Safari ITP & First-Party Cookies
400-day first-party cookies that survive Safari ITP
Apple's Intelligent Tracking Prevention caps any cookie set by JavaScript at 7 days. Datafly Signal sets cookies via HTTP Set-Cookie headers from your own subdomain, which ITP treats as genuine first-party storage. The result: 400-day attribution windows for GA, Meta, TikTok, LinkedIn, and every click ID, with no workarounds and no fingerprinting.
400 days
Cookie lifetime
57x longer than Safari's 7-day ITP cap on JavaScript-set cookies
0
Fingerprinting
No probabilistic identity, no canvas hashing, no IP heuristics
30+
Vendor IDs persisted
GA, _fbp, _ttp, _li_id, click IDs all server-set in one cookie
Set-Cookie
Standards-based
HTTP header from your own domain, the way cookies were designed to work
What Safari ITP actually does to your cookies
Apple's Intelligent Tracking Prevention has been progressively tightening cookie controls since 2017. The current state of play affects every measurement and attribution surface you care about.
7-day cap on JavaScript-set cookies
Any cookie set via document.cookie in the browser, including the ones gtag.js, Meta Pixel, ttq.js, and the LinkedIn Insight Tag write, is capped at 7 days regardless of the Max-Age your script requests. ITP rewrites the expiry on store. Customers who research for longer than a week become "new visitors" on return.
24-hour cap when arriving from cross-site
If a user clicks an ad and the landing-page URL contains query parameters identified as cross-site tracking signals (gclid, fbclid, etc.), Safari further caps any client-set cookies at 24 hours. The window in which Smart Bidding can attribute a conversion to that click ID shrinks to a single day for client-side setups.
Multi-touch attribution stops working
With cookies expiring weekly, the full customer journey can't be reconstructed. Look-alike audiences shrink because the visit-history horizon shortens. ROAS calculations stop matching reality. Every Safari user who takes longer than a week to convert becomes a measurement gap, and Safari is roughly 19% of global mobile and 9% of desktop.
How Datafly Signal sidesteps ITP cleanly
Run on your own subdomain
Customers point a CNAME at the Datafly Ingestion Gateway, e.g. collect.yourbrand.com. All event traffic, identity calls, and cookie-setting flows through that subdomain. The collector is loaded from your domain, not a vendor's.
Set cookies via Set-Cookie HTTP headers
When the gateway responds to a /collect or /identify request, it includes a Set-Cookie response header. Browsers store this as a first-party cookie scoped to the parent brand domain. ITP treats server-set first-party cookies fundamentally differently from JavaScript-set ones.
Set Max-Age to 400 days
Both Apple and Google formalised 400 days as the maximum cookie lifetime for first-party use. Datafly Signal sets exactly that on every cookie. ITP does not rewrite the expiry on server-set first-party cookies the way it does for client-set ones.
Mirror vendor identifiers server-side
The gateway generates and persists every vendor identifier server-side: GA client_id, Meta _fbp / _fbc, TikTok _ttp, LinkedIn _li_id, Pinterest _pin_, plus all click IDs. None of these need a client-side vendor cookie or vendor JavaScript anymore.
Refresh on every visit
Each event hit refreshes the cookie expiry, so as long as the customer visits within 400 days the identity persists indefinitely. Real customers never lose their identity to ITP. Bots and scrapers, by definition, don't come back.
The actual Set-Cookie header
No magic, no workaround, no probabilistic linking. The 400-day cookie is a single HTTP response header from your own subdomain. Below is what the gateway sends.
# How a 400-day first-party cookie is set
# 1. Browser requests https://collect.yourbrand.com/c/event
# 2. Datafly Ingestion Gateway responds with Set-Cookie header
# 3. Cookie is treated as first-party (server-set, same-domain)
# 4. ITP, ETP, and other browser controls do NOT cap it at 7 days
# Response headers from collect.yourbrand.com:
Set-Cookie: _df_aid=a3f9...; Domain=.yourbrand.com;
Path=/; Max-Age=34560000; Secure;
HttpOnly; SameSite=Lax
# Max-Age = 34,560,000 seconds = 400 days
# Domain scoped to your brand, not a vendor's
# HttpOnly prevents document.cookie tampering
# SameSite=Lax allows cross-tab measurement
# The same cookie carries:
# - Datafly anonymous_id (cross-session identity)
# - GA client_id (mirrored server-side, no _ga client cookie needed)
# - Meta _fbp / _fbc (mirrored, no Meta Pixel needed)
# - TikTok _ttp (mirrored, no ttq.js needed)
# - LinkedIn _li_id, Pinterest _pin_, Reddit _rdt_uuid
# - Click IDs: gclid, fbclid, ttclid, msclkid, twclidWhy server-set cookies just work
ITP, ETP, and Brave shields all distinguish between cookies set by the document and cookies set by the server. The latter is how cookies were designed to work in 1994 and remains supported.
400-day Max-Age, no rewrites
Server-set first-party cookies retain the expiry your gateway requests. No browser silently caps them to 7 days the way they do for JavaScript-set cookies.
HttpOnly + Secure + SameSite
Cookies are HttpOnly by default so JavaScript can't read or modify them. Secure-only over HTTPS. SameSite=Lax allows legitimate cross-tab measurement.
Vendor IDs mirrored server-side
GA client_id, Meta _fbp/_fbc, TikTok _ttp, LinkedIn _li_id, Pinterest _pin_, Reddit _rdt_uuid all generated and persisted server-side. No vendor JS required.
Click IDs persisted on landing
gclid, gbraid, wbraid, fbclid, ttclid, msclkid, twclid captured from URL parameters at landing time and stored in the same 400-day cookie. ROAS over the full buying cycle.
Works the same on Firefox, Brave, Chrome
Firefox ETP, Brave Shields, and Chrome's upcoming controls all preserve server-set first-party cookies. The same recovery story works across every modern browser.
Deterministic, never probabilistic
No fingerprinting, no canvas hashing, no IP-based heuristics, no probabilistic identity stitching. Just a first-party cookie, the same primitive every site has used for thirty years.
Cookie lifetime by setup
How long the customer's identity actually persists across browsers, depending on how cookies are written.
| Setup | Safari | Firefox | Chrome |
|---|---|---|---|
| gtag.js (client-set _ga) | 7 days (1 day cross-site) | ~30 days | 13 months max |
| Meta Pixel (client-set _fbp) | 7 days | ~30 days | 90 days |
| GTM Server-Side via vendor subdomain | 7 days (still client-set if FPID) | ~30 days | 400 days |
| Datafly Signal (Set-Cookie HTTP header) | 400 days | 400 days | 400 days |
Frequently asked questions
- Why does Safari ITP cap cookies at 7 days?
- Apple's Intelligent Tracking Prevention treats cookies set by JavaScript via document.cookie as third-party tracking signals and limits their storage lifetime to 7 days, regardless of the Max-Age value the script requests. When a known cross-site tracking parameter (gclid, fbclid, etc.) is present in the landing URL, the cap drops further to 24 hours. This is why _ga, _fbp, and other vendor-set cookies regularly expire on Safari users.
- Does Datafly Signal use any fingerprinting to extend cookies?
- No. There is no canvas hashing, no IP-based identity heuristic, no probabilistic stitching. The 400-day cookie is a standards-based first-party Set-Cookie response header from your own subdomain. ITP does not cap server-set first-party cookies the way it caps JavaScript-set ones because they are exactly what cookies were designed to be.
- How does this work on Firefox and Brave?
- Firefox Enhanced Tracking Protection and Brave Shields both preserve server-set first-party cookies on your own domain. The same 400-day cookie that survives Safari ITP also survives Firefox ETP and Brave. Chrome's upcoming controls preserve them too. The recovery story is uniform across every modern browser.
- What is the difference between server-set and client-set cookies?
- A client-set cookie is created by JavaScript via document.cookie. A server-set cookie is created by the server via a Set-Cookie HTTP response header. Browsers track both, but ITP and similar privacy controls treat them differently: server-set first-party cookies retain their requested Max-Age, client-set ones are capped to 7 days on Safari. The behaviour is documented in the WebKit ITP changelog.
- Will I lose data if a customer doesn't visit for 400 days?
- The cookie expires after 400 days of no activity. In practice, every visit refreshes the expiry, so as long as the customer returns within 400 days the identity persists indefinitely. For most B2C and B2B businesses 400 days covers more than the full buying cycle. Both Apple and Google formalised 400 days as the maximum first-party cookie lifetime, so you can't set longer than this on any browser.
- Does this require a CNAME or DNS change?
- Yes. You point a CNAME at the Datafly Ingestion Gateway, e.g. collect.yourbrand.com → gateway.datafly.com. From the browser's perspective the cookie is being set by your own domain, which is what makes it first-party. The setup is a single DNS record and an SSL certificate (handled automatically), no application changes.
Related
Identity Resolution
Vendor identifiers (_ga, _fbp, _ttp) generated server-side and persisted in the same 400-day cookie.
Attribution
Long-window attribution requires identity that survives past 7 days. ITP recovery is the foundation.
Mobile SDK
The mobile equivalent: deterministic identity in iOS Keychain and Android EncryptedSharedPreferences.
Google Ads
gclid persisted in the 400-day cookie, full Enhanced Conversions match window.
Recover the customers Safari ITP is hiding
Request a technical walkthrough. We'll show you what 400-day first-party cookies recover for Safari users specifically, and how the same setup extends every other browser too.