Native one-click integration — Cloudflare rewrites requests at the edge automatically
The HTML on this page loads from www.googletagmanager.com/gtm.js — the same URL every website uses. An ad blocker would normally kill this request here.
Because you completed the "Add CDN → Cloudflare" wizard inside GTM Admin, Google's API wrote a Cloudflare Worker rule on your behalf. That rule catches the request before it ever leaves Cloudflare's network.
The Worker maps the incoming request to data-gateway.site/metrics/gtm.js internally and fetches the GTM script on the user's behalf. No third-party hostname ever reaches the browser's network log.
The browser receives the script as if it came from data-gateway.site. Ad blockers see a first-party request and do nothing. GTM fires, tags fire, analytics data lands in GA4.
Subsequent network requests to www.google-analytics.com/g/collect are likewise intercepted and proxied through your Cloudflare edge — no direct browser-to-Google connection.
The snippet below uses the completely standard Google URL. There is nothing custom about it — the magic is entirely in Cloudflare, not in this file.
<!-- Consent defaults — must run BEFORE GTM -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'analytics_storage': 'granted',
'ad_storage': 'granted'
});
</script>
<!-- Standard GTM snippet — Cloudflare intercepts and proxies this -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;
f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-KSWQ3CCC');</script>
<!-- Key difference: the URL above is STANDARD Google.
Approach 2 uses: https://metrics.data-gateway.site/gtm.js (manual subdomain)
Approach 3 uses: https://metrics.data-gateway.site/gtm.js (Cloud Run server)
Approach 1 uses: https://www.googletagmanager.com/gtm.js (Cloudflare rewrites it) -->
This test fetches gtm.js using the standard Google URL and reads back the
actual URL the response came from. On the live site, Cloudflare intercepts
the request so the resolved URL will be data-gateway.site/… — not Google.
Locally there is no Cloudflare in the path, so you will see the Google domain directly.
gtm.js → refresh the page.data-gateway.site) you will see the request resolve from
data-gateway.site/metrics/… even though the HTML says googletagmanager.com.
That gap is the Tag Gateway intercepting in real time.googletagmanager.com directly — that is correct behaviour.
Deploy to Cloudflare Pages first, then run the test.
Click either button to push an event to the dataLayer. GTM picks it up and sends a GA4 hit through the first-party Cloudflare proxy — not directly to Google's servers.
| Approach | What it is | Setup effort | Best for |
|---|---|---|---|
| 1 — Tag Gateway | Cloudflare Worker injected by Google's API automatically | 5 min — no code changes | Google ecosystem clients on Cloudflare who want a fast, free, zero-maintenance solution |
| 2 — Manual CDN | Custom reverse-proxy rules you write on the CDN edge | 1–2 hrs — write Worker/Page Rules | Any CDN, full URL control, non-Google vendors, CDNs without a native Google partnership |
| 3 — sGTM | Dedicated Cloud Run server you own and operate | Half a day — GCP + Load Balancer | Enterprise. Total data control, payload enrichment, server-to-server (Facebook CAPI, etc.) |