I wanted to be able to say that flintoff.org tracks nobody. No analytics, no surveillance, no creepy fingerprinting. Just a website, doing its thing.
So this morning I ran the site through ComplyDog’s free cookie scanner. Three cookies showed up.
The first, PHPSESSID, is harmless – a standard PHP session cookie that Textpattern sets automatically and forgets about when you close the browser.
The second, __cf_bm, is a Cloudflare bot-management cookie. Technical and security-related, but still third-party.
The third is the interesting one. __sl-fingerprint is set by something calling itself SumoList – an old name for OptinMonster, a list-building tool. I have no memory of installing anything like that. It is hiding somewhere in my templates or page scripts, and it is fingerprinting visitors – meaning it can identify them even without traditional cookies.
All three appear to be coming in via a Kit subscribe form embedded on a couple of pages. The fix for that is straightforward: replace embedded forms with a plain link, so no third-party JavaScript loads on my site at all.
The __sl-fingerprint is a separate mystery. Next task: hunt it down and remove it.