As I understand it, the parameter is a means of tracking the site visitor so that if your site includes advertising from Facebook, they can customise it to match the recorded browsing habits of the visitor.
The Apache mod_rewrite solution above is problematic because it strips the entire query string. If the URL already had a query string, this will break it. To strip just the fbclid parameter, it's useful to note that Facebook always appends it to a URL, so it's always last. That simplifies the mod_rewrite code a little. This is what I do:
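# Strip Facebook spyware tokens
# Only redirect GET and HEAD; other methods are left alone
RewriteCond %{REQUEST_METHOD} =GET [NC,OR]
RewriteCond %{REQUEST_METHOD} =HEAD [NC]
# fbclid must be the last parameter; %1 captures whatever precedes it (without the trailing "&")
RewriteCond %{QUERY_STRING} ^(?:(.*)&)?fbclid=[^&]+$ [NC]
RewriteRule ^/?(.*)$ /$1?%1 [NE,L,R=301,E=limitcache:1]
# Cap caching of the 301 at one week (604800 seconds)
Header always set Cache-Control "max-age=604800" env=limitcache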
The E=limitcache:1 flag and Header directive are to limit how long the 301 redirect is cached. By default many browsers cache it literally forever. This reduces that to one week (or 604,800 seconds). I may be in a minority in thinking this, but that seems good practice to me. I don't know how long fbclid tokens persist, but if they're long-lasting, it means Facebook will be directing visitors to the same URLs for a long time, and if you ever want to support Facebook's targeted adverts, or if they start using the fbclid for other functionality that you need, you may find these permanently-cached redirects come back to bite. But if you're willing to risk it, you can delete both the Header directive and the E=limitcache:1 flag.
The two tests of %{REQUEST_METHOD} are to prevent Apache from redirecting POST requests (or more esoteric requests like PUT or DELETE, if they're relevant). Most browsers change the request to be a GET request on a 301 or 302 redirect, which is explicitly allowed by RFC 7231. There is a new 308 redirect code that must not have its method rewritten, but unfortunately it's not supported by Internet Explorer on Windows 7 (and probably never will be).
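
An offline check for candidate RewriteCond patterns for this rule, added here as an example and not part of the original answer: it models the method tests, the query-string condition and the substitution in Python's re (which behaves like PCRE for these patterns) and runs a loose and an anchored pattern over constructed requests. The function names, pattern labels and sample URLs are assumptions.

```python
import re

# Two candidate RewriteCond patterns for %{QUERY_STRING} (both matched with [NC]).
LOOSE = r"^(.*)&?fbclid=[^&]+$"         # greedy group, optional separator
ANCHORED = r"^(?:(.*)&)?fbclid=[^&]+$"  # fbclid must start a parameter

def redirect_target(pattern, method, path, query):
    """Model the rule: return the 301 Location, or None if no redirect."""
    if method.upper() not in ("GET", "HEAD"):   # the two REQUEST_METHOD tests
        return None
    m = re.search(pattern, query, re.IGNORECASE)
    if m is None:
        return None
    kept = m.group(1) or ""                     # %1; empty when the group is unset
    # Apache drops the query string when the substitution ends in a bare "?"
    return "/" + path.lstrip("/") + ("?" + kept if kept else "")

# Constructed sample requests (method, path, query string).
SAMPLES = [
    ("GET", "/post", "fbclid=IwAR0abc"),
    ("GET", "/post", "id=7&lang=en&fbclid=IwAR0abc"),
    ("GET", "/post", "notfbclid=keepme"),       # a different parameter
    ("GET", "/post", "fbclid=IwAR0abc&id=7"),   # not last: rule does not apply
    ("POST", "/form", "fbclid=IwAR0abc"),       # must never be redirected
]

def compare():
    """Return {sample: (loose_result, anchored_result)} for review."""
    return {s: (redirect_target(LOOSE, *s), redirect_target(ANCHORED, *s))
            for s in SAMPLES}

if __name__ == "__main__":
    for (method, path, query), (loose, anchored) in compare().items():
        print(f"{method} {path}?{query}\n  loose:    {loose}\n  anchored: {anchored}")
```

The loose pattern leaves a trailing "&" on the redirect target and also fires on any parameter whose name merely ends in "fbclid"; the anchored one does neither.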