Cloaking, broadly, is traffic filtering: automated crawlers and bots get one version of a page, real users get another. In practice most problems aren't in the tool itself — they're in the configuration. Here are five typical setup mistakes that make filtering behave differently than expected, and how to avoid them.

TL;DR

Two things break most often: the quality and relevance of the open (white) page — ad platforms require the landing to match the ad — and filter accuracy: keying off a single signal causes false positives. After that come purely technical issues: TTL, edge caching and overly coarse geo segmentation.

Mistake 1. The white page doesn't meet the platform's requirements

Ad platforms (Google, Meta, TikTok) have requirements for landing-page quality and relevance: the page must match the ad and provide real value to the user. If a fitness ad leads to an abstract "about nothing" page, that violates their landing-quality rules — and the platform can reject the ad.

How it should be: make the open page a genuine topical page relevant to the ad. If the creative is about fitness, the page should be about a healthy lifestyle — nutrition tips, a workout breakdown, an expert interview. Full, real content passes review far better than empty placeholders.

What we observe

Teams that build an open page 800–1500 words long with a couple of images pass platform review 3–4 times more often than those running "Hello world". Automated and manual checks look at what's actually on the page.

Mistake 2. Filtering on a single signal causes false positives

A common setup is "show the main page only if the referer is empty". The problem: a large share of iOS 17+ users have an empty referer by default (Apple Tracking Prevention). As a result, part of your live traffic sees the open page instead of the target one — conversions drop for no reason.

The mirror mistake is cutting too hard on user-agent: legitimate preview bots from messengers and email clients get filtered alongside search crawlers, and links look broken in previews.

Right way: filter on a combination of signals rather than a single criterion. In our case fingerprint, behaviour and network characteristics combine into a score, and the decision is made on the score, not on any single rule — which means fewer false positives in both directions.

Mistake 3. The CDN caches and serves the same page to everyone

A classic. You enable Cloudflare with proxied = true, don't configure cache rules, and five minutes later anyone visiting gets whatever version Cloudflare cached first. Filtering effectively turns off: everyone sees the same page regardless of whether they're a bot or a human.

Fix: either disable proxied on domains with active filtering, or set an explicit cache rule "do not cache this path", or use Vary: User-Agent with Cache-Control: private. Any of those works; just verify with curl:

curl -I -A "facebookexternalhit/1.1" https://your-domain.com/lp
curl -I -A "Mozilla/5.0 (iPhone; ..." https://your-domain.com/lp

If both responses show cf-cache-status: HIT with identical ETags, the response is cached and filtering isn't actually working.
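
Seen from the reviewing side, the same header comparison is how an ad-platform reviewer or abuse analyst notices that a URL answers differently depending on User-Agent. The following is an added example, not TDS.SO code: it classifies a URL from two saved curl -I outputs; the header dumps, function names and class labels are constructed for illustration.

```python
# Added example: classify a URL from two saved `curl -I` outputs.
# The header dumps below are constructed sample data, not real captures.

CRAWLER_HEADERS = """\
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 48211
etag: "a1b2c3"
cf-cache-status: HIT
"""

BROWSER_SAME = CRAWLER_HEADERS  # identical object served to the browser UA

BROWSER_DIFFERENT = """\
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 9034
etag: "ffee01"
cache-control: private
vary: User-Agent
cf-cache-status: DYNAMIC
"""


def parse_headers(raw):
    """Return (status_code, {lowercased-name: value}) from `curl -I` text."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def compare(crawler_raw, browser_raw):
    """Classify how the origin/CDN treated the two user agents."""
    c_status, c = parse_headers(crawler_raw)
    b_status, b = parse_headers(browser_raw)
    same_etag = c.get("etag") is not None and c.get("etag") == b.get("etag")
    both_hit = c.get("cf-cache-status") == b.get("cf-cache-status") == "HIT"
    if same_etag and both_hit:
        return "shared-cache-object"   # one cached body for every client
    differs = [k for k in ("etag", "content-length", "location")
               if c.get(k) != b.get(k)]
    if c_status != b_status or differs:
        return "ua-dependent"          # response varies with User-Agent
    return "indeterminate"
```

A differing ETag on its own can also come from compression or A/B variants, so treat ua-dependent as a prompt to fetch and diff the bodies rather than as a verdict.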

Mistake 4. Geo filter is too aggressive

"Show the main page only from the US" sounds logical, but it hits real users. Genuine visitors and platform reviewers sit in different regions: Dublin, Manila, Hyderabad. If the filter cuts everything except one geo, part of your legitimate audience sees the wrong page — and the platform records a mismatch between the ad and what's actually shown.

Right way: filter in two stages. Stage one — obvious data centers, VPN and Tor cut immediately. Stage two — for a region that doesn't match the offer, show a soft open page (real topical content, not an empty stub). That way any real visitor from any geo sees a meaningful, relevant page.

Mistake 5. DNS TTL is too long

Technical, but we see it constantly. You buy a domain, set an A record with TTL 86400, start running, everything works. Two weeks in you want to change infrastructure (move edge, change the load balancer), and you realise your domain's TTL is 24 hours. Recursive DNS resolvers around the world can keep serving the cached old record for another day.

If you have active campaigns at that moment, traffic splits for 24 hours into two halves: one works the old way, the other the new way, stats stop matching, and attribution breaks.

Right way: from the start, set TTL = 60–300 seconds on working domains. Cloudflare and Namecheap let you do this in one click. On a corporate front-end site you obviously want a normal TTL — a short one isn't needed there, but for working domains it's a basic rule.

Bonus: things that are not mistakes but many think they are

  • "Rotating the domain's IP every day helps". No, platforms don't track that. Content quality and relevance matter more than network infrastructure.
  • "If the creative was approved, we're fine forever". Not necessarily: algorithms re-review ads a few days after launch, and the quality assessment can change.
  • "A CDN with lots of IPs protects from problems". No: the assessment is tied to the domain and content, not to the IP.

What we do in TDS

In TDS.SO, filtering accounts for all five points: decisions by signal combination (score), dynamic open-page content, soft geo filtering with a neutral-content fallback. The goal is to screen out bots and irrelevant traffic with the fewest false positives on real users.

There's no universal "set it and forget it" setup in this space: every source has its specifics, and platform requirements change over time. If you want to review a specific configuration case — message us in live chat and we'll help you set it up.