Skip to content

[Challenges] Referer Header #26222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: production
Choose a base branch
from
Open

[Challenges] Referer Header #26222

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b0e179e
update referer header issue description
patriciasantaana Oct 30, 2025
7cb76c1
Merge branch 'production' into patricia/pcx19847-gtm
patriciasantaana Oct 31, 2025
0a60edc
wording + link
patriciasantaana Oct 31, 2025
c93c09a
Merge branch 'production' into patricia/pcx19847-gtm
patriciasantaana Nov 4, 2025
c8367d1
feedback
patriciasantaana Nov 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 41 additions & 3 deletions src/content/docs/cloudflare-challenges/troubleshooting/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,47 @@ Challenges are not supported by Microsoft Internet Explorer. If you are currentl

### Referer header

When a request is sent with a referer header, the user will receive a Challenge Page as a response. Upon solving the Challenge Page, the request with the referer is sent to the origin, and the response to the request is served to the user. The JavaScript on the response page may read the value of `document.referer`, but it will be inaccurate. This affects tools such as Google Analytics, which reads the referer from JavaScript.

You can add tracking scripts to Challenge Pages to capture the correct referer header on the initial request.
Your visitor's HTTP request contains a referer header set to the website that they came from. When they encounter and solve a Challenge Page, the request with the referer is sent to the origin, and the response to the request is served to the user. The JavaScript on the response page may read the value of `document.referer`, but it will not be accurate.

For example, a visitor coming from a given website is challenged by a [WAF rule](/waf/custom-rules/) via an interstitial Challenge Page served by your domain. Once the visitor loads the website's home page, the `document.referer` value is your domain, not the origin website.

This affects tools like Google Analytics, which reads the referer from JavaScript, since it replaces the previous website that visitors came from.

You can add tracking scripts, such as the Google Tag Manager Javascript, within an existing [Challenge Page](/rules/custom-errors/) to capture the correct referer header on the initial request.

```js title="Example JavaScript"
<script>
(function () {
const gaIds = {
"<YOUR_DOMAIN>": "<GA_TRACKING_ID>",
};

const gaId = gaIds[window.location.hostname];

if (gaId) {
const src = "https://www.googletagmanager.com/gtag/js?id=";

const gaScript = document.createElement("script");
gaScript.src = src.concat(gaId);
document.body.appendChild(gaScript);

window.dataLayer = window.dataLayer || [];
function gtag() {
dataLayer.push(arguments);
}
gtag("js", new Date());
gtag("config", gaId);
} else {
console.warn(
"Google Analytics ID not found for host:",
window.location.hostname,
);
}
})();
</script>
</body>

```

### Cross-origin resource sharing (CORS) preflight requests

Expand Down