Manage SSL compliance in Campaign Manager

Campaign Manager does not allow non-secure URLs (HTTP) in creative code, redirect URLs in redirect creatives, impression pixels, survey URLs, and impression event tags. If you use URLs in these places, they must be secure (HTTPS). Work with your developers and vendors to obtain secure creatives and secure URLs.

  • Secure URLs start with https and typically use SSL or TLS to keep information secure over the Internet (Secure Sockets Layer or Transport Layer Security).

  • In Campaign Manager, "SSL compliance" refers to items that keep information secure by using any form of HTTPS URLs. Note that SSL-compliant items—such as ads, creatives, or impression event tags—may actually use TLS rather than SSL. "SSL" is just a common way to refer to secure URLs.

Use the guide below to learn how SSL works in Campaign Manager.

Expand all   Collapse all

SSL in Campaign Manager

SSL requirements in Campaign Manager

Campaign Manager requires that you use secure URLs (HTTPS) in your creative code, redirect URLs, impression pixels, and survey URLs.

To make sure your items are SSL-compliant:

  • Creatives only allow secure URLs in creative code, in manually added impression pixel or survey URLs, and in redirect URLs. Any URLs in these places must be secure (though you do not need to add secure URLs; you simply may not add non-secure URLs).

  • Ads only allow you to apply secure impression event tags. You cannot apply non-secure impression event tags. Ads also only allow you to assign SSL-compliant creatives. You cannot assign non-compliant creatives.

  • Placements only allow you to assign SSL-compliant ads or creatives. You cannot assign non-compliant ads or creatives.

  • Impression event tags must use secure impression pixels or survey URLs, or else you will not be allowed to apply them to ads.

  • Floodlight activities only allow secure dynamic tags (piggybacked pixels). Also, as of July 7, 2015, Floodlight activities load in a secure iframe, which means any remaining non-secure dynamic tags (piggybacked pixels) in your Floodlight activities will no longer capture information.

Fields that affect SSL compliance

Here are the fields and properties where secure URLs are required:

  • Asset code. If the asset itself uses non-secure URLs in the creative code, ask the developer to update the asset with secure URLs.

  • HTML code. Check the code under "HTML" in the creative properties for custom and display creatives. If a creative is non-compliant, ask your developer for a compliant version.

  • "Third-party URL" sections in VPAID, in-stream, and general Rich Media creatives.

  • Redirect URL in redirect creatives.

  • Impression event tag URLs. Open tags at the advertiser or campaign level and check the tag URL. Any ad that uses a non-compliant impression event tag is non-compliant, and any placement that has non-compliant ads assigned is also non-compliant (and will therefore export non-secure placement tags).

    Do not add the %ers! macro to impression event tags. Because this macro expands to either http or https depending on the context, it may allow non-secure protocol (http) in your tracking URL. If this macro is detected in your impression event tag, Campaign Manager will label the event tag "Not compliant."

  • Dynamic tags (piggybacked pixels) in your Floodlight activities. Under "Dynamic tags" in the Floodlight activity properties, in the "Code" field of default or publisher tags. Any code that instructs the browser to call anhttp URL is non-compliant.

Notes

  • Relative protocol (//) is allowed in fields that affect SSL compliance, because relative protocol will change to HTTPS on secure sites.

  • Landing pages do not affect SSL compliance in your creatives and ads. It's always fine to use http for all landing pages, including URLs in click event tags and in your creative's "Click tags" section.

  • An image creative in Campaign Manager is always compliant, because it has no tracking URLs or other content from non-secure sources.

Glossary of SSL terms
  • SSL is a way to keep information secure over the internet. It stands for Secure Sockets Layer. Many sites use SSL to keep their pages secure, or its successor, TLS (Transport Layer Security). The URL of a secure site starts with HTTPS—the s stands for "secure." Generally, URLs that start with HTTPS work the exact same way as URLs that start with http. The difference is that when a URL starts with HTTPS, the server adds an extra encryption layer.

  • Secure URLs start with HTTPS. They keep content secure with an encryption layer called an SSL (Secure Sockets Layer). Non-secure URLs start with http. If your site URL starts with HTTPS, it is a secure site.

  • Compliant means SSL-compliant. This means your item is okay for secure sites. SSL-compliant items only use secure URLs in their creative code, impression pixels, and other fields that affect SSL compliance. They do not use any non-secure URLs that might cause problems for secure sites.

  • Not compliant means not SSL-compliant. This means your item uses one or more non-secure URLs that might cause problems for secure sites. For example, non-compliant creatives might have non-secure URLs in their creative code. Non-compliant ads might use impression event tags with non-secure pixels. When a placement is non-compliant, that means one or more non-compliant ads or creatives are assigned to it.

Exemptions for Chinese inventory

If you serve to Chinese inventory, you may need an exemption from SSL requirements, because Chinese sites do not support SSL. Support representatives can disable SSL requirements for Chinese sites or Chinese advertisers, if necessary. No other exemptions are possible. Learn about Chinese exemptions

How Campaign Manager handles non-compliant items

Ads and creatives
  1. If Campaign Manager determines that your ad or creative uses non-secure URLs in fields that affect SSL compliance, Campaign Manager will label the ad or creative "Not compliant."

  2. Non-compliant ads and creatives are not allowed in new assignments. For example, you can't assign a non-compliant ad to any additional placements. You also can't assign any additional creatives to a non-compliant ad.

  3. Non-compliant ads and creatives that are already assigned can remain assigned. They can still serve to placements.

    • Campaign Manager started rolling out the new SSL requirements on June 16, 2015. Prior to that time, Campaign Manager allowed assignments with non-compliant items, so some non-compliant ads or creatives may already be assigned to placements. Any existing assignments with non-compliant items can remain, and they can still serve to placements. But no new assignments will be allowed unless you make the ads or creatives compliant.

Non-compliant placements
  1. If your placement has non-compliant ads or creatives assigned, Campaign Manager will label the placement "Not compliant."

  2. Non-compliant placements are not allowed in new assignments. If your placement is non-compliant (meaning it has non-compliant ads or creatives assigned), you can't assign any additional ads or creatives to the placement.

    The exception is that if you already have compliant ads assigned to a non-compliant placement, you can still assign compliant creatives to these ads. In other words, if one of the ads on your non-compliant placement is SSL-compliant, you can still assign compliant creatives to it.

  3. Any non-compliant ads and creatives already assigned to your placement can remain assigned, and they can still serve to your placement.

    • As discussed above, non-compliant ads and creatives may already be assigned to placements in your campaign if they were assigned prior to the new SSL requirements (which started rolling out on June 16, 2015). These assignments can remain, and will still serve. But no new assignments will be allowed unless you make the placement compliant (by ensuring that all ads and creatives assigned are compliant).

  4. Compliant placements in Campaign Manager only export secure tags. However, if your placement is non-compliant (i.e., has non-compliant ads or creatives assigned), it will only export non-secure tags.

    • Campaign Manager is designed to ensure secure end-to-end ad serving, which means serving secure content via secure tags to secure sites. This includes secure placement tags. Non-compliant placements export non-secure tags so that the tags are consistent with the SSL status of your ads and creatives. Do not use non-secure placement tags on secure sites because non-secure tags may cause issues for the publisher or prompt the user's browser to show a warning, or the ad may not load at all.

Non-compliant impression event tags
  1. If the impression pixel or survey URL in your impression event tag is not secure, Campaign Manager will label it "Not compliant."

  2. Non-compliant impression event tags cannot be applied to any additional ads.

  3. If your non-compliant impression event tag is already applied to ads, it can remain applied and will still capture information. But your event tag will make these ads non-compliant as well, because they will use a non-compliant tracking URL when they serve.

    • Campaign Manager started rolling out the new SSL requirements June 16-July 7, 2015. Prior to that time, Campaign Manager allowed you to apply non-secure impression event tags to ads. Any non-compliant impression event tags you have already applied can remain applied and will still capture information. But you will not be able to apply non-compliant impression event tags to additional ads.

Floodlight activities
  1. Campaign Manager does not allow you to save new Floodlight activities with non-secure dynamic tags (piggybacked pixels).

  2. As of July 7, 2015, non-secure dynamic tags no longer capture information. Campaign Manager loads Floodlight tags in a secure iframe. If a dynamic tag is not HTTPS, it will not load in the iframe, which means it will not capture information

    Ask your vendor for secure versions of your dynamic tags. Do not simply change http to HTTPS in your dynamic tag, because many impression pixels have completely different secure URLs.

Resolve SSL compliance issues

If you run into problems due to SSL requirements, you may need to change the URLs in your creatives, event tags, or Floodlight tags. See below to troubleshoot issues.

My creative is non-compliant

Creatives are non-compliant if they have non-secure URLs in their creative code, in manually added impression pixel or survey URLs, or in redirect URLs.

  1. Open the creative properties in Campaign Manager.

  2. Once you find the issue, you can work with your vendor or developer to resolve it.

    • If manually added impression pixels or survey URLs are non-compliant, ask your vendor for a secure version of the tracking URL.

    • If the redirect URL is non-compliant, ask your vendor for a secure redirect URL.

    • If the tracking URLs are compliant, the issue is probably a non-secure URL in the creative code. Ask your developer to provide a secure version of your creative and upload that instead.

My ad is non-compliant

Ads are non-compliant if they have non-compliant creatives assigned or non-compliant impression event tags applied.

  1. Open the ad properties in Campaign Manager.

  2. Open the "Creative assignments" section.

  3. Check the assigned creatives. There is an "SSL" column that tells you if any assigned creatives are not compliant. Non-compliant creative assignments make your ad non-compliant.

    • If any assigned creatives are non-compliant, you need to unassign them or change their properties so that they are compliant.

  4. If your assigned creatives are compliant but your ad is still not compliant, the issue is that one or more applied impression event tags is not compliant.

    Check your event tags:

    1. Open the "Event tags" section.

    2. Under "impression event tags," make sure the "View" is set to Applied tags.

    3. You can now see all the impression event tags that are applied to your ad. For each row, scroll over to the right and find the "SSL" column. This tells you if the impression event tag is SSL-compliant.

    4. Make a note of the event tags that are non-compliant. You can either unapply them or change the event tag URL.

      • Unapply: Change the "View" to Advertiser/Campaign tags. Select the event tags you need to unapply and click Never apply.

      • Change the tag URL:

        1. Check the "Source" column.

          • If the source is the advertiser, you must edit your event tag in the advertiser properties. Find the "event tags" section and open your event tag in the "Advertiser tags" view.

          • If the source is the campaign, you must edit your event tag in the campaign properties. Find the "event tags" section and open your event tag in the "Campaign tags" view.

        2. Ask your vendor for a secure version of the tracking URL and enter it into the Tag URL field.

          Note that secure event tag URLs are sometimes different from non-secure event tag URLs. Sometimes you cannot simply change http to HTTPS at the beginning of the URL.

         

My placement is non-compliant

Placements derive their SSL status from their assignments. Placements are only non-compliant if they have non-compliant ads or creatives assigned.

  1. Open your campaign. Click Views and choose the Placements, ads, and creatives view.

  2. Find your placement.

  3. Scroll to the right so you can see the SSL column. Use this column to check which ads and creatives assigned to your placement are non-compliant. Make a note of these items and use the steps above to resolve non-compliant ads or non-compliant creatives.

My Floodlight activity is not compliant

This issue is that your Floodlight activity has one or more non-secure dynamic tags (piggybacked pixels).

Check the "Code" fields under "Dynamic tags." These fields must not include any code that instructs the browser to call a non-secure URL. For example, <img src="http://www.example.com"> instructs the browser to call for an image from an http URL, so it is non-compliant.

Ask your vendor for secure versions of your dynamic tags. Do not simply change http to HTTPS in your dynamic tag, because many impression pixels have completely different secure URLs.

It's especially important to use secure dynamic tags because from July 7, 2015, onward, non-secure dynamic tags will no longer capture information. This is because Campaign Manager will automatically load a secure iframe with your Floodlight tag: if a dynamic tag is not https, it will not load in the iframe, which means it will not capture information.

My impression event tag is not compliant

The issue is that your impression event tag has a non-secure URL. Campaign Manager does not allow you to apply non-secure impression event tags to ads.

  1. Ask your vendor for a secure version of the impression pixel or survey URL in your impression event tag.

    Note that secure event tag URLs are sometimes different from non-secure event tag URLs. Sometimes you cannot simply change http to HTTPS at the beginning of the URL.

  2. Enter this URL into the Tag URL field of your event tag. If you have trouble finding your event tag, follow these steps.

  3. Once you add a secure tracking URL, Campaign Manager will allow you to apply your event tag.

If you applied your event tag prior to the new SSL requirements, the event tag can remain applied, and it will still capture information. However, any ad that uses a non-secure impression event tag will no longer be allowed in new assignments. This is because Campaign Manager does not allow new assignments with items that are not SSL-compliant.

I can't make an assignment due to SSL issues

Campaign Manager prevents new assignments that involve non-compliant items.

  1. Open your campaign. Click Views and choose the Placements, ads, and creatives view.

  2. Find the items you are trying to assign.

  3. Scroll to the right so you can see the SSL column. Use this column to make sure each item you wish to assign is SSL-compliant. All items involved must be SSL-compliant.

  4. Once you find a non-compliant ad, creative, or placement, find the section above to resolve your issue:

    • Non-compliant creatives

    • Non-compliant ads

    • Non-compliant placements

Note that assignments made before the new SSL requirements can remain in Campaign Manager, and your ads will still serve.

Campaign Manager incorrectly labeled my creative "Not compliant"

If you are sure that your creative is SSL-compliant, you can override Campaign Manager in the creative properties and label your creative compliant.

Do not override Campaign Manager unless you can confirm that your creative uses secure URLs. Serving non-compliant creatives to a secure site can cause a warning to appear in the user's browser.

Was this article helpful?
How can we improve it?