Comment by kijin
8 hours ago
If there's a query parameter that you have a legitimate use for, like `q` for searching, obviously you should configure your web server to let it through.
Even in that case, you might want to block unexpected values as early as possible in your stack. For example, if you have a legitimate use for a certain set of `utm_source` values, but someone sends you Bobby Tables, you probably shouldn't log it blindly.
Ditto for the Referer header -- there's a lot of spam, and some of those strings might even be dangerous. You can't trust any of them anymore.
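The two habits the comment describes, an allowlist of query parameters with per-parameter value checks, and untrusted header values being scrubbed before they reach a log line, as an added example. This is not kijin's code; the parameter names, the set of accepted `utm_source` values, the length limits and the sample requests are assumptions chosen for illustration.

```python
"""Validate query parameters early and scrub Referer-style values before logging.

Added example, not from the original comment. Parameter names, the accepted
utm_source set, length caps and sample inputs are all assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qsl

# Assumed campaign vocabulary: anything outside this set is rejected, not stored.
UTM_SOURCES = frozenset({"newsletter", "twitter", "partner-a"})


def _is_free_text(value: str, max_len: int = 200) -> bool:
    # A search term is free text, but it still has to be printable and bounded.
    return len(value) <= max_len and all(ch.isprintable() for ch in value)


def _is_small_int(value: str) -> bool:
    return value.isascii() and value.isdigit() and int(value) <= 10_000


# Per-parameter policy: only names listed here are accepted at all.
ALLOWED_PARAMS: Dict[str, Callable[[str], bool]] = {
    "q": _is_free_text,                        # legitimate search parameter
    "utm_source": lambda v: v in UTM_SOURCES,  # fixed vocabulary only
    "page": _is_small_int,
}


def validate_query(query: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a raw query string into accepted parameters and rejection reasons.

    Unknown names and values failing their predicate are dropped here so that
    nothing downstream (handlers, loggers, analytics) ever sees them.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        check = ALLOWED_PARAMS.get(name)
        if check is None:
            rejected.append(f"unknown parameter {name!r}")
        elif not check(value):
            rejected.append(f"bad value for {name!r}")
        else:
            accepted[name] = value
    return accepted, rejected


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def safe_for_log(raw: str, max_len: int = 512) -> str:
    """Make an untrusted header value (e.g. Referer) safe to write to a text log.

    CR/LF and other control characters are replaced so a crafted value cannot
    forge extra log lines or emit terminal escapes; the length is capped so a
    multi-megabyte header cannot bloat the log.
    """
    cleaned = _CONTROL.sub("?", raw)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...(truncated)"
    return cleaned


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    ok, why = validate_query("q=hello+world&utm_source=newsletter&page=3")
    print(ok, why)
    ok, why = validate_query(
        "utm_source=Robert%27%29%3B+DROP+TABLE+Students%3B--&debug=1"
    )
    print(ok, why)
    referer = "http://spam.example/\r\n127.0.0.1 - - GET /admin 200"
    print(safe_for_log(referer))
```

The rejection list is what you would emit to a metrics counter or a rate limiter; the scrubbed string is the only form of a Referer or rejected value that should ever be written to a log.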