The War on Tracking: Why One Developer Banned All Query Strings
In an era of pervasive digital surveillance, the URL has become more than just a locator; it has become a tracking beacon. From utm_source to fbclid, giant platforms routinely append long strings of tracking parameters to outgoing links, often without the consent of the destination site or the user.
Chris Morgan, a web developer, recently took a hardline stance against this practice by implementing a blanket ban on unauthorized query strings for his personal website. This move has sparked a spirited debate on Hacker News about the intersection of web standards, user experience, and the philosophy of the "independent web."
The Case Against Query String Bloat
Morgan's motivation is straightforward: a distaste for the "abuse" of users and the pollution of URLs. When a third-party site appends tracking parameters to a link pointing to another's site, they are essentially hijacking the destination URL for their own telemetry.
As Morgan puts it, if he wanted to know where his traffic was coming from, he would check the Referer header. By adding query strings, the referring site is not providing a service to the destination, but rather creating a permanent record of the referral that persists even when the link is copied and shared manually.
This "bloat" is not just a matter of aesthetics. Many users find it frustrating to share a link only to realize it is thousands of characters long due to embedded tracking IDs. One commenter shared a practical workaround for this, utilizing a bookmarklet to strip query parameters before sharing:
javascript:(()=>navigator.clipboard.writeText(location.origin+location.pathname))();
Technical Implementation and the "Sassy" Server
Morgan implemented this ban via his Caddyfile (the configuration file for the Caddy web server). Instead of simply ignoring the unknown parameters—which is what most servers do—his site responds with an error. Specifically, he uses a 414 URI Too Long response, though he admits this is more for the humor of it than technical accuracy. He even included a special case for requests that end in a trailing question mark without parameters.
From a standards perspective, this is permissible. As one commenter noted after reviewing W3C standards, a query string is essentially a percent-encoded string following a ?. While URLSearchParams provides a standard way to parse these in JavaScript, the server is ultimately free to decide how to handle them. A 404 Not Found or 400 Bad Request would be technically appropriate for an unexpected query string, as it is as much a part of the URL API as the path itself.
The Counter-Argument: User Hostility vs. Site Autonomy
While many praised the move as a bold reclamation of the "small web," others argued that it is fundamentally hostile to the end user. The core of the criticism is that the user rarely controls the link they click. If a user clicks a link on Facebook or Instagram that has been automatically appended with a tracking ID, they are penalized with an error page through no fault of their own.
Critics argue that this approach punishes the victim of the tracking rather than the tracker. Suggested alternatives include:
- Silent Stripping: Redirecting the user to the same URL but without the query string.
- Educational Interstitials: Displaying a page that informs the user that tracking "gubbins" were found and offering a clean link to click.
- Permissive Ignoring: Simply ignoring the parameters and serving the content, which is the default behavior for most of the web.
The Broader Philosophical Divide
The discussion reveals a deeper tension in how we view the web. On one side is the "laissez-faire" view: the web is a permissionless hyperlanguage where outlink authors can craft URLs however they wish. In this view, strictness is seen as "prudishness" that contradicts the loose coupling that allowed the web to scale.
On the other side is the view of the web as a collection of sovereign digital spaces. In this framework, a website owner has the absolute right to define the interface of their server. As Morgan asserts, "It’s my website: I can do what I want with it."
Beyond Tracking: The Utility of Query Strings
It is also worth noting that query strings are not exclusively for tracking. They are essential for search queries, pagination, and certain types of dynamic content. Some users even use them for personal organization; one commenter mentioned using a date query string to create unique archives of the same page in a bookmark manager.
Ultimately, the ban on query strings is a symbolic act. While it may not stop the industry-wide trend of tracking, it serves as a technical protest against the invisible infrastructure of the modern web, reminding us that the server—and the person running it—still has a choice in how they interact with the rest of the internet.