Install Self Hosted Version
How to integrate your website with Safary script (self-hosted version)
Last updated
How to integrate your website with Safary script (self-hosted version)
Last updated
To integrate your website with Safary, you need to update the front-end (HTML code) of the website you want to track.
To prioritize your site's security, Safary suggests adding our script's code in your site (i.e. self hosting it) instead of pointing to another domain to serve the code - this way you will not need to allow cross-domain scripts in your page.
First, once you have signed up, go to your Safary's home page () and you will see under "Integrate Safary snippet" some code starting with <script product="prd_
For example, you should see something like:
Now click on the copy icon on the left of the code to copy the contents of the tracking script
Go to your front-end's HTML code, and simply paste (CTRL+V or CMD+V) the script's code within the <head> … </head> tags of the pages you want to have tracking enabled.
For example, we suggest adding at least to both your landing page and your "app" page, which would have a "connect wallet" functionality.
That's it. Your Safary tracking script code will look something like this in your page:
If your site has Content Security Policy (CSP) enabled, you need to add the hash of the code above.
"If you have a Content Security Policy (CSP) in your service - optional"
Click on that title to expand it, and you will see something like:
Finally, you need to add the directives in the place you implement CSP, which can vary.
For example, if you use Node.js with the Helmet package in your backend to setup CSP, the code above is exactly the one to be pasted in your backend.
On the other hand, if your CSP is setup using a <meta> tag in the front-end to include the policy, you can still use the hash in the <meta> tag. For example, using the hash above:
Safary prioritizes security within the tracking script's infrastructure and has been implementing a number of security features. Below we give a few examples of what we have added (and we will continue to reinforce our security and add more features as we move forward).
Our tag.safary.club domain has DNSSEC enabled with an authentication chain of trust and digitally signed DNS records.
We enforce HSTS (HTTP Strict Transport Security) to protect visitors by ensuring that their browsers always connect to our domain over HTTPS.
Our web server automatically redirects visitors from HTTP to HTTPS on the same domain.
Our servers supports only secure TLS versions and also only the most up-to-date secure ciphers with enforcement of cipher order.
We include security headers in order to activate browser mechanisms to protect visitors against attacks involving, for example, cross-site scripting (XSS) or framing.
Our server is behind a firewall that explicitly blocks any path, body size, address or input that is different from the expected. The firewall also enforces important rules managed by AWS.
Our web server supports secure parameters for Diffie-Hellman key exchange and a secure hash function for key exchange. Moreover, we do not allow for client-initiated renegotiation.
We do not support HTTP nor TLS compression.
The trust chain of our website's certificate is complete and signed by a trusted root certificate authority.
All IP addresses of our web server have a route announcement that is matched by the published route authorisation (RPKI), which protects against various unintentional or malicious route configuration errors.
Our script sanitizes every string used in the front-end, avoiding code injection and related attacks.
With transparency, security and privacy in mind, the complete code of our Safary script will be made public, as our script will be open sourced in the next coming weeks.
In the meantime, below we share the source code of our Safary script in a single Typescript file, currently in version 0.1.13.
In Safary's home page (), you will see under "Integrate Safary snippet", a small section with the title:
Now you can click on the copy icon on the left to copy the contents of the policy.
