gclid Replay Attacks: Technical Analysis and Hot-Path Defense
Atomic Lua sealing, GCLID_IP_MISMATCH, and MISSING_LANDING_BEACON: technical details of gclid security.
gclid format validation
A gclid that does not match ^[A-Za-z0-9._-]{10,200}$ is rejected with **400** immediately; nothing is written to the database.
Atomic sealing
The Redis hash cf:gclid:{tenantId}:{gclid} stores the first-seen IP and fingerprint. Subsequent requests are compared against them:
- Different IP → GCLID_IP_MISMATCH
- Different fingerprint → GCLID_FINGERPRINT_MISMATCH
Landing requirement
Attribution-bearing interactions require a prior landing beacon. Otherwise MISSING_LANDING_BEACON → **403**.
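The three hot-path checks above (format, seal, landing requirement) as an added Python model; this is not the product's code. A dict and a lock stand in for the Redis hash and the atomic Lua script, and the check order, the `kind` labels and the INVALID_FORMAT label are assumptions.

```python
import re
import threading

# Pattern from the page; fullmatch() also rejects a trailing "\n", which "$" alone would allow.
GCLID_RE = re.compile(r"^[A-Za-z0-9._-]{10,200}$")

class GclidGuard:
    """In-memory model: dicts plus a lock stand in for Redis and the atomic script (assumption)."""

    def __init__(self):
        self._seals = {}       # key -> (first_ip, first_fingerprint)
        self._landed = set()   # keys that have sent a landing beacon
        self._lock = threading.Lock()

    def check(self, tenant_id, gclid, ip, fingerprint, kind):
        """kind is "landing" or "interaction" (hypothetical labels). Returns a reason code or "OK"."""
        if not GCLID_RE.fullmatch(gclid):
            return "INVALID_FORMAT"  # hypothetical label; the page maps this case to 400
        key = f"cf:gclid:{tenant_id}:{gclid}"
        # Read-compare-write must be one atomic step, or two concurrent first
        # requests from different clients could both become the "first seen" one.
        with self._lock:
            first_ip, first_fp = self._seals.setdefault(key, (ip, fingerprint))
            if first_ip != ip:
                return "GCLID_IP_MISMATCH"
            if first_fp != fingerprint:
                return "GCLID_FINGERPRINT_MISMATCH"
            if kind == "landing":
                self._landed.add(key)
                return "OK"
            # Attribution-bearing interaction: needs an earlier landing beacon (page: 403).
            return "OK" if key in self._landed else "MISSING_LANDING_BEACON"

if __name__ == "__main__":
    guard = GclidGuard()
    gclid = "Cj0KCQjw_constructed-0001"  # constructed sample value
    for ip, fp, kind in [("203.0.113.7", "fp-a", "landing"),
                         ("203.0.113.7", "fp-a", "interaction"),
                         ("198.51.100.9", "fp-a", "interaction")]:
        print(kind, ip, guard.check("tenant-1", gclid, ip, fp, kind))
```

The invalid-format branch returns before any key is built, which mirrors the page's statement that nothing is stored for a rejected gclid.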
Async reconciliation
The worker scans Google Ads click_view periodically. Ghost clicks and delayed mismatches are recorded as anomalies.