Step 1 — Pre-flight Check

Before you touch any code, confirm three things: your customer ID, your consent setup, and whether your site uses a Content Security Policy.

---

1.1 Your fraud0 customer ID (cid)

Log in to your fraud0 Dashboard and copy the cid shown in the Implementation tab. Every code snippet in this guide uses this value wherever you see {{fraud0 cid}}.

---

1.2 The most important rule

fraud0 must fire independent of any consent mechanism

A real visitor can choose to reject cookies or tracking. A bot does not — bots either skip consent banners entirely or click Reject all indiscriminately. If the fraud0 script only fires after a consent decision, the bot population fraud0 sees is exactly zero, and bot detection effectively does nothing.

Legal basis: In the EU, fraud detection runs under legitimate interest (Art. 6 lit. f GDPR) and the technical-necessity exception (§25 II 2 TTDSG). See the Data Processing Agreement for the full legal write-up.

---

1.3 How is your site set up today?

Answer these four questions — they determine which embed path is right for you in the next step.

	Question	Notes
Q1	Is there a Consent Management Platform (CMP) on the site?	If no CMP, any embed path works. If yes, continue.
Q2	Does the GTM container load before the CMP banner is interacted with?	”Before” = the <script> for googletagmanager.com is in the <head> and runs unconditionally.
Q3	Do you operate a Server-Side GTM (SGTM) endpoint on your own domain?	”Yes” = GTM library is loaded from tagmanager.yourdomain.com or similar, not directly from googletagmanager.com.
Q4	Does your website enforce a Content Security Policy script-src directive?	If yes, you will need to allow-list the fraud0 host (see 1.4 below).

Your answers determine which option to choose in Steps 2–3.

---

1.4 Content Security Policy — extend it if you have one

If your site sends a Content-Security-Policy header (or <meta http-equiv="Content-Security-Policy">) with a script-src directive, the fraud0 script will be blocked unless the host is allow-listed.

How to check: Open browser DevTools → Network tab → reload the page → inspect the document response headers. If you see a Content-Security-Policy header with a script-src directive that is not * or unsafe-inline-everything, you have one.

Add https://api.fraud0.com to your script-src:

script-src ... https://api.fraud0.com;

If you also have connect-src or img-src directives, allow the same host there:

connect-src ... https://api.fraud0.com;
img-src     ... https://api.fraud0.com;

Existing customers on bt.fraud0.com

Keep https://bt.fraud0.com allow-listed during the transition period. New implementations should only use api.fraud0.com.

For more detail on CSP errors, see the FAQ article on Network Status “blocked: CSP”.

---

Once you have your cid and know your setup, continue to the next step.

Steps 2–3 — Implement the fraud0 Tag Choose your embed path and implement the Main Tag.

---

Note

Do you still have questions or require further details? Contact our support team: support@fraud0.com