Implement HTTP to HTTPs redirect preserving Google Analytics referrer

Question

Google Analytics shows a suspicious amount of (direct)/(none) as source for my website. I know that when an HTTP website is linked from an HTTPs website, the referrer information is lost.

In my case, I have a secure website https://example.com and I use the following Apache settings to forward users in case they try to access the non-secure version:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
RewriteRule ^([^\.]+)$ $1.html [NC,L]

Of course, I cannot control whether an external (secure) website links me via http or https.

Now my questions are:

• why referrer information is lost from https to http?
• if an external website links me as http://example.com, will this be showed as direct in analytics?
• is there a way to redirect the user to the secure website, while preserving the referrer?

Answer 1

This is due to security:

Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead

This behaviour is better explained here:

When going between HTTP and HTTPS the HTTP spec says that a referer header should NOT be sent (see 15.1.3 in RFC2616). The spec doesn't say what should happen between HTTPS pages however.

---

Your question has been tackled on StackOverflow before. See this one.

Some fixes proposed:

1) For some browsers, you could simply add a new metatag to your page: <meta name="referrer" content="always"> or <meta name="referrer" content="origin">. Learn more about this meta. Differences in browser support can be found here.

2) You could use an intermediary page which tracks the pageview while the referrer is there (http): http://page.com/reditect?url=https://page.com/finalpage.htm where /redirect will make a call to Analytics to track finalpage.htm with referrer included before redirecting there. See full explanation.

3) You could add a parameter on the 301 redirect and override the referrer information with ga('set', 'referrer', 'http://example.com');. See full explanation. This could be combined with the previous point and avoid tracking on the intermediary page, but gather the data of the referrer.