy policy, your organisation carries that liability. The fact that a marketer added it without telling the engineering team is not a defence.

What a Better Approach Looks Like

The goal is not to remove your marketing team's ability to iterate quickly. It is to ensure that iteration happens within boundaries your engineering and security teams have approved. A few practical steps make a significant difference:

Treat GTM workspaces like production access. The same person who cannot push directly to your main branch should not have unrestricted publish rights in GTM. Require approval workflows for container changes.
Implement a Content Security Policy. A strict CSP will limit the damage a rogue or compromised tag can do. It will not prevent the tag from loading, but it will restrict what domains it can communicate with.
Audit your container regularly. Export the container JSON and review what is in it. Remove tags for tools you no longer use. Confirm that firing rules are appropriately scoped.
Use server-side GTM for sensitive pages. Server-side tagging moves script execution off the user's browser and onto infrastructure you control. It adds complexity but dramatically reduces the attack surface.
Consider whether GTM is the right tool at all. For applications where performance and security are critical, loading analytics and marketing scripts directly in your application code - with full version control and review - may be a better trade-off than the flexibility GTM provides.

The Broader Principle

GTM is a well-designed tool for the problem it is solving. The issue is not with Google Tag Manager itself but with the assumption that non-technical access to your production JavaScript environment is a safe default. It is not. Every script that runs on your website is your responsibility, regardless of who added it or through what mechanism.

If your team is grappling with how to balance marketing velocity against security and performance standards, or if you are concerned about what your current GTM container is actually doing, we are happy to talk through your specific situation. Get in touch with the team.