Chris Morgan blocks all unauthorized query strings on his site via Caddy, returning 414, to protest tracking and ref parameters added by third parties.
Key Takeaways
The ban covers all query strings not explicitly authorized; currently none are used, so all query strings return an error.
Implementation is a Caddyfile rule, making this a trivial ops change any self-hoster can replicate.
Morgan uses 414 URI Too Long deliberately over 400/404, for tone rather than strict correctness.
Past cache-busting params (?t=, ?h=) are intentionally broken; Morgan accepts that tradeoff.
The post frames ?utm_* and ?ref= params as abuse of the destination site’s URL namespace.
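The allowlist policy from the takeaways above, as an added example written as Python WSGI middleware; it is not Morgan's Caddyfile rule, which this page does not reproduce. The names `unauthorized_keys`, `QueryAllowlist`, `site_app` and `probe`, the sample queries, and the choice to let an empty query string through are assumptions.

```python
from urllib.parse import parse_qsl

REJECT_STATUS = "414 URI Too Long"  # the status the post picks over 400/404


def unauthorized_keys(query_string, allowed=frozenset()):
    """Return the query keys that are not on the allowlist, sorted."""
    # keep_blank_values=True so a bare "?ref" counts as a key instead of vanishing.
    pairs = parse_qsl(query_string, keep_blank_values=True)
    if query_string and not pairs:
        return [query_string]  # e.g. "&&": non-empty, yet no parsable key
    return sorted({key for key, _ in pairs} - set(allowed))


class QueryAllowlist:
    """WSGI middleware: reject any request carrying a key outside `allowed`.

    The default allowlist is empty, matching the post: no query string is
    authorized, so every non-empty query string is refused.
    """

    def __init__(self, app, allowed=()):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        if unauthorized_keys(environ.get("QUERY_STRING", ""), self.allowed):
            body = b"Query string not authorized\n"
            start_response(REJECT_STATUS, [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def site_app(environ, start_response):
    """Stand-in for the real site (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(app, query):
    """Send one constructed GET through `app` and return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": query}
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Passing a non-empty `allowed` set shows the "not explicitly authorized" half of the rule: an authorized key alone passes, but one extra tracking key on the same request still triggers the rejection.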
Hacker News Comment Review
Core confusion in comments: most readers could not articulate actual harm to the destination site from ?ref= or ?utm_* params, since the server ignores them and the Referer header already exposes origin.
Technical debate centered on correct HTTP status: 414 is pedantically wrong (URI isn’t too long); 400 or 403 are more defensible, with 402 and 418 floated as jokes.
Historical context noted: query-string-only routing (e.g., index.php?p=home) was common in early CMSs, so blanket rejection would have broken those sites entirely, validating per-site discretion.
Notable Comments
@wodenokoto: Raises the legitimate question of how ?ref= harms the destination site, noting the confusion about who actually benefits.
@0x62: Explains ?ref= is marketing signal for the origin site, useful for niche partnership discovery, not malicious to the destination.