Exclude internal traffic — Keep your team out of analytics

TL;DR: Internal team traffic skews bounce rate, conversion rate, and MER. Admaxxer ships four ways to exclude it: (1) the canonical admaxxer_optout=1 cookie set via /opt-out — one click, persists 1 year per device per browser; (2) the Admaxxer-DoNotTrack: 1 HTTP header for reverse-proxy / VPN setups; (3) the browser DNT signal automatically honored by script.cookieless.js; (4) gating the snippet on environment so dev/staging never load the pixel. Bot + automation UAs are filtered automatically client-side AND server-side — you don't need to do anything for headless tests, Lighthouse, or crawlers.

Why it matters

Internal traffic looks identical to real traffic from the analytics layer's perspective — same browser, same IP if you're remote, often the same DTC funnel. Left unchecked it inflates pageviews, depresses conversion rate (your team rarely checks out for $99 to test pricing), and pollutes MER + cohort LTV with non-revenue sessions. A 5-person remote team browsing the site daily can easily generate 10–20% of measured traffic on a small site.

Concrete impact:

Bounce rate goes up. You and your team click around, see what you came for, and leave — that's a bounce by definition. Your real audience reads more.
Conversion rate goes down. Internal traffic almost never converts; adding it to the denominator makes your funnel look worse than it is.
MER (revenue / spend) gets noisy. Internal pageviews don't generate revenue but they DO get attributed to whatever traffic source you came in from (often direct). Over a quarter this drags blended MER down.
Cohort LTV gets diluted. Internal "users" with zero LTV depress the average for whatever cohort they fall into.
AI agent gets distracted. When the Maxxer agent answers "why did conversion drop last week?", a spike in internal traffic looks identical to a real campaign anomaly — the agent has to spend tokens ruling it out.

Four methods, ranked by recommendation

Pick based on your team's setup. The cookie method works for everyone. The header method is best for centralized opt-out at the gateway level. DNT is automatic if you use script.cookieless.js. Snippet-gating works when dev/staging environments are clearly separated.

Method	Setup time	Per-device	Survives cache wipe	Best for
1. `admaxxer_optout` cookie	~30 seconds per browser	Yes	Yes (1y cookie)	Most teams — every staff member sets once per browser
2. `Admaxxer-DoNotTrack` header	One-time reverse-proxy rule	No (gateway-level)	N/A	Office VPN / reverse-proxy setups, employee subnet
3. Browser DNT (auto-honored)	Per-browser browser setting	Yes	Yes	Privacy-tight orgs already running `script.cookieless.js`
4. Snippet-gating on environment	One-time code change	No	N/A	Dev / staging / preview deploys you never want tracked

Method 1 — `admaxxer_optout` cookie (canonical)

The official, cross-method, every-script-variant-respects-it approach. Each team member opens https://admaxxer.com/opt-out in every browser they use to visit your site. The page sets a 1-year SameSite=Lax cookie scoped to admaxxer.com; the pixel reads this cookie before booting and immediately exits if found. The server-side ingest endpoint also rejects events from any request carrying the cookie — so even if the cookie is somehow not read client-side, the server still drops the events.

How to opt your team out

Send everyone the link: https://admaxxer.com/opt-out. Each person clicks it once per browser they use to access your site.
Confirmation page: they see "Opted out successfully" with a green badge. Cookie set for 1 year.
That's it. No login required, no workspace-level configuration, no waiting for the change to propagate — the next pageview from that browser will not fire any events.

How to opt back in (for testing the install)

When you need to verify the pixel works (e.g. after a deploy), open https://admaxxer.com/opt-out?revoke=1 — this clears the cookie immediately. Or open DevTools › Application › Cookies › admaxxer.com and delete admaxxer_optout manually.

Bookmarklet for one-click opt-out

Save your team a click by adding this bookmarklet to their bookmarks bar. Clicking it once on any page sets the opt-out cookie via the /opt-out page in a hidden tab and closes it — no manual confirmation step needed.

javascript:(function(){window.open('https://admaxxer.com/opt-out','_blank','noopener');})();

Or, if your team prefers a cleaner flow, the cookie-set version (works only when on admaxxer.com origin):

javascript:(function(){
  document.cookie = 'admaxxer_optout=1; max-age=31536000; path=/; SameSite=Lax; domain=.admaxxer.com';
  alert('Admaxxer: opted out for 1 year on this browser');
})();

Limitations of the cookie method

Per-browser scope. Setting on Chrome doesn't carry to Safari. Each browser needs its own opt-in.
Cleared on browser cache wipe. If you "Clear browsing data" or wipe cookies, the opt-out goes with it — re-set after.
Incognito / private windows. Cookies don't persist when the private window closes — treat each session as a fresh start.
Cross-device. Setting on your laptop doesn't carry to your phone. Opt out separately on each device.
Multi-profile browsers. Each Chrome profile is independent. Set per profile.

Method 2 — `Admaxxer-DoNotTrack` HTTP header (gateway-level)

If your office traffic flows through a reverse proxy, VPN, or shared gateway, you can set the header at that layer once and every request from inside your network is automatically excluded — no per-device opt-out needed. The Admaxxer ingest endpoint specifically checks for Admaxxer-DoNotTrack: 1 and rejects the event with a 200 response (so the client doesn't retry).

Setup examples

Cloudflare Worker (most common)

// Add to your existing worker that proxies admaxxer.com
addEventListener('fetch', event => {
  const url = new URL(event.request.url);
  if (url.hostname.endsWith('admaxxer.com') && isInternalIp(event.request)) {
    const headers = new Headers(event.request.headers);
    headers.set('Admaxxer-DoNotTrack', '1');
    const modified = new Request(event.request, { headers });
    event.respondWith(fetch(modified));
    return;
  }
  event.respondWith(fetch(event.request));
});

function isInternalIp(req) {
  const ip = req.headers.get('cf-connecting-ip') || '';
  // Replace with your office subnet(s)
  return ip.startsWith('203.0.113.') || ip.startsWith('198.51.100.');
}

Nginx

map $remote_addr $admx_dnt {
    default        "";
    "~^203\.0\.113\."  "1";
    "~^198\.51\.100\."  "1";
}

server {
    location / {
        proxy_pass https://admaxxer.com;
        proxy_set_header Admaxxer-DoNotTrack $admx_dnt;
    }
}

Apache

<If "%{REMOTE_ADDR} =~ /^203\.0\.113\./">
  RequestHeader set Admaxxer-DoNotTrack "1"
</If>

When to use the header method

Centralized control. Add a subnet to the proxy rule and everyone behind that gateway is excluded automatically.
BYOD-heavy teams. Cookies need to be set per-browser per-device; gateway header doesn't.
VPN-protected admin tools. Anyone connected to the corporate VPN is excluded; off-VPN they're tracked normally.

Limitations of the header method

Doesn't work when employees are on coffee-shop WiFi or home networks. Pair with the cookie method for full coverage.
Requires a reverse proxy / VPN you control. If your team works directly off the public internet, this method doesn't apply.
Header gets dropped at some CDN edges. Verify with curl: curl -H 'Admaxxer-DoNotTrack: 1' https://admaxxer.com/api/event ... should return 200 with no event recorded.

Method 3 — Browser DNT (Do Not Track), automatic with cookieless

If your site is already using script.cookieless.js for GDPR-no-banner reasons, the cookieless variant automatically respects the browser DNT signal — no setup needed. Anyone with DNT enabled in their browser settings is auto-excluded.

Important caveat: the default script.js, script.plus.js, script.hash.js, and script.local.js variants do NOT honor DNT — they rely on the explicit cookie / header opt-out instead. This is intentional: most modern browsers send DNT by default (especially Brave, Firefox with Privacy Mode), so honoring it on every variant would silently drop too many real visits.

If you want all variants to honor DNT, the right answer is to combine the cookie method with whatever your team prefers as a privacy-tight signal. There's no global toggle to make script.js honor DNT — it's a deliberate design choice tied to the variant.

How to enable DNT in each browser

Firefox: Settings › Privacy & Security › Send websites a "Do Not Track" signal › Always.
Chrome: Settings › Privacy and security › Send a "Do not track" request with your browsing traffic.
Safari: Preferences › Privacy › Ask websites not to track me (older Safari only; recent Safari removed this and uses Intelligent Tracking Prevention instead).
Brave: On by default.

Method 4 — Gate the snippet on environment

The cleanest exclusion is to never load the pixel at all on dev / staging / preview deploys. This requires zero work from your team (no per-browser opt-out, no header rule) but only works when you have clear environment separation.

Next.js (App Router)

// app/layout.tsx
import Script from 'next/script';

export default function RootLayout({ children }) {
  return (
    <html lang="en">
      <head>
        {process.env.NODE_ENV === 'production' &&
          process.env.NEXT_PUBLIC_VERCEL_ENV !== 'preview' && (
          <Script
            src="https://admaxxer.com/js/script.js"
            data-website-id="admx_a1b2c3d4e5"
            data-domain="example.com"
            strategy="afterInteractive"
          />
        )}
      </head>
      <body>{children}</body>
    </html>
  );
}

Astro

---
const isProd = import.meta.env.PROD;
---
<html>
  <head>
    {isProd && (
      <script
        defer
        data-website-id="admx_a1b2c3d4e5"
        data-domain="example.com"
        src="https://admaxxer.com/js/script.js"
      />
    )}
  </head>
  <body>
    <slot />
  </body>
</html>

Plain HTML + server-side env detection

{# Jinja2 / Django / Flask #}
{% if request.host == 'example.com' %}
<script defer
  data-website-id="admx_a1b2c3d4e5"
  data-domain="example.com"
  src="https://admaxxer.com/js/script.js"></script>
{% endif %}

When to use snippet-gating

Vercel / Netlify preview deploys. Each PR gets a unique URL; you don't want analytics from preview URLs polluting your prod numbers.
Localhost dev. You and devs hammer localhost:3000 all day. The pixel auto-handles the bot/automation case (Puppeteer, Playwright) but ordinary localhost dev is not bot traffic — gate explicitly.
Internal admin pages. If you have an admin dashboard at /admin/*, gate the snippet to skip it client-side — "if path starts with /admin, don't render the script tag".

Bot + automation filtering (automatic, no setup)

The pixel auto-skips known bots and automation runners on both the client AND the server — you don't need to do anything for these:

Headless Chrome / Puppeteer / Playwright / Selenium — detected via navigator.webdriver + UA pattern matching.
Search-engine crawlers (Googlebot, Bingbot, DuckDuckBot) — UA pattern matched on both layers.
AI crawlers (GPTBot, ClaudeBot, PerplexityBot, DeepSeek, etc.) — UA pattern matched server-side.
Generic bots matching /bot|crawler|spider|curl|wget/i — UA pattern matched on both layers.
Lighthouse / PageSpeed Insights — identifies as Chrome but with chrome-lighthouse in UA.

Your end-to-end test suite, screenshot service, and uptime monitor never inflate event counts. There's no opt-out for this filter; the heuristic is conservative (only well-known automation signatures).

Verifying it works

After setting up exclusion, verify with these checks:

1. DevTools network check

Open DevTools › Network › filter for /api/event. Reload the page. You should see no POST requests to /api/event from the opted-out browser. If you see them, the exclusion isn't taking effect — check the cookie was actually set:

DevTools › Application › Cookies › admaxxer.com
Confirm admaxxer_optout exists with value 1 and an expiry >1 year out
If missing, revisit /opt-out and confirm you saw the success page

2. Pixel debug call

Run this in the DevTools console on a page with the pixel installed. If you're opted out, window.admaxxer will be undefined — the pixel exited before setting up the global:

console.log(typeof window.admaxxer);
// "undefined" = opted out (good)
// "function"  = pixel booted (NOT opted out)

3. Server-side curl test (for the header method)

curl -X POST https://admaxxer.com/api/event \
  -H 'Content-Type: application/json' \
  -H 'Admaxxer-DoNotTrack: 1' \
  -d '{"website_id":"admx_test","host":"example.com","event_type":"pageview","path":"/test"}' \
  -i

# Expect: HTTP 200 with no event recorded in your dashboard.

4. Cross-check the dashboard 5 minutes later

Real-time events surface in /dashboard/analytics within ~5 seconds. After clicking around 4–5 pages on your site as the opted-out user, no new events should appear in the live count. If they do, the exclusion isn't applying — check the cookie + browser combo.

Common pitfalls

Cookie cleared on cache wipe. Browser "Clear browsing data" wipes admaxxer_optout too. Re-set the cookie via /opt-out after every wipe. Bookmarklet helps.
Incognito doesn't persist. If you visit your site in private mode, the opt-out cookie won't be there — use a regular window for QA.
One device, multiple browsers. Opt out on each browser separately (Chrome + Safari + Firefox = three opt-outs).
One human, multiple devices. Each device is a separate browser jar. Opt out on laptop AND phone AND tablet.
Mobile Safari aggressive cookie GC. Apple's Intelligent Tracking Prevention can clear non-domain-matched cookies after 7 days of no engagement on the site. The admaxxer_optout cookie is on the admaxxer.com origin, NOT your site — so it's not subject to this 7-day clear unless you visit admaxxer.com directly. To be safe, also gate dev traffic via Method 4 (snippet-gating) on iOS.
VPN swapping IPs. Method 2 (header) only works when the VPN sets the header consistently. If your team toggles VPN on/off, traffic outside the VPN won't carry the header — pair with the cookie method.
Customer support sessions. If a support rep mirrors a customer's session (e.g. via FullStory's "co-browse"), neither method excludes the rep's interaction — treat support sessions as customer sessions for analytics purposes, or instrument a custom flag client-side and skip the snippet on that flag.
Headless E2E tests. No setup needed — the bot UA filter handles Puppeteer/Playwright/Selenium automatically. If you're running tests with a non-default UA, override the UA string to include HeadlessChrome or bot so the filter catches it.

Headless / CI traffic from your test suite

You don't need to do anything — the pixel + the server filter both auto-skip well-known bot/automation UAs. Specifically:

HeadlessChrome, PhantomJS, SlimerJS, Puppeteer, Playwright, Electron — pixel's isBot() heuristic.
Generic bot, crawler, spider, curl, wget — same heuristic, both layers.
navigator.webdriver === true — even when the UA is masked, this flag is set by every WebDriver-based tool.

If your test framework somehow bypasses both checks (rare), set the Admaxxer-DoNotTrack: 1 header on the test runner's HTTP client — the server-side ingest will reject events from that header alone.

How Admaxxer compares to Datafast on internal-traffic exclusion

Datafast offers a similar localStorage-based opt-out plus a workspace-level setting. Admaxxer's approach favors centralized cookie + header signals that survive the analytics layer entirely.

Capability	Admaxxer	Datafast
One-click opt-out page (cookie set)	Yes — /opt-out page, 1y cookie	Yes — localStorage flag
Cookie-based opt-out (vs localStorage)	Cookie + header (more robust)	localStorage only
Server-side enforcement (rejects events even if client signal slips through)	Yes — cookie + header both checked	Client-only
Reverse-proxy / VPN header signal	Yes — `Admaxxer-DoNotTrack: 1`	No
Browser DNT honored automatically	Yes (via `script.cookieless.js`)	Yes
Auto bot/automation UA filtering (client + server)	Yes — both layers	Client-only
Bookmarklet for one-click team opt-out	Yes — documented in this page	Documented