Analytics
2K members online now
2K members online now
Dive into multiple domain (Cross/Sub) tracking, implementing Ecommerce and Enhanced Ecommerce, setting up Event tracking, and Universal Analytics code.
 
Guide Me
star_border
Reply

Preventing the Referer HTTP header from being sent to Google Analytics

Visitor ✭ ✭ ✭
# 1
Visitor ✭ ✭ ✭

Hello,

 

We are looking at using Google Analytics for real-time user monitoring with an enterprise web application using the events API (not pageview).

 

Our web application MAY contain with Personally Identifiable Information (PII) or Protected Health Information (PHI) within the page URL, so we want to ensure that the Referer HTTP header is not sent to Google.

 

The only solution we've found so far is to put a proxy between our web-application and Google that strips out the Referer header. This approach also has the side effect of the Google tracking cookie also not being sent, which our security and compliance team is also in favour of.

 

However, to do this requires that we modify the /analytics.js file served by Google so the www.google-analytics.com domain is replaced with the domain of our proxy.

 

There is some concern that we are in breach of the Google Analytics terms of service with this approach. And we have to periodically check that the original analytics.js file hasn't been changed.

 

Is there anyone here in this forum that has solved this problem another way?

 

Or is there a Google representative here that can help determine if this solution is acceptable with respect to the GA Terms of Service, or knows of other options that we can consider?

 

Thanks,

David

1 Expert replyverified_user

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Participant ✭ ☆ ☆
# 2
Participant ✭ ☆ ☆
Hi David,

I will recommend to post this into Analytics section.

https://www.en.advertisercommunity.com/t5/Google-Analytics/ct-p/Google_Analytics

They will help you in better way.

Thanks,
Anand

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Explorer ✭ ☆ ☆
# 3
Explorer ✭ ☆ ☆
Hi david,
I have 2 suggestion:
user virtual url so you can define what you want to see on the url
https://developers.google.com/analytics/devguides/collection/analyticsjs/pages#tracking_virtual_page...

this because event continue to pass the url of the page.

The second suggestion is to use firebase analytics for web app.
Regards
Fil

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Visitor ✭ ✭ ✭
# 4
Visitor ✭ ✭ ✭
Thanks for the feedback. We're not immediately concerned about page view information at present, so I'm not sure that the virtual page view information for HTML5 history push state changes will help. And, unfortunately, we don't have the option of changing the URL of the pages we are explicitly tracking user events for.

We're already scrubbing the location URL that is sent as a query parameter to Google Analytics, but that doesn't prevent the Referer heading from including the page URL (as there is no way to manipulate that standard browser HTTP behaviour from JavaScript).

Firebase will still have a similar problem due to the Referer heading automatically being included by the browser with the HTTP request to the 3rd party service used for the recording the event information.

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Top Contributor
# 5
Top Contributor

Another way to get rid of referrer information is to *force* a referrer:

 

ga('set', 'referrer', 'http://thisreferralsite.com');

 

VP & Chief Evangelist at Hub'Scan | Contact me
Level 80 Digital Analytics Warrior, KPI Therapist and Keeper of the One True Tagging Plan

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Visitor ✭ ✭ ✭
# 6
Visitor ✭ ✭ ✭
Hello,

Forcing the referer through the ga("set") function just changes the Referer information that is sent in the query parameters to Google Analytics. It overrides the Referer available via JavaScript using document.referer, e.g. the Referer to the page that is currently being viewed.

It doesn't change the Referer HTTP header that is sent to Google in the HTTP request, which contains the URL of the page currently being viewed.

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Explorer ✭ ☆ ☆
# 7
Explorer ✭ ☆ ☆
did you try to add your proxy domain into referrer exclusion list?

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Visitor ✭ ✭ ✭
# 8
Visitor ✭ ✭ ✭
Also, we've looked into using the relatively new Referrer header policy (https://w3c.github.io/webappsec-referrer-policy/) but this isn't supported by all of the browsers that we support.

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Top Contributor
# 9
Top Contributor
To be frank, I haven't faced that use case yet.
Maybe you could fake a source/medium and as a result turn your referrer into a non-referrer? But that would mess up with your channels and such.
Alternatively, is the issue about passing any referrer data at all? Because you could use a view filter to truncate referrer information.
VP & Chief Evangelist at Hub'Scan | Contact me
Level 80 Digital Analytics Warrior, KPI Therapist and Keeper of the One True Tagging Plan

Re: Preventing the Referer HTTP header from being sent to Google Analytics

Visitor ✭ ✭ ✭
# 10
Visitor ✭ ✭ ✭
@Julien, our overall solution needs to be HIPAA compliant. We can't send any potential PII or PHI to Google Analytics regardless of whether that information can be filtered out of the reports that they present based on the information we sent through the ga() JS functions.

Sorry, I don't understand the fake source/medium concept. Do you mean so the Referer to the current page is something else? If so, I don't think that helps as standard browser behaviour is to send the current page URL in the HTTP Referer header in any HTTP requests from the current page.

At the moment, there is some risk of PII or PHI being leaked to Google Analytics through the standard HTTP referer header (regardless of any of the Referer capability that the Google JS APIs provide) due to our current page URL (and query parameter) structure. We have this same issue with any other real-time user monitoring service hosted in the cloud.

@Anand, do you mean posting this question in another one of the Boards within this forum?