URL redirection

If a user types in a URI or clicks on a link that refers to the insecure variant, the browser will automatically redirect to the secure version if the website is contained in the HSTS preload list shipped with the application or if the user has already visited the origin in the past.

A website operator may decide to serve such requests by redirecting the browser to the HTTPS variant instead and hopefully also priming HSTS for future accesses.
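The upgrade redirect described above, as an added example that is not part of the original page. The function name `respond`, the host allowlist and the `example.org` hostnames are assumptions made for illustration.

```python
# Assumption: the hostnames this site legitimately serves (constructed values).
CANONICAL_HOSTS = {"example.org", "www.example.org"}
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def respond(scheme, host_header, target):
    """Return (status, headers) for one request.

    scheme      -- "http" or "https", as seen by the TLS terminator
    host_header -- raw Host header sent by the client (untrusted)
    target      -- request target such as "/docs?id=7" (untrusted)
    """
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    # Never echo an unknown Host into Location: that would turn the
    # upgrade redirect itself into an open redirect.
    if host not in CANONICAL_HOSTS:
        return 400, {}
    # Accept only origin-form targets without control characters, so
    # "//other.host/x" and header-splitting input are refused.
    if (not target.startswith("/") or target.startswith("//")
            or any(ord(c) < 0x20 for c in target)):
        return 400, {}
    if scheme == "http":
        # RFC 6797: the HSTS header is not sent over plain HTTP, and
        # browsers ignore it there. The redirect only moves the client
        # to HTTPS, where the policy can be set.
        return 301, {"Location": f"https://{host}{target}"}
    # Over HTTPS the response primes HSTS for future visits.
    return 200, {"Strict-Transport-Security": HSTS_VALUE}
```

The first plain-HTTP request is still sent in the clear; only the preload list removes that initial exposure.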

This technique is often used to "reserve" other top-level domains (TLD) with the same name, or make it easier for a ".edu" or ".net" site to accommodate users who type ".com".

As this added request will leave a trace in the server log, revealing exactly which link was followed, it can also be a privacy issue.

Web applications often include lengthy descriptive attributes in their URLs which represent data hierarchies, command structures, transaction paths and session information.

This practice results in a URL that is aesthetically unpleasant and difficult to remember, and which may not fit within the size limitations of microblogging sites.

The approach requires ranking for a range of search terms with a number of URLs that use sneaky redirects to forward the searcher to the target page.

This method was usually combined with sneaky redirects to re-target the user stream from the search results to a target page.

[4] URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

For example, a redirect might take a user to a site that would attempt to trick them into downloading antivirus software and installing a Trojan of some sort instead.

This field is populated with the URL of the current web page, and will end up in the logs of the server serving the external link.

This technique also eliminates other potentially sensitive information from the referrer URL, such as the session ID, and can reduce the chance of phishing by indicating to the end user that they passed a clear gateway to another site.

In the HTTP protocol used by the World Wide Web, a redirect is a response with a status code beginning with 3 that causes a browser to display a different page.

An HTTP response with the 301 "moved permanently" redirect looks like this:

Web authors producing HTML content can't usually create redirects using HTTP headers as these are generated automatically by the web server program when serving an HTML file.

Nginx has an integrated http rewrite module,[10] which can be used to perform advanced URL processing and even web-page generation (with the return directive).

An example of such advanced use of the rewrite module is mdoc.su, which implements a deterministic URL shortening service entirely with the help of nginx configuration language alone.[11][12]

For example, if a request for /DragonFlyBSD/HAMMER.5 were to come along, it would first be redirected internally to /d/HAMMER.5 with the first rewrite directive below (only affecting the internal state, without any HTTP replies issued to the client just yet), and then with the second rewrite directive, an HTTP response with a 302 Found status code would be issued to the client to actually redirect to the external cgi script of web-man:[13]

Netscape introduced the meta refresh feature which refreshes a page after a certain amount of time.

The same effect can be achieved with an HTTP refresh header:

This response is easier to generate by CGI programs because one does not need to change the default status code.

Here is a simple CGI program that effects this redirect:

Note: Usually, the HTTP server adds the status line and the Content-Length header automatically.

[20] However, HTTP headers or the refresh meta tag may be preferred for security reasons and because JavaScript will not be executed by some browsers and many web crawlers.

This cloaking technique may be used so that the reader sees a more memorable URL or to fraudulently conceal a phishing site as part of website spoofing.

There exist services that can perform URL redirection on demand, with no need for technical work or access to the web server your site is hosted on.

The typical benefit to the user is the use of a memorable domain name, and a reduction in the length of the URL or web address.

A redirecting link can also be used as a permanent address for content that frequently changes hosts, similarly to the Domain Name System.

Hyperlinks involving URL redirection services are frequently used in spam messages directed at blogs and wikis.

A major drawback of some URL redirection services is the use of delay pages, or frame-based advertising, to generate revenue.

[25] As the sales price of top-level domains started falling from $50.00 per year to less than $10.00, use of redirection services declined.

This type of redirection is often used to prevent potentially-malicious links from gaining information using the referrer, for example a session ID in the query string.

In June 2022, TechRadar found over 25 active examples of open redirect vulnerabilities on the web, including sites like Google and Instagram.
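A referrer-scrubbing gateway of the kind described above becomes an open redirect if it forwards to any target it is handed. The added example below (not part of the original page) signs outbound links with an HMAC so the gateway only redirects to URLs the site itself generated; the `/out` endpoint, the key and the function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: a server-side secret (constructed value); load it from a
# secret store in a real deployment.
LINK_KEY = b"constructed-demo-key"


def _sign(url):
    return hmac.new(LINK_KEY, url.encode(), hashlib.sha256).hexdigest()


def make_gateway_link(url):
    """Build the /out link that the site embeds in its own pages."""
    return f"/out?url={quote(url, safe='')}&sig={_sign(url)}"


def handle_gateway(request_target):
    """Return (status, headers) for a request to the hypothetical /out endpoint."""
    query = parse_qs(urlsplit(request_target).query)
    url = query.get("url", [""])[0]
    sig = query.get("sig", [""])[0]
    # Refuse targets the site did not mint itself; without this check
    # anyone could use the gateway to dress up a link to another site.
    if not hmac.compare_digest(sig.encode(), _sign(url).encode()):
        return 400, {}
    parts = urlsplit(url)
    # Only plain web links with a host are forwarded.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return 400, {}
    return 302, {
        "Location": url,
        # Ask the browser to send no Referer with the follow-up request,
        # so session IDs in the linking page's URL are not passed on.
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }
```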

In 2021, Knittel et al. discovered a vulnerability in Chrome's Performance API implementation which allowed them to reliably detect cross-origin redirects.