Problem
Vercel Firewall’s Challenge flow (JS challenge, managed challenge) uses location.reload() after a user passes the challenge. This is a known Chromium behavior: location.reload() does not preserve the Referer header on the subsequent request. The result is that every user who passes a Vercel Firewall challenge arrives at your site with no referrer - regardless of where they came from.
This means all organic search traffic (Google, Bing, DuckDuckGo, etc.) that gets challenged is silently reclassified as direct / (not set) in every analytics tool: GA4, Adobe Analytics, Vercel Analytics, Plausible, Fathom — anything that relies on the Referer header or document.referrer for source attribution.
The Scale
On my site, Google Search Console reports ~400-500 organic clicks/day. Bing Webmaster Tools reports another ~200-300. GA4 shows only ~30-50 organic sessions. That’s an 85-90% attribution loss. The missing sessions aren’t gone, but instead they show up as direct / (none), inflating direct traffic by exactly the amount organic drops.
The Proof
I ran a controlled test on January 5, 2026:
- Firewall disabled for 2 hours: 75 organic search sessions with correct referrers (
google.com,bing.com,duckduckgo.com, etc.). Extrapolated to ~900/day — matching Search Console + Bing Webmaster volumes. - Firewall re-enabled: Referrers immediately disappeared. All traffic resumed showing as direct.
Same site. Same GA4 config. Same traffic sources. Same day. Only variable: Vercel Firewall on/off.
Vercel’s Acknowledgment
Vercel support (case #00904165) confirmed the issue:
- Jan 10: Vercel’s own Observability query showed the direct-traffic spike correlating with firewall enablement.
- Feb 5: Vercel engineers reproduced the bug internally and confirmed a redesign of the challenge completion flow is required.
- Feb 16: Support engineer stated:
“The fundamental issue is that
location.reload()doesn’t preserve the referrer, and that’s the underlying mechanism our challenge service depends on.”
Then the case was closed without a fix, without a timeline, and without a workaround. Follow-ups in March and April have gone unanswered.
Who is Affected
You are! Every Vercel customer who:
- Uses Firewall Challenge rules (JS challenge, managed challenge, attack challenge mode)
- Relies on referrer-based analytics for any purpose
This is likely massively underreported because:
- Most people don’t cross-reference
GA4with Search Console at the level needed to spot this - The total session count stays roughly the same (organic → direct shift), so dashboards don’t show an obvious drop
- If you’re not doing SEO, you might never notice your organic attribution is wrong
The Workaround (Imperfect)
You can add a Firewall bypass rule for requests with a search engine Referer header + GET method + non-API paths. This lets organic search traffic skip the challenge. The obvious downside is that anyone can spoof a Referer header, so this weakens your challenge coverage for page-level requests.
What Vercel Needs to Do
The fix is straightforward in concept: instead of using location.reload() after a successful challenge, Vercel needs to use a mechanism that preserves the original request’s Referer header. Options include server-side session validation (challenge result stored server-side, original request replayed without client-side reload), or a redirect that carries the original referrer through.
This has been confirmed as necessary by Vercel’s own engineering team. It just hasn’t been prioritized.
Why I’m Posting This Publicly
Four months of support tickets, controlled tests, screenshots, HAR files, and detailed write-ups have produced an acknowledgment but no action. The case was closed, reopened, transferred, and is now being ignored. A billing credit request has also gone unanswered.
If you use Vercel Firewall, please check your own analytics. Compare GA4 organic traffic to Search Console clicks. If you see a similar gap, you’re affected too — and Vercel needs to know this isn’t a single-customer issue.