URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

URL redirection is done for various reasons:

  • for URL shortening;
  • to prevent broken links when web pages are moved;
  • to allow multiple domain names belonging to the same owner to refer to a single web site;
  • to guide navigation into and out of a website;
  • for privacy protection (such as redirecting YouTube and Twitter links to Invidious and Nitter respectively, or turning AMP links into normal links); and
  • for hostile purposes such as phishing attacks or malware distribution.

Purposes

There are several reasons to use URL redirection:

Forcing HTTPS

A website may potentially be accessible over both a secure HTTPS URI scheme and plain HTTP (an insecure URI beginning with "http://").

If a user types in a URI or clicks on a link that refers to the insecure variant, the browser will automatically redirect to the secure version if the website is contained in the HSTS preload list shipped with the application, or if the user has already visited the origin in the past and received an HSTS policy from it.

Otherwise the website will be contacted over HTTP. A website operator may decide to serve such requests by redirecting the browser to the HTTPS variant instead and hopefully also priming HSTS for future accesses.
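A minimal handler implementing the pattern just described, as an added example that is not code from the article or from any server project: plain-HTTP requests receive a 301 to the same resource under https://, and only HTTPS responses carry the Strict-Transport-Security header, since browsers ignore HSTS received over HTTP. The hostnames and the one-year max-age are assumed values.

```python
# Added example: force HTTPS and prime HSTS on the secure response.
from urllib.parse import urlunsplit

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy value)


def https_redirect_target(scheme, host, path, query=""):
    """Return the https:// URL for an insecure request, or None if already secure."""
    if scheme == "https":
        return None
    hostname = host
    # Drop an explicit default port so we do not emit https://host:80/
    if hostname.endswith(":80"):
        hostname = hostname[:-3]
    return urlunsplit(("https", hostname, path, query, ""))


def handle(environ):
    """WSGI-style request handler returning (status, headers, body)."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "example.com")  # assumed default host
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    target = https_redirect_target(scheme, host, path, query)
    if target is not None:
        # 301 so browsers and search engines treat the HTTPS URL as permanent.
        # No HSTS header here: it would be ignored on a plain-HTTP response.
        return ("301 Moved Permanently",
                [("Location", target), ("Content-Length", "0")], b"")
    headers = [
        ("Content-Type", "text/plain"),
        # Served over HTTPS, so the browser records the policy and will
        # rewrite future http:// requests to https:// itself.
        ("Strict-Transport-Security",
         f"max-age={HSTS_MAX_AGE}; includeSubDomains"),
    ]
    return ("200 OK", headers, b"secure content")


def app(environ, start_response):
    """Plain WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]
```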

Similar domain names


A user might mistype a URL. Organizations often register these misspelled domains and redirect them to the intended location. This technique is often used to "reserve" other top-level domains (TLD) with the same name, or make it easier for a ".edu" or ".net" site to accommodate users who type ".com".

Moving pages to a new domain

Web pages may be redirected to a new domain for three reasons:

  • a site might desire, or need, to change its domain name;
  • an author might move their individual pages to a new domain;
  • two web sites might merge.

With URL redirects, incoming links to an outdated URL can be sent to the correct location. These links might be from other sites that have not realized that there is a change or from bookmarks/favorites that users have saved in their browsers. The same applies to search engines. They often have the older/outdated domain names and links in their database and will send search users to these old URLs. By using a "moved permanently" redirect to the new URL, visitors will still end up at the correct page. Also, in the next search engine pass, the search engine should detect and use the newer URL.

The access logs of most web servers keep detailed information about where visitors came from and how they browsed the hosted site. They do not, however, log which links visitors left by. This is because the visitor's browser has no need to communicate with the original server when the visitor clicks on an outgoing link. This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can direct to a URL on the original website's domain that automatically redirects to the real target. This technique bears the downside of the delay caused by the additional request to the original website's server. As this added request will leave a trace in the server log, revealing exactly which link was followed, it can also be a privacy issue. For example, the URL "https://wikipedia.com" (under the .com domain) is first redirected to https://www.wikipedia.org/ (under the .org domain), from where you can navigate to the language-specific site. Such a chain is unavoidable if its links are served by different servers, though it should be kept as short as possible by rewriting the URL as far as possible on the server before returning it to the browser as a redirect.

Redirect loops

Sometimes a mistake can cause a page to end up redirecting back to itself, possibly via other pages, leading to an infinite sequence of redirects. Browsers should stop redirecting after a certain number of hops and display an error message.
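The two safeguards mentioned above, a hop limit and detection of a URL that recurs in the chain, as an added example that is not code from the article or from any browser. The "server" is a constructed in-memory table mapping a URL to its Location target, standing in for real HTTP responses; the example.test URLs and the hop limit of 20 are assumed values.

```python
# Added example: follow a redirect chain with loop detection and a hop cap.
MAX_HOPS = 20  # assumed limit; real browsers use a fixed limit of this order

# Constructed sample redirect table: request URL -> Location header target.
REDIRECTS = {
    "http://example.test/old": "http://example.test/new",
    "http://example.test/new": "https://example.test/new",
    "http://example.test/a": "http://example.test/b",      # a -> b -> c -> a
    "http://example.test/b": "http://example.test/c",
    "http://example.test/c": "http://example.test/a",
    "http://example.test/self": "http://example.test/self",  # redirects to itself
}


class RedirectError(Exception):
    """Raised when a chain loops or exceeds the hop limit."""


def follow(url, table=REDIRECTS, max_hops=MAX_HOPS):
    """Return (final_url, chain) for a start URL, or raise RedirectError.

    A URL with no entry in the table is treated as a final (non-redirect)
    response. A loop is reported as soon as a URL already in the chain
    reappears, so the error message shows the full cycle.
    """
    chain = [url]
    seen = {url}
    while url in table:
        if len(chain) - 1 >= max_hops:
            raise RedirectError(f"more than {max_hops} redirects: {chain}")
        url = table[url]
        if url in seen:
            raise RedirectError(f"redirect loop: {chain + [url]}")
        seen.add(url)
        chain.append(url)
    return url, chain
```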

The HTTP/1.1 Standard states: Open redirects have their own CWE identifier, CWE-601.

URL redirection also provides a mechanism to perform cross-site leak attacks. By timing how long a website takes to return a particular page, or by distinguishing one destination page from another, an attacker can gain significant information about another website's state. In 2021, Knittel et al. discovered a vulnerability in Chrome's Performance API implementation which allowed them to reliably detect cross-origin redirects.

See also


  • Canonical link element
  • Clean URL
  • Domain masking
  • HTTP location
  • Link rot
  • URI normalization
