Vercel Community

[▲ Vercel Community](/) · [Categories](/categories) · [Latest](/latest) · [Top](/top) · [Live](/live)

[Help](/c/help/9)

# Vercel Firewall challenges strip Referer header causing organic traffic attribution loss

1 view · 0 likes · 1 post


Mikelabs (@mikelabs) · 2026-04-10

## Problem

Vercel Firewall’s Challenge flow (JS challenge, managed challenge) uses `location.reload()` after a user passes the challenge. This is a known Chromium behavior: `location.reload()` does not preserve the `Referer` header on the subsequent request. The result is that every user who passes a Vercel Firewall challenge arrives at your site with no referrer - regardless of where they came from.

This means all organic search traffic (Google, Bing, DuckDuckGo, etc.) that gets challenged is silently reclassified as `direct / (not set)` in every analytics tool: `GA4`, Adobe Analytics, Vercel Analytics, Plausible, Fathom — anything that relies on the `Referer` header or `document.referrer` for source attribution.

## The Scale

On my site, Google Search Console reports ~400-500 organic clicks/day. Bing Webmaster Tools reports another ~200-300. `GA4` shows only ~30-50 organic sessions. That’s an 85-90% attribution loss. The missing sessions aren’t gone, but instead they show up as `direct / (none)`, inflating direct traffic by exactly the amount organic drops.

## The Proof

I ran a controlled test on January 5, 2026:

*   **Firewall disabled for 2 hours:** 75 organic search sessions with correct referrers (`google.com`, `bing.com`, `duckduckgo.com`, etc.). Extrapolated to ~900/day — matching Search Console + Bing Webmaster volumes.
*   **Firewall re-enabled:** Referrers immediately disappeared. All traffic resumed showing as direct.

Same site. Same `GA4` config. Same traffic sources. Same day. Only variable: Vercel Firewall on/off.

## Vercel’s Acknowledgment

Vercel support (case #00904165) confirmed the issue:

*   **Jan 10:** Vercel’s own Observability query showed the direct-traffic spike correlating with firewall enablement.
*   **Feb 5:** Vercel engineers reproduced the bug internally and confirmed a redesign of the challenge completion flow is required.
*   **Feb 16:** Support engineer stated: 
> "The fundamental issue is that `location.reload()` doesn’t preserve the referrer, and that’s the underlying mechanism our challenge service depends on."

Then the case was closed without a fix, without a timeline, and without a workaround. Follow-ups in March and April have gone unanswered.

## Who is Affected

You are! Every Vercel customer who:

1.  Uses Firewall Challenge rules (JS challenge, managed challenge, attack challenge mode)
2.  Relies on referrer-based analytics for any purpose

This is likely massively underreported because:

*   Most people don’t cross-reference `GA4` with Search Console at the level needed to spot this
*   The total session count stays roughly the same (organic → direct shift), so dashboards don’t show an obvious drop
*   If you’re not doing SEO, you might never notice your organic attribution is wrong

## The Workaround (Imperfect)

You can add a Firewall bypass rule for requests with a search engine `Referer` header + `GET` method + non-API paths. This lets organic search traffic skip the challenge. The obvious downside is that anyone can spoof a `Referer` header, so this weakens your challenge coverage for page-level requests.

## What Vercel Needs to Do

The fix is straightforward in concept: instead of using `location.reload()` after a successful challenge, Vercel needs to use a mechanism that preserves the original request’s `Referer` header. Options include server-side session validation (challenge result stored server-side, original request replayed without client-side reload), or a redirect that carries the original referrer through.

This has been confirmed as necessary by Vercel’s own engineering team. It just hasn’t been prioritized.

## Why I’m Posting This Publicly

Four months of support tickets, controlled tests, screenshots, HAR files, and detailed write-ups have produced an acknowledgment but no action. The case was closed, reopened, transferred, and is now being ignored. A billing credit request has also gone unanswered.

If you use Vercel Firewall, please check your own analytics. Compare `GA4` organic traffic to Search Console clicks. If you see a similar gap, you’re affected too — and Vercel needs to know this isn’t a single-customer issue.