Html redirect header

Redirections in HTTP

URL redirection, also known as URL forwarding, is a technique to give more than one URL address to a page, a form, or a whole Web site/application. HTTP has a special kind of response, called an HTTP redirect, for this operation.

Redirects accomplish numerous goals:

  • Temporary redirects during site maintenance or downtime
  • Permanent redirects to preserve existing links/bookmarks after changing the site's URLs, progress pages when uploading a file, etc.


In HTTP, redirection is triggered by a server sending a special redirect response to a request. Redirect responses have status codes that start with , and a header holding the URL to redirect to.

When browsers receive a redirect, they immediately load the new URL provided in the header. Besides the small performance hit of an additional round-trip, users rarely notice the redirection.

There are several types of redirects, sorted into three categories:

  1. Permanent redirections
  2. Temporary redirections
  3. Special redirections

Permanent redirections

These redirections are meant to last forever. They imply that the original URL should no longer be used, and replaced with the new one. Search engine robots, RSS readers, and other crawlers will update the original URL for the resource.

| Code | Text | Method handling | Typical use case |
|---|---|---|---|
|  |  | methods unchanged. Others may or may not be changed to . [1] | Reorganization of a Web site. |
|  |  | Method and body not changed. | Reorganization of a Web site, with non-GET links/operations. |

[1] The specification did not intend to allow method changes, but there are existing user agents that do change their method. was created to remove the ambiguity of the behavior when using non- methods.

Temporary redirections

Sometimes the requested resource can't be accessed from its canonical location, but it can be accessed from another place. In this case, a temporary redirect can be used.

Search engine robots and other crawlers don't memorize the new, temporary URL. Temporary redirections are also used when creating, updating, or deleting resources, to show temporary progress pages.

| Code | Text | Method handling | Typical use case |
|---|---|---|---|
|  |  | methods unchanged. Others may or may not be changed to . [2] | The Web page is temporarily unavailable for unforeseen reasons. |
|  |  | methods unchanged. Others changed to (body lost). | Used to redirect after a or a , so that refreshing the result page doesn't re-trigger the operation. |
|  |  | Method and body not changed | The Web page is temporarily unavailable for unforeseen reasons. Better than when non- operations are available on the site. |

[2] The specification did not intend to allow method changes, but there are existing user agents that do change their method. was created to remove the ambiguity of the behavior when using non- methods.

Special redirections

(Not Modified) redirects a page to the locally cached copy (that was stale), and (Multiple Choice) is a manual redirection: the body, presented by the browser as a Web page, lists the possible redirections and the user clicks on one to select it.

| Code | Text | Typical use case |
|---|---|---|
|  |  | Not many: the choices are listed in an HTML page in the body. Machine-readable choices are encouraged to be sent as headers with . |
|  |  | Sent for revalidated conditional requests. Indicates that the cached response is still fresh and can be used. |

Alternative way of specifying redirections

HTTP redirects aren't the only way to define redirections. There are two others:

  1. HTML redirections with the element
  2. JavaScript redirections via the DOM

HTML redirections

HTTP redirects are the best way to create redirections, but sometimes you don't have control over the server. In that case, try a element with its attribute set to in the of the page. When displaying the page, the browser will go to the indicated URL.

The attribute should start with a number indicating how many seconds the browser should wait before redirecting to the given URL. Always set it to for accessibility compliance.

Obviously, this method only works with HTML, and cannot be used for images or other types of content.

JavaScript redirections

Redirections in JavaScript are performed by setting a URL string to the property, loading the new page:

Like HTML redirections, this can't work on all resources, and obviously, this will only work on clients that execute JavaScript. On the other hand, there are more possibilities: for example, you can trigger the redirect only if some conditions are met.

Order of precedence

With three ways to trigger redirections, several ways can be used at the same time. But which is applied first?

  1. HTTP redirects always execute first — they exist when there is not even a transmitted page.
  2. HTML redirects () execute if there weren't any HTTP redirects.
  3. JavaScript redirects execute last, and only if JavaScript is enabled.

When possible, use HTTP redirects and don't add element redirects. If someone changes the HTTP redirects but forgets to change the HTML redirects, the redirects will no longer be identical, which could cause an infinite loop or other nightmares.

Use cases

There are numerous use cases for redirects, but as performance is impacted with every redirect, their use should be kept to a minimum.

Domain aliasing

Ideally, there is one location, and therefore one URL, for each resource. But there are reasons for alternative names for a resource:

Expanding the reach of your site

A common case is when a site resides at , but accessing it from should also work. Redirections for to are thus set up. You might also redirect from common synonyms or frequent typos of your domains.

Moving to a new domain

For example, your company was renamed, but you want existing links or bookmarks to still find you under the new name.

Forcing HTTPS

Requests to the version of your site will redirect to the version of your site.

Keeping links alive

When you restructure Web sites, URLs change. Even if you update your site's links to match the new URLs, you have no control over the URLs used by external resources.

You don't want to break these links, as they bring valuable users and help your SEO, so you set up redirects from the old URLs to the new ones.

Note: This technique does work for internal links, but try to avoid having internal redirects. A redirect has a significant performance cost (as an extra HTTP request occurs). If you can avoid it by correcting internal links, you should fix those links instead.

Temporary responses to unsafe requests

Unsafe requests modify the state of the server and the user shouldn't resend them unintentionally.

Typically, you don't want your users to resend , or requests. If you serve the response as the result of this request, a simple press of the reload button will resend the request (possibly after a confirmation message).

In this case, the server can send back a (See Other) response for a URL that will contain the right information. If the reload button is pressed, only that page is redisplayed, without replaying the unsafe requests.

Temporary responses to long requests

Some requests may need more time on the server, like requests that are scheduled for later processing. In this case, the response is a (See Other) redirect that links to a page indicating that the action has been scheduled, and eventually informs about its progress, or allows to cancel it.

Configuring redirects in common servers


Redirects can be set either in the server config file or in the of each directory.

The module has and directives that set up redirects by default:

The URL will be redirected to , as will any files or directories under it ( will be redirected to )

does the same, but takes a regular expression to define a collection of affected URLs:

RedirectMatch ^/images/(.*)$$1

All documents in the directory will redirect to a different domain.

If you don't want a temporary redirect, an extra parameter (either the HTTP status code to use or the keyword) can be used to set up a different redirect:

Redirect permanent /
# …acts the same as:
Redirect 301 /

The module can also create redirects. It is more flexible, but a bit more complex.


In Nginx, you create a specific server block for the content you want to redirect:

server {
    listen 80;
    server_name;
    return 301 $scheme://$request_uri;
}

To apply a redirect to a directory or only certain pages, use the directive:

rewrite ^/images/(.*)$$1 redirect;
rewrite ^/images/(.*)$$1 permanent;


In IIS, you use the element to configure redirections.

Redirection loops

Redirection loops happen when additional redirections follow the one that has already been followed. In other words, there is a loop that will never be finished and no page will ever be found.

Most of the time this is a server problem, and if the server can detect it, it will send back a . If you encounter such an error soon after modifying a server configuration, this is likely a redirection loop.

Sometimes, the server won't detect it: a redirection loop can spread over several servers which each don't have the full picture. In this case, browsers will detect it and display an error message. Firefox displays:

Firefox has detected that the server is redirecting the request for this address in a way that will never terminate.

…while Chrome displays:

This Webpage has a redirect loop

In both cases, the user can't do much (unless corruption is happening on their side, like a mismatch of cache or cookies).

It is important to avoid redirection loops, as they completely break the user experience.


How to redirect from an HTML page?

Page redirection is the situation where you click a URL to reach page X but are internally directed to another page Y.

To redirect from an HTML page, use the META tag with its http-equiv attribute, which provides an HTTP header for the value of the content attribute. The value in content is the number of seconds after which you want the page to redirect.

Set the content attribute to 0, if you want it to load immediately.

The following is an example of redirecting current page to another page after 0 seconds.



<!DOCTYPE html>
<html>
   <head>
      <title>HTML Meta Tag</title>
      <meta http-equiv = "refresh" content = "2; url =" />
   </head>
   <body>
      <p>Hello HTML5!</p>
   </body>
</html>

URL redirection

Technique for making a Web page available under more than one URL address


URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when and are automatically redirected to

URL redirection is done for various reasons:

  • for URL shortening;
  • to prevent broken links when web pages are moved;
  • to allow multiple domain names belonging to the same owner to refer to a single web site;
  • to guide navigation into and out of a website;
  • for privacy protection; and
  • for hostile purposes such as phishing attacks or malware distribution.


There are several reasons to use URL redirection:

Forcing HTTPS

A website may potentially be accessible over both a secure HTTPS URI scheme and plain HTTP (an insecure URI beginning with "http://").

If a user types in a URI or clicks on a link that refers to the insecure variant, the browser will automatically redirect to the secure version in case the website is contained in the HSTS preload list shipped with the application or if the user had already visited the origin in the past.

Otherwise the website will be contacted over HTTP. A website operator may decide to serve such requests by redirecting the browser to the HTTPS variant instead and hopefully also priming HSTS for future accesses.

Similar domain names

A user might mistype a URL. Organizations often register these "misspelled" domains and redirect them to the "correct" location. This technique is often used to "reserve" other top-level domains (TLD) with the same name, or make it easier for a ".edu" or ".net" site to accommodate users who type ".com".

Moving pages to a new domain

Web pages may be redirected to a new domain for three reasons:

  • a site might desire, or need, to change its domain name;
  • an author might move their individual pages to a new domain;
  • two web sites might merge.

With URL redirects, incoming links to an outdated URL can be sent to the correct location. These links might be from other sites that have not realized that there is a change or from bookmarks/favorites that users have saved in their browsers. The same applies to search engines. They often have the older/outdated domain names and links in their database and will send search users to these old URLs. By using a "moved permanently" redirect to the new URL, visitors will still end up at the correct page. Also, in the next search engine pass, the search engine should detect and use the newer URL.

Logging outgoing links

The access logs of most web servers keep detailed information about where visitors came from and how they browsed the hosted site. They do not, however, log which links visitors left by. This is because the visitor's browser has no need to communicate with the original server when the visitor clicks on an outgoing link. This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can direct to a URL on the original website's domain that automatically redirects to the real target. This technique bears the downside of the delay caused by the additional request to the original website's server. As this added request will leave a trace in the server log, revealing exactly which link was followed, it can also be a privacy issue.[1] The same technique is also used by some corporate websites to implement a statement that the subsequent content is at another site, and therefore not necessarily affiliated with the corporation. In such scenarios, displaying the warning causes an additional delay.

Short aliases for long URLs

Web applications often include lengthy descriptive attributes in their URLs which represent data hierarchies, command structures, transaction paths and session information. This practice results in a URL that is aesthetically unpleasant and difficult to remember, and which may not fit within the size limitations of microblogging sites. URL shortening services provide a solution to this problem by redirecting a user to a longer URL from a shorter one.[1]

Meaningful, persistent aliases for long or changing URLs

Sometimes the URL of a page changes even though the content stays the same. Therefore, URL redirection can help users who have bookmarks. This is routinely done on Wikipedia whenever a page is renamed.



Post/Redirect/Get (PRG) is a web development design pattern that prevents some duplicate form submissions if the user clicks the refresh button after submitting the form, creating a more intuitive interface for user agents (users).

Device targeting and geotargeting

Redirects can be effectively used for targeting purposes like geotargeting. Device targeting has become increasingly important with the rise of mobile clients. There are two approaches to serve mobile users: Make the website responsive or redirect to a mobile website version. If a mobile website version is offered, users with mobile clients will be automatically forwarded to the corresponding mobile content. For device targeting, client-side redirects or non-cacheable server-side redirects are used. Geotargeting is the approach to offer localized content and automatically forward the user to a localized version of the requested URL. This is helpful for websites that target audience in more than one location and/or language. Usually server-side redirects are used for Geotargeting but client-side redirects might be an option as well, depending on requirements.[2]

Manipulating search engines

Redirects have been used to manipulate search engines with unethical intentions, e.g., URL hijacking. The goal of misleading redirects is to drive search traffic to landing pages, which do not have enough ranking power on their own or which are only remotely or not at all related to the search target. The approach requires a rank for a range of search terms with a number of URLs that would utilize sneaky redirects to forward the searcher to the target page. This method had a revival with the uprise of mobile devices and device targeting. URL hijacking is an off-domain redirect technique[3] that exploited the nature of the search engine's handling for temporary redirects. If a temporary redirect is encountered, search engines have to decide whether they assign the ranking value to the URL that initializes the redirect or to the redirect target URL. The URL that initiates the redirect may be kept to show up in search results, as the redirect indicates a temporary nature. Under certain circumstances it was possible to exploit this behavior by applying temporary redirects to well-ranking URLs, leading to a replacement of the original URL in search results by the URL that initialized the redirect, therefore "stealing" the ranking. This method was usually combined with sneaky redirects to re-target the user stream from the search results to a target page. Search engines have developed efficient technologies to detect these kinds of manipulative approaches. Major search engines usually apply harsh ranking penalties on sites that get caught applying techniques like these.[4]

Manipulating visitors

URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.[5] Because modern browsers always show the real URL in the address bar, the threat is lessened. However, redirects can also take you to sites that will otherwise attempt to attack in other ways. For example, a redirect might take a user to a site that would attempt to trick them into downloading antivirus software and installing a Trojan of some sort instead.

Removing information

When a link is clicked, the browser sends along in the HTTP request a field called referer which indicates the source of the link. This field is populated with the URL of the current web page, and will end up in the logs of the server serving the external link. Since sensitive pages may have sensitive URLs (for example, ), it is not desirable for the URL to leave the organization. A redirection page that performs referrer hiding could be embedded in all external URLs, transforming for example into . This technique also eliminates other potentially sensitive information from the referrer URL, such as the session ID, and can reduce the chance of phishing by indicating to the end user that they passed a clear gateway to another site.


Several different kinds of response to the browser will result in a redirection. These vary in whether they affect HTTP headers or HTML content. The techniques used typically depend on the role of the person implementing it and their access to different parts of the system. For example, a web author with no control over the headers might use a Refresh meta tag whereas a web server administrator redirecting all pages on a site is more likely to use server configuration.

Manual redirect

The simplest technique is to ask the visitor to follow a link to the new page, usually using an HTML anchor like:

Please follow <a href="">this link</a>.

This method is often used as a fall-back — if the browser does not support the automatic redirect, the visitor can still reach the target document by following the link.

HTTP status codes 3xx

In the HTTP protocol used by the World Wide Web, a redirect is a response with a status code beginning with 3 that causes a browser to display a different page. If a client encounters a redirect, it needs to make a number of decisions about how to handle it. Different status codes are used by clients to understand the purpose of the redirect, how to handle caching and which request method to use for the subsequent request.

HTTP/1.1 defines several status codes for redirection (RFC 7231):

  • 300 multiple choices (e.g. offer different languages)
  • 301 moved permanently (redirects permanently from one URL to another passing link equity to the redirected page)
  • 302 found (originally "temporary redirect" in HTTP/1.0 and popularly used for CGI scripts; superseded by 303 and 307 in HTTP/1.1 but preserved for backward compatibility)
  • 303 see other (forces a GET request to the new URL even if original request was POST)
  • 307 temporary redirect (provides a new URL for the browser to resubmit a GET or POST request)
  • 308 permanent redirect (provides a new URL for the browser to resubmit a GET or POST request)

Status codes 304 not modified and 305 use proxy are not redirects.

| HTTP Status Code | HTTP Version | Temporary / Permanent | Cacheable | Request Method Subsequent Request |
|---|---|---|---|---|
| 301 | HTTP/1.0 | Permanent | Yes | GET / POST may change |
| 302 | HTTP/1.0 | Temporary | not by default | GET / POST may change |
| 303 | HTTP/1.1 | Temporary | never | always GET |
| 307 | HTTP/1.1 | Temporary | not by default | may not change |
| 308 | HTTP/1.1 | Permanent | by default | may not change |

All of these status codes require the URL of the redirect target to be given in the Location: header of the HTTP response. The 300 multiple choices will usually list all choices in the body of the message and show the default choice in the Location: header.

Example HTTP response for a 301 redirect

An HTTP response with the 301 "moved permanently" redirect looks like this:

HTTP/1.1 301 Moved Permanently
Location:

<html>
<head><title>Moved</title></head>
<body>
<h1>Moved</h1>
<p>This page has moved to <a href=""></a>.</p>
</body>
</html>


Web authors producing HTML content can't usually create redirects using HTTP headers as these are generated automatically by the web server program when serving an HTML file. The same is usually true even for programmers writing CGI scripts, though some servers allow scripts to add custom headers (e.g. by enabling "non-parsed-headers"). Many web servers will generate a 3xx status code if a script outputs a "Location:" header line. For example, in PHP, one can use the "header" function:

header('HTTP/1.1 301 Moved Permanently');
header('Location:');
exit();

More headers may be required to prevent caching.[7] The programmer must ensure that the headers are output before the body. This may not fit easily with the natural flow of control through the code. To help with this, some frameworks for server-side content generation can buffer the body data. In the ASP scripting language, this can also be accomplished using and HTTP/1.1 allows for either a relative URI reference or an absolute URI reference.[8] If the URI reference is relative the client computes the required absolute URI reference according to the rules defined in RFC 3986.[9]

Apache HTTP Server mod_rewrite

The Apache HTTP Server mod_alias extension can be used to redirect certain requests. Typical configuration directives look like:

Redirect permanent /oldpage.html
Redirect 301 /oldpage.html

For more flexible URL rewriting and redirection, Apache mod_rewrite can be used. E.g., to redirect requests to a canonical domain name:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^([^.:]+\.)*oldsite\.example\.com\.?(:[0-9]*)?$ [NC]
RewriteRule ^(.*)$$1 [R=301,L]

Such configuration can be applied to one or all sites on the server through the server configuration files or to a single content directory through a file.

nginx rewrite

Nginx has an integrated http rewrite module,[10] which can be used to perform advanced URL processing and even web-page generation (with the directive). A showing example of such advanced use of the rewrite module is, which implements a deterministic URL shortening service entirely with the help of nginx configuration language alone.[11][12]

For example, if a request for were to come along, it would first be redirected internally to with the first rewrite directive below (only affecting the internal state, without any HTTP replies issued to the client just yet), and then with the second rewrite directive, an HTTP response with a 302 Found status code would be issued to the client to actually redirect to the external cgi script of web-man:[13]

location /DragonFly {
    rewrite ^/DragonFly(BSD)?([,/].*)?$ /d$2 last;
}
location /d {
    set $db "";
    set $ds "&section=";
    rewrite ^/./([^/]+)\.([1-9])$ $db$1$ds$2 redirect;
}

Refresh Meta tag and HTTP refresh header

Netscape introduced the meta refresh feature which refreshes a page after a certain amount of time. This can specify a new URL to replace one page with another. This is supported by most web browsers.[14][15] A timeout of zero seconds effects an immediate redirect. This is treated like a 301 permanent redirect by Google, allowing transfer of PageRank to the target page.[16]

This is an example of a simple HTML document that uses this technique:

<html>
<head>
<meta http-equiv="Refresh" content="0; url=" />
</head>
<body>
<p>Please follow <a href="">this link</a>.</p>
</body>
</html>

This technique can be used by web authors because the meta tag is contained inside the document itself. The meta tag must be placed in the "head" section of the HTML file. The number "0" in this example may be replaced by another number to achieve a delay of that many seconds. The anchor in the "body" section is for users whose browsers do not support this feature.

The same effect can be achieved with an HTTP header:

HTTP/1.1 200 OK
Refresh: 0; url=

Please follow <a href="">this link</a>.

This response is easier to generate by CGI programs because one does not need to change the default status code.

Here is a simple CGI program that effects this redirect:

#!/usr/bin/perl
# Emit the Refresh header, then the blank line that ends the headers, then the body.
print "Refresh: 0; url=\r\n";
print "Content-Type: text/html\r\n";
print "\r\n";
print "Please follow <a href=\"\">this link</a>!";

Note: Usually, the HTTP server adds the status line and the Content-Length header automatically.

The W3C discourage the use of meta refresh, since it does not communicate any information about either the original or new resource, to the browser (or search engine). The W3C's Web Content Accessibility Guidelines (7.4)[17] discourage the creation of auto-refreshing pages, since most web browsers do not allow the user to disable or control the refresh rate. Some articles that they have written on the issue include W3C Web Content Accessibility Guidelines (1.0): Ensure user control of time-sensitive content changes, Use standard redirects: don't break the back button![18] and Core Techniques for Web Content Accessibility Guidelines 1.0 section 7.[19]

JavaScript redirects

JavaScript can cause a redirect by setting the attribute, e.g.:


Normally JavaScript pushes the redirector site's URL to the browser's history. It can cause redirect loops when users hit the back button. With the following command you can prevent this type of behaviour.[20]


However, HTTP headers or the refresh meta tag may be preferred for security reasons and because JavaScript will not be executed by some browsers and many web crawlers.

Frame redirects

A slightly different effect can be achieved by creating an inline frame:

<iframe height="100%" width="100%" src="">
Please follow <a href="">link</a>.
</iframe>

One main difference to the above redirect methods is that for a frame redirect, the browser displays the URL of the frame document and not the URL of the target page in the URL bar. This cloaking technique may be used so that the reader sees a more memorable URL or to fraudulently conceal a phishing site as part of website spoofing.[21]

Before HTML5,[22] the same effect could be done with an HTML frame that contains the target page:

<frameset rows="100%">
  <frame src="">
  <noframes>
    <body>Please follow <a href="">link</a>.</body>
  </noframes>
</frameset>

Redirect chains

One redirect may lead to another. For example, the URL "" (with "*.com" as domain) is first redirected to (with domain name in .org), where you can navigate to the language-specific site. This is unavoidable if the different links in the chain are served by different servers though it should be minimised by rewriting the URL as much as possible on the server before returning it to the browser as a redirect.

Wikipedia has been redirecting its pages to HTTPS by default since 2015.[23]

Redirect loops

Sometimes a mistake can cause a page to end up redirecting back to itself, possibly via other pages, leading to an infinite sequence of redirects. Browsers should stop redirecting after a certain number of hops and display an error message.

The HTTP/1.1 Standard states:[24]

A client SHOULD detect and intervene in cyclical redirections (i.e., "infinite" redirection loops).

Note: An earlier version of this specification recommended a maximum of five redirections ([RFC 2068], Section 10.3). Content developers need to be aware that some clients might implement such a fixed limitation.

Note that the URLs in the sequence might not repeat.
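The method-handling table, the relative Location rule and the loop behaviour described above, combined in one added example that is not part of the original page: a redirect follower run against constructed responses. The example.test URLs, the fetch() stand-in and the choice to rewrite POST to GET on 301/302 (the table's "may change" case) are assumptions.

```python
"""Redirect follower over constructed responses (no network access)."""
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # the fixed limit RFC 2068 recommended; real clients vary

# Constructed sample data: absolute URL -> (status, Location header value).
# The example.test hosts are placeholders, not values from the page.
SAMPLE_SITE = {
    "http://example.test/form": (301, "https://example.test/form"),
    "https://example.test/form": (303, "/done"),  # relative reference
    "https://example.test/done": (200, None),
    "https://example.test/api": (308, "https://api.example.test/v2"),
    "https://api.example.test/v2": (200, None),
    "https://example.test/a": (302, "/b"),
    "https://example.test/b": (302, "/a"),  # cycle of two URLs
}
COUNTER_PREFIX = "https://example.test/page/"


class RedirectError(Exception):
    """Raised when a chain cannot be followed to a final response."""


def fetch(url):
    """Hypothetical stand-in for an HTTP request; answers from sample data."""
    if url.startswith(COUNTER_PREFIX):
        n = int(url[len(COUNTER_PREFIX):])
        return 302, f"/page/{n + 1}"  # each hop is a new URL: never repeats
    return SAMPLE_SITE.get(url, (404, None))


def next_method(status, method):
    """Request method for the follow-up request, per the status code table."""
    if status == 303:
        return "GET"  # always GET, body dropped
    if status in (301, 302) and method == "POST":
        return "GET"  # "may change": what existing user agents do
    return method  # 307/308 must not change the method


def follow(url, method="GET", max_hops=MAX_HOPS):
    """Follow redirects; return (final_url, final_method, chain)."""
    chain = [(method, url)]
    seen = {(method, url)}
    hops = 0
    while True:
        status, location = fetch(url)
        if status not in REDIRECT_CODES:
            return url, method, chain
        if not location:
            raise RedirectError(f"{status} response without Location at {url}")
        if hops == max_hops:
            # Catches chains whose URLs never repeat, which the set cannot.
            raise RedirectError(f"gave up after {max_hops} redirects at {url}")
        hops += 1
        method = next_method(status, method)
        url = urljoin(url, location)  # RFC 3986 resolution of relative refs
        if (method, url) in seen:
            raise RedirectError(f"loop detected: {url} was already requested")
        seen.add((method, url))
        chain.append((method, url))


if __name__ == "__main__":
    starts = [
        ("http://example.test/form", "POST"),
        ("https://example.test/api", "POST"),
        ("https://example.test/a", "GET"),
        ("https://example.test/page/1", "GET"),
    ]
    for start, verb in starts:
        try:
            final, final_verb, chain = follow(start, verb)
            print(f"{verb} {start} -> {final_verb} {final} ({len(chain) - 1} hops)")
        except RedirectError as exc:
            print(f"{verb} {start} -> refused: {exc}")
```

The visited-set check stops true cycles early; the hop limit is what ends a chain whose URLs never repeat.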


There exist services that can perform URL redirection on demand, with no need for technical work or access to the web server your site is hosted on.

URL redirection services

A redirect service is an information management system, which provides an internet link that redirects users to the desired content. The typical benefit to the user is the use of a memorable domain name, and a reduction in the length of the URL or web address. A redirecting link can also be used as a permanent address for content that frequently changes hosts, similarly to the Domain Name System. Hyperlinks involving URL redirection services are frequently used in spam messages directed at blogs and wikis. Thus, one way to reduce spam is to reject all edits and comments containing hyperlinks to known URL redirection services; however, this will also remove legitimate edits and comments and may not be an effective method to reduce spam. Recently, URL redirection services have taken to using AJAX as an efficient, user friendly method for creating shortened URLs. A major drawback of some URL redirection services is the use of delay pages, or frame based advertising, to generate revenue.


The first redirect services took advantage of top-level domains (TLD) such as ".to" (Tonga), ".at" (Austria) and ".is" (Iceland). Their goal was to make memorable URLs. The first mainstream redirect service was that boasted 4 million users at its peak in 2000. success was attributed to having a wide variety of short memorable domains including "", "", "", "" and "". was acquired by, a large free web hosting company, in early 1999.[25] As the sales price of top level domains started falling from $70.00 per year to less than $10.00, use of redirection services declined. With the launch of TinyURL in 2002 a new kind of redirecting service was born, namely URL shortening. Their goal was to make long URLs short, to be able to post them on internet forums. Since 2006, with the 140 character limit on the extremely popular Twitter service, these short URL services have been heavily used.

Referrer masking

Redirection services can hide the referrer by placing an intermediate page between the page the link is on and its destination. Although these are conceptually similar to other URL redirection services, they serve a different purpose, and they rarely attempt to shorten or obfuscate the destination URL (as their only intended side-effect is to hide referrer information and provide a clear gateway between other websites). This type of redirection is often used to prevent potentially-malicious links from gaining information using the referrer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic example of such a service, written in PHP.

<?php
$url = htmlspecialchars($_GET['url']);
header('Refresh: 0; url=https://' . $url);
?>
<!-- Fallback using meta refresh. -->
<html>
 <head>
  <title>Redirecting...</title>
  <meta http-equiv="refresh" content="0;url=https://<?= $url; ?>">
 </head>
 <body>
  Attempting to redirect to <a href="https://<?= $url; ?>">https://<?= $url; ?></a>.
 </body>
</html>

The above example does not check who called it (e.g. by referrer, although that could be spoofed). Also, it does not check the URL provided. This means that a malicious person could link to the redirection page using a URL parameter of his/her own selection, from any page, which uses the web server's resources.

Security issues

URL redirection can be abused by attackers for phishing attacks, such as open redirect and covert redirect. "An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation."[26] "Covert redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation."[27] Covert redirect was disclosed in May 2014 by Wang Jing, a mathematics doctoral student from Nanyang Technological University, Singapore.[28]
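The unchecked URL parameter in the referrer-masking script and the open/covert redirect definitions above both come down to how the destination is validated. The following is an added example, not part of the original article, of the same redirector restricted to an exact-match host allowlist; ALLOWED_HOSTS, its example.org entries and safe_destination() are hypothetical names.

```php
<?php
// Added example: allowlisted variant of the referrer-masking redirector.
// ALLOWED_HOSTS, its entries and safe_destination() are hypothetical.
const ALLOWED_HOSTS = ['example.org', 'docs.example.org'];

/**
 * Return a rebuilt https URL if $raw (a "host/path" string, as the original
 * script expects) names an allowlisted host, otherwise null.
 */
function safe_destination(string $raw): ?string
{
    // Refuse control characters and whitespace (header injection) and
    // backslashes, which some browsers treat like "/".
    if ($raw === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return null;
    }
    $parts = parse_url('https://' . $raw);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    // Userinfo ("example.org@other.example") and explicit ports are refused.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    // Exact match only: prefix, suffix or substring checks are the usual
    // form of "insufficient validation".
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Rebuild the URL from the parsed parts so the browser sees the same
    // host that was checked.
    $url = 'https://' . $host . ($parts['path'] ?? '/');
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Handle a request only under a web server, so the function is testable from the CLI.
if (PHP_SAPI !== 'cli') {
    $raw  = $_GET['url'] ?? null;
    $dest = is_string($raw) ? safe_destination($raw) : null;
    if ($dest === null) {
        http_response_code(400);
        exit('Destination not allowed.');
    }
    header('Referrer-Policy: no-referrer'); // ask the browser to omit the Referer
    header('Location: ' . $dest, true, 302);
    exit;
}
```

With this allowlist, `example.org/page?id=1` is redirected, while `example.org.other.example/`, `example.org@other.example/` and `other.example/?x=example.org` all receive a 400 response.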



  1. "Google revives redirect snoopery". 29 January 2009. ISSN 1797-1993. Archived from the original on 17 August 2011.
  2. "Redirects & SEO - The Total Guide". Audisto. Retrieved 29 November 2015.
  3. "SEO advice: discussing 302 redirects". Matt Cutts, former Head of Google Webspam Team. 4 January 2006.
  4. "Sneaky Redirects". Google Inc. 3 December 2015.
  5. "Unvalidated Redirects and Forwards Cheat Sheet". Open Web Application Security Project (OWASP). 21 August 2014.
  6. "Redirects & SEO - The Complete Guide". Audisto. Retrieved 29 November 2015.
  7. "PHP Redirects: 302 to 301 Rock Solid Robust Solution". Archived from the original on 12 October 2012.
  8. Roy T. Fielding; Julian F. Reschke, eds. (2014). "Location". Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. p. 68. sec. 7.1.2. doi:10.17487/RFC7231. RFC 7231.
  9. Berners-Lee, Tim; Fielding, Roy T.; Masinter, Larry (2005). "Reference Resolution". Uniform Resource Identifier (URI): Generic Syntax. IETF. p. 28. sec. 5. doi:10.17487/RFC3986. RFC 3986.
  10. "Module ngx_http_rewrite_module - rewrite". Retrieved 24 December 2014.
  11. Murenin, Constantine A. (18 February 2013). "A dynamic web-site written wholly in nginx.conf? Introducing!". [email protected] (Mailing list). Retrieved 24 December 2014.
  12. Murenin, Constantine A. (23 February 2013). " – Short manual page URLs for FreeBSD, OpenBSD, NetBSD and DragonFly BSD". Retrieved 25 December 2014.
  13. Murenin, Constantine A. (23 February 2013). "". Retrieved 25 December 2014.
  14. "HTML meta tag".
  15. "An Exploration of Dynamic Documents". 2 August 2002. Archived from the original on 2 August 2002.
  16. "Google and Yahoo accept undelayed meta refreshs as 301 redirects". Sebastian's Pamphlets. 3 September 2007.
  17. "Web Content Accessibility Guidelines 1.0".
  18. Team, the QA. "Use standard redirects".
  19. "Core Techniques for Web Content Accessibility Guidelines 1.0".
  20. "Cross-browser client side URL redirect generator". Insider Zone.
  21. Aaron Emigh (19 January 2005). "Anti-Phishing Technology". Archived 27 September 2007 at the Wayback Machine (PDF). Radix Labs.
  22. "HTML 5.2: 11. Obsolete features".
  23. "Wikipedia to start using secure HTTPS by default for all users". VentureBeat article, 12 June 2015.
  24. Roy T. Fielding; Julian F. Reschke, eds. (2014). "Redirection 3xx". Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. p. 54. sec. 6.4. doi:10.17487/RFC7231. RFC 7231.
  25. "Net gains for tiny Pacific nation". BBC News. 14 September 2007. Archived from the original on 12 May 2014. Retrieved 27 May 2010.
  26. "Open Redirect". OWASP. 16 March 2014. Retrieved 21 December 2014.
  27. "Covert Redirect". Tetraph. 1 May 2014. Retrieved 21 December 2014.
  28. "Serious security flaw in OAuth, OpenID discovered". CNET. 2 May 2014. Retrieved 21 December 2014.


PHP powers some of the most popular websites in the world, including WordPress websites. It’s a popular scripting language for website development because it’s fast, flexible, and easy to learn. PHP is primarily used to create dynamically generated web pages fast — although it can do much more.

For example, PHP can simplify certain tasks like setting up a redirect. Let’s take a closer look at what a PHP redirect is, then walk through how to set one up.


What is a PHP redirect?

A PHP redirect is a server-side solution to forwarding users and search engines from one URL to another using the header() function. Since it's server-side — as opposed to an HTML redirect, which is client-side — a PHP redirect provides faster and more secure navigation from one page to another.

Now that we understand the benefit of a PHP redirect, let’s look at how to set one up.

How to Redirect in PHP

To redirect in PHP, you’ll first need to write your header() function, starting with header().

Then, within the parentheses, you’ll define the Location response-header field with the URL or file name you wish to redirect users and search engines to. Supported files include PHP, HTML, Python, CGI, Perl, or compiled CGI programs. So your header function might look something like this: header("Location:"); or header("Location: example.php/");

After the semicolon, you’ll have to add one last function: either the die() or exit() function. Without either of these functions, the script keeps running after the header is set and still sends the rest of the page, so search engine crawlers or bots can ignore the header function and continue processing the page you wanted to redirect away from. Here’s how your header might look now: header("Location:"); exit;

Finally, you’ll wrap this function in <?php and ?> tags. The final result will look something like this:

PHP Redirect Header

There are some additional rules for using the header() function to set up a PHP redirect. First, where you place the header() function in your index.php file matters. Second, you can set HTTP status codes to control how the server redirects a user and search engine.

Let’s take a closer look at these rules below.

PHP Header Location

For the PHP redirect to work, the header() function must execute before any output is sent. That means, the code must be written above the <!DOCTYPE html> or <html> tags in your index.php file.

Otherwise, you'll likely get an error message that says "headers are already sent." Supposedly, the header function is so finicky that a single white space can prompt this error.

Here’s a look at the proper location:

Here's a look at an improper location:

HTTP Status Response Codes

HTTP status response codes let you know whether or not your HTTP request was successfully completed. There are different groups of response codes, including redirects. Since a redirect status code changes the way browsers and search engine bots handle redirects, it’s recommended that you set a status code when using header(Location:). Let’s take a look at the differences between the two most common redirect status codes below.

302 Code

If the status code is not specified in the header function, then it defaults to 302. 302 indicates a temporary redirection. Meaning, the requested URL resides temporarily under a different URI.

With a 302 redirect, browsers will typically cache the page for the session and no longer. Search engines will not typically transfer page rank to the new location either. That makes the 302 redirect ideal for performing site maintenance or other temporary use cases. 

Here’s an example of the header call with the 302 code specified:

This call not only sends the header back to the browser — it also returns a 302 redirect status code.

PHP 301 Redirect

If you would like to set the PHP redirect to be permanent instead of temporary, then you can use the status code 301. 301 indicates a permanent redirection so the browser will automatically redirect a user using the old URL to the new address of the page, and inform search engine bots that the page is no longer available and can be replaced with the new page. As a result, a 301 redirect is considered the most user and search engine-friendly 3xx code.

The other key differences between 302 and 301 redirects are that browsers will typically cache the page for longer than the session, possibly even indefinitely, and search engines typically transfer page rank to the new location. That makes 301 redirects ideal for redirecting duplicate content, migrating to a new domain, and more.

Here’s an example of the header call with the 301 code specified:
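The placement, status-code and exit rules from the sections above, combined in one added example (not the article's own code); redirect_to(), the paths in $moved and the maintenance.flag file are hypothetical.

```php
<?php
// Added example; redirect_to() and all paths below are hypothetical.

/**
 * Send a redirect with an explicit status code and stop the script.
 * Throws instead of failing quietly when output has already started.
 */
function redirect_to(string $target, int $status = 302): void
{
    // Accept redirect status codes only.
    if (!in_array($status, [301, 302, 303, 307, 308], true)) {
        throw new InvalidArgumentException("Not a redirect status: $status");
    }
    // Refuse CR/LF explicitly rather than relying on header() to warn.
    if (preg_match('/[\r\n]/', $target)) {
        throw new InvalidArgumentException('Line break in redirect target');
    }
    // headers_sent() reports where output began, which is the cause of the
    // "headers already sent" error.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
    // The third argument sets the response code; without it, a Location
    // header defaults to 302.
    header('Location: ' . $target, true, $status);
    // Stop here so nothing below the redirect is executed or sent.
    exit;
}

// This part must run before any output, including whitespace above "<?php".
$moved = ['/old-pricing' => '/pricing', '/blog.php' => '/blog/'];
$path  = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if (is_string($path) && isset($moved[$path])) {
    redirect_to($moved[$path], 301);        // permanent: the page has moved
}
if (is_file(__DIR__ . '/maintenance.flag')) {
    redirect_to('/maintenance.html', 302);  // temporary: removed later
}
?>
<!DOCTYPE html>
<html><body>Regular page content.</body></html>
```

The targets here are fixed strings chosen by the site owner; a target taken from request input needs an allowlist check before it reaches header().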

PHP Redirect Without Header

If you have issues with the header function, you can still set up a PHP redirect with JavaScript. While the redirect might be slower using JavaScript, it will still be effective.

Setting up the redirect with JavaScript is simple. You start with the window.location object. Then set its href property to the URL you want to redirect users and search engine bots to. Don't forget to add the appropriate attributes to ensure it opens in a new window. Finally, wrap it in <script></script> tags.

Here’s how the code will look using JavaScript:

There are a few problems with this method, however, in addition to it being slower. First and foremost, JavaScript needs to be enabled and downloaded on the client’s browser for this to work. There are also no status codes involved so you can’t include information about the redirect for search engines. For these reasons, using the header function is considered a best practice.

Setting Up Your PHP Redirects

PHP redirects can help users and search engines navigate smoothly and securely between pages on your site. The good news is setting up these redirects is easy thanks to the header() function.



Header html redirect

How to Easily Make HTML Redirect to Another Page

TL;DR – HTML redirect takes a website visitor to another site automatically.

What is an HTML Redirect?

A redirect happens when a user enters a URL, but it changes, and the browser takes them to a different one instead. Website creators rely on them when they need to change the structure of their site or the location of a particular page. Of course, you may redirect to a completely different website as well.

When working with Hypertext Transfer Protocol (HTTP), you need to have a basic understanding of its response codes. They contain three digits, the first of which defines their type:

Response code    Response type
1xx              An information response (e.g. Processing)
2xx              A successful response (e.g. OK)
3xx              A redirection response (e.g. Moved Permanently)
4xx              A client-side error response (e.g. Not Found)
5xx              A server-side error response (e.g. Bad Gateway)

Let’s say you closed your old website and opened a new one. If a user types a URL of the old one into their browser, it will return the response code 404 (Not Found). However, if you use an HTML redirect, the user will get either 301 (Moved Permanently) or 302 (Found). This code is invisible to the user, but the browser understands it and redirects the user to the new URL in moments.

The Syntax for HTML Redirect Code

The HTML redirect is also known as the meta refresh redirect, or simply HTML meta redirect. It allows you to choose whether you need an immediate or a delayed redirect. If you specify the delay time in seconds, the user will see the old page for exactly that long.

To make a page in HTML redirect to another page, you should follow this syntax:


As you can see, it requires two parameters:

  • represents the delay before the browser redirects the user to a different page. Define it in seconds, or enter a 0 if you need an immediate HTML redirect.
  • represents the URL address you need to redirect your user to after the delay.

In the example below, you can see the HTML redirect code that takes the user to BitDegree’s website with a delay of five seconds:


Just like all meta tags, the HTML redirect code should be placed in the <head> section of the document. This way, the browser receives certain instructions that stay invisible to the user.

Why Delay a Redirect in HTML?

If you’re not sure why you should delay your HTML meta redirect, think about a chance to set a message for the user. You could inform them the page has moved, and then promptly send them to the new one.

Another important reason is the slight chance of the tag not being rendered correctly. This might happen if the user is using some ancient browser. In this case, you may add a direct link to the old page which the user might click manually if the HTML redirect code fails.



As you can see, all you need to add a direct clickable link is a pair of anchor tags. Make sure to place it in the <body> section and not the <head> with the HTML meta redirect tag: there is no use for a clickable link that a user cannot see in the first place.

HTML Redirect: Useful Tips

  • If you don’t define a new URL address for the redirect, the HTML page will simply reload itself after the time specified. It can be useful when you need to refresh dynamic content.
  • We’d advise you to avoid delays shorter than 3 seconds, as that makes it virtually impossible for the user to click the Back button on their browser.
  • Be careful not to overuse HTML meta redirects: if your website has a ton of them, the search engines may think it contains spam and remove it from their index.
  • You can also create redirects with PHP, JavaScript, Ruby on Rails, and Python Flask, as well as in the Apache, Nginx, and Lighttpd web servers.
