9

Google Analytics shows a suspicious amount of (direct)/(none) as source for my website. I know that when an HTTP website is linked from an HTTPS website, the referrer information is lost.

In my case, I have a secure website https://example.com and I use the following Apache settings to forward users in case they try to access the non-secure version:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
RewriteRule ^([^\.]+)$ $1.html [NC,L]

Of course, I cannot control whether an external (secure) website links me via http or https.

Now my questions are:

  • Why is referrer information lost from https to http?
  • If an external website links me as http://example.com, will this be shown as direct in analytics?
  • Is there a way to redirect the user to the secure website, while preserving the referrer?
Marco Ancona

1 Answer

5

This is due to security:

Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead

This behaviour is better explained here:

When going between HTTP and HTTPS the HTTP spec says that a referer header should NOT be sent (see 15.1.3 in RFC2616). The spec doesn't say what should happen between HTTPS pages however.


Your question has been tackled on StackOverflow before. See this one.

Some fixes proposed:

1) For some browsers, you could simply add a new metatag to your page: <meta name="referrer" content="always"> or <meta name="referrer" content="origin">. Learn more about this meta. Differences in browser support can be found here.

2) You could use an intermediary page which tracks the pageview while the referrer is there (http): http://page.com/redirect?url=https://page.com/finalpage.htm where /redirect will make a call to Analytics to track finalpage.htm with referrer included before redirecting there. See full explanation.

3) You could add a parameter on the 301 redirect and override the referrer information with ga('set', 'referrer', 'http://example.com');. See full explanation. This could be combined with the previous point and avoid tracking on the intermediary page, but gather the data of the referrer.

Community
nitobuendia
  • Just as spam, but these options are the best solving this issue. – Kemen Paulos Plaza May 19 '17 at 08:10
  • Number 1) requires the meta tag to be set in the origin website, doesn't it? So it is not really a feasible fix – Marco Ancona May 19 '17 at 10:48
  • Then, try 2 ;) The only thing I can think of on the bad side is that it is possible that the rebound rate goes a bit down, because you track a pageview on the redirect (to get referrer to a certain landing) and then once redirected. I guess you need to make trade-offs at some point. – nitobuendia May 20 '17 at 02:57
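
Fix 3 from the answer above, sketched as an added example that is not part of the original answer or of any Google code: the port-80 side copies a validated Referer into a query parameter on the redirect, and the HTTPS landing page feeds it back through `ga('set', 'referrer', ...)`. The host `www.example.com`, the `ref` parameter name and the function names are assumptions; the redirect host is fixed rather than taken from a `url=` style parameter, so the redirect cannot be pointed at another site.

```javascript
// Added example, not from the original answer. The host, the "ref"
// parameter name and all function names are assumptions.
const CANONICAL_HOST = 'www.example.com';
const REF_PARAM = 'ref';

// Accept only absolute http(s) URLs of bounded length; anything else -> null.
function safeReferrer(value) {
  if (typeof value !== 'string' || value.length > 2048) return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    u.username = '';   // never forward credentials embedded in a URL
    u.password = '';
    return u.href;
  } catch {
    return null;
  }
}

// Port-80 side: compute the Location header for the redirect to HTTPS.
// requestTarget is the request path plus query; refererHeader may be undefined.
function buildRedirect(requestTarget, refererHeader) {
  const reqPath = requestTarget.startsWith('/') ? requestTarget : '/';
  // Parse against a dummy origin so only path and query are taken from the
  // request; the redirect host is fixed, which rules out an open redirect.
  const parsed = new URL('http://placeholder.invalid' + reqPath);
  const target = new URL(`https://${CANONICAL_HOST}`);
  target.pathname = parsed.pathname;
  target.search = parsed.search;
  target.searchParams.delete(REF_PARAM); // ignore a ref the visitor supplied
  const ref = safeReferrer(refererHeader);
  if (ref) target.searchParams.set(REF_PARAM, ref);
  return target.href;
}

// Landing page (HTTPS): restore the referrer before the pageview is sent.
// ga is the analytics.js command queue function used in the answer.
function applyReferrer(pageUrl, ga) {
  const ref = safeReferrer(new URL(pageUrl).searchParams.get(REF_PARAM));
  if (ref) ga('set', 'referrer', ref);
  return ref;
}
```

The `ref` value is as easy to forge as the Referer header itself, so treat it as untrusted analytics input. When the referring page is HTTPS and the link is plain HTTP, the browser sends no Referer and the redirect simply carries no `ref`.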