More about meta tag verification

May 02, 2006

As we mentioned last week, we've added a new option for verifying site ownership. This method requires that you place a specific <meta> tag in the source code of your home page. Many features are available only to site owners and we want as many webmasters as possible to have access. Most site owners who can't upload files or specify names for files should be able to use this new method to verify. For instance, if you use Blogger, you can verify using this option.

To verify using the <meta> tag, simply click the Verify link for your site, choose Add a meta tag as the verification option, and then copy the tag provided to the <head> section of your home page.

This tag looks like this:

<meta name="verify-v1" content="unique-string">

You must place this meta tag:

  • On the home page of your site (sometimes called the index page or root page).
  • In the source code for that page.
  • In the first <head> section of the page, before the first <body> section.

You can't place this tag inside of another tag in the head section.

For instance, this is correct:

<html>
  <head>
    <meta name="verify-v1" content="unique-string">
    <title>Title</title>
    <style>
      <!-- style info here -->
    </style>
  </head>
  <body>
    <!-- body of the page here -->
  </body>
</html>

The meta tag inside the style section is incorrect:

<html>
  <head>
    <title>Title</title>
    <style>
      <meta name="verify-v1" content="unique-string">
    </style>
  </head>
  <body>
    ...

The meta tag inside the body section is incorrect:

<html>
  <head>
    <title>Title</title>
  </head>
  <body>
    <meta name="verify-v1" content="unique-string">
  </body>
</html>

The meta tag on a page with no head section is incorrect:

<html>
  <meta name="verify-v1" content="unique-string">
  ...
</html>

Below are some questions you might have about verification.

I have a blog, and anyone can post comments. If they post this meta tag in a comment, can they can claim ownership of my site?

No. We look for this meta tag in the home page of your site, only in the first section and before the first. If your home page is editable (for instance, your site is a wiki-like site or a blog with comments or has a guest book), someone can add this meta tag to the editable section of your page, but cannot claim that they own it.

So, how do you generate these cryptic tags anyway?

The unique string is generated by base-64 encoding the SHA256 hash of a string that is composed of the email address of the proposed owner of the site (for instance, admin@example.com) and the domain name of the site (for instance, example.com).

From this unique string, can someone determine my email address or identity?

Short answer, no. Long answer, we use a hashing scheme to compute the contents of the meta tag. Hashes cannot be "decrypted" back into the message.

Can the meta tag contents be cracked through a dictionary attack?

To reduce the risk of dictionary attacks, we use a random sequence of bytes (called salt) as a seed to the hash function. This makes dictionary attacks much more difficult.

Can someone determine if the same webmaster own multiple sites?

We use the domain name of your site (for instance, example.com ) to compute the unique string. Based on the contents of the tag, someone can determine if a webmaster owns different sites on the same domain, but not if the webmaster owns sites on different domains. For instance, someone can determine if the same webmaster owns https://www.example.com/ and https://subdomain.example.com/, but can't determine if the same webmaster owns https://www.example.com/ and https://www.google.com/.

What if my home page is not HTML content?

This method may not work for you. You must have a <head> section in order to be able to verify using this approach. Instead, try uploading a verification file to verify ownership of your site.

I've added my tag, but Google Sitemaps says it couldn't find it. Why?

Make sure your tag is in the first <head> section, and before the <body> section. Also ensure that it's not within the <style> tags or other specialized tags. The easiest way to make sure that the placement is one we can recognize is placing it right after your opening <head> tag, as follows:

<head>
  <meta name="verify-v1" content="unique-string">