No query strings here either

Summary

A couple of weeks ago, Chris Morgan published I've banned query strings. I read it, liked it and then did roughly the same thing on my own site - with two deliberate differences. Chris's opening sums up the motivation better than I could: I don't like people adding tracking stuff to URLs. Still less do I like people adding tracking stuff to my URLs. [...] UTM parameters are for me to use, not you. Leave my URLs alone. From chrismorgan.info/no-query-strings The premise is the same here. A ?utm_source=... or ?ref=... tacked onto one of my URLs by some intermediary is, at best, noise I never asked for and at worst a tracker the referrer is using to nudge my visitor's behaviour into a funnel. I'd rather refuse to serve those requests than pretend they're a legitimate way to reach a page on my site. I'm also a fan of having one true canonical URL to all my pages. Where I differ from Chris 1. cache-busters like ?v=<digits> are allowed Chris went for a true blanket ban - including breaking old cache-busting URLs like ?t=... and ?h=... that his site used to serve. That's likely the right call when none of those URLs are still in circulation. In any case, those might only be used for static assets anyways, where people don't have bookmarks to. My situation is slightly different: I actively use ?v=<n> as a cache buster on assets I serve today. The very HTML you're reading links to main.css?v=1. I use it so that I can set a very high Cache-Control: max-age: ... on static assets. If I matched Chris's strictness I'd have to either give up on query-string cache busting (and switch to fingerprinted filenames or Cache-Control juggling), or break my own page load on every bump. So my rule is a narrow allowlist: everything is blocked, except ?v=<digits>. The matcher is intentionally strict - the whole query string must be exactly v= followed by digits, nothing else, no extra parameters smuggled in alongside. (no_query_strings) { @bad_query `{http.request.orig_uri}.contains("?") && !{...