By default, Clicky validates all incoming traffic against the registered domain and mirrors configured in your site preferences. Sub-domains of the main domain are automatically supported, but mirrors must be explicitly set for each root and sub-domain. The main reason is so that if someone copies your tracking code onto their site accidentally or maliciously, your data won't be impacted. This is a much bigger problem than you would ever expect, which is why this is our default.

You can disable domain validation in your site preferences, under the "Advanced" section.

We only recommend disabling it as a last resort, if you can't get tracking to work at all.

If the code is installed correctly, the main reasons tracking may not work is if there's a typo in the domain, or if your site uses a restrictive referrer-policy header (or <meta> tag). If your site sets this header to "same-origin" or "no-referrer", then you must disable domain validation, or set the header to a less restrictive option if you are able. We recommend setting it to "origin-when-cross-origin", which means for external links from your site (and third party requests like our beacon), only the domain of your site will be passed through as the referrer, but no path or query data. This is the value we use on Clicky!