Why Your Real Clicks Are Seeing the Safe Page (and How to Fix It)

If you're testing a flow and "everyone gets the safe page," the cloaking engine is almost never broken. It's usually one of three settings doing exactly what it was told. 1. Block visits without a referrer. This is the most common culprit. Most Facebook, Google and TikTok ad clicks — especially from in-app browsers — arrive with no referrer header. If this is on, those real clicks get the safe page. Leave it OFF for ad traffic. 2. Warm-up clicks. If you set a warm-up of N, the first N visitors each day get the safe page on purpose — for everyone, regardless of IP. Great right after launch, confusing during testing. Set it to 0 if you don't want it. 3. You're testing from a flagged source. A VPN, datacenter IP, or a tool/browser that doesn't send full browser headers (sec-ch-ua, Accept-Encoding) will be correctly blocked. Test from a real phone on mobile data, in a normal browser, with a referrer. The fastest way to diagnose it: open the Recent Decisions log. It shows each visit's verdict and a plain-English reason, so you can see exactly why someone was sent to the safe page.