HOME

TheInfoList



OR:

URL redirection, also called URL forwarding, is a
World Wide Web The World Wide Web (WWW), commonly known as the Web, is an information system enabling documents and other web resources to be accessed over the Internet. Documents and downloadable media are made available to the network through web se ...
technique for making a web page available under more than one URL address. When a
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL
domain Domain may refer to: Mathematics *Domain of a function, the set of input values for which the (total) function is defined **Domain of definition of a partial function **Natural domain of a partial function **Domain of holomorphy of a function * Do ...
are redirected to a different domain, as whe
wikipedia.com
an
wikipedia.net
are automatically redirected t
wikipedia.org
URL redirection is done for various reasons: * for
URL shortening URL shortening is a technique on the World Wide Web in which a Uniform Resource Locator (URL) may be made substantially shorter and still direct to the required page. This is achieved by using a redirect which links to the web page that has ...
; * to prevent broken links when web pages are moved; * to allow multiple domain names belonging to the same owner to refer to a single
web site A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google, Facebook, Amazon, and Wikip ...
; * to guide navigation into and out of a website; * for privacy protection; and * for hostile purposes such as
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
attacks or malware distribution.


Purposes

There are several reasons to use URL redirection:


Forcing HTTPS

A website may potentially be accessible over both a secure
HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...
URI scheme and plain HTTP (an insecure URI beginning with "http://"). If a user types in a URI or clicks on a link that refers to the insecure variant, the browser will automatically redirect to the secure version in case the website is contained in the HSTS preload list shipped with the application or if the user had already visited the origin in the past. Otherwise the website will be contacted over HTTP. A website operator may decide to serve such requests by redirecting the browser to the HTTPS variant instead and hopefully also priming HSTS for future accesses.


Similar domain names

A user might mistype a URL. Organizations often register these "misspelled" domains and redirect them to the "correct" location. This technique is often used to "reserve" other
top-level domain A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in ...
s (TLD) with the same name, or make it easier for a ".edu" or ".net" site to accommodate users who type ".com".


Moving pages to a new domain

Web pages may be redirected to a new domain for three reasons: * a site might desire, or need, to change its domain name; * an author might move their individual pages to a new domain; * two web sites might merge. With URL redirects, incoming links to an outdated URL can be sent to the correct location. These links might be from other sites that have not realized that there is a change or from bookmarks/favorites that users have saved in their browsers. The same applies to
search engine A search engine is a software system designed to carry out web searches. They search the World Wide Web in a systematic way for particular information specified in a textual web search query. The search results are generally presented in a ...
s. They often have the older/outdated domain names and links in their database and will send search users to these old URLs. By using a "moved permanently" redirect to the new URL, visitors will still end up at the correct page. Also, in the next search engine pass, the search engine should detect and use the newer URL.


Logging outgoing links

The access logs of most web servers keep detailed information about where visitors came from and how they browsed the hosted site. They do not, however, log which links visitors left by. This is because the visitor's browser has no need to communicate with the original server when the visitor clicks on an outgoing link. This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can direct to a URL on the original website's domain that automatically redirects to the real target. This technique bears the downside of the delay caused by the additional request to the original website's server. As this added request will leave a trace in the server log, revealing exactly which link was followed, it can also be a privacy issue. The same technique is also used by some corporate websites to implement a statement that the subsequent content is at another site, and therefore not necessarily affiliated with the corporation. In such scenarios, displaying the warning causes an additional delay.


Short aliases for long URLs

Web applications often include lengthy descriptive attributes in their URLs which represent data hierarchies, command structures, transaction paths and session information. This practice results in a URL that is aesthetically unpleasant and difficult to remember, and which may not fit within the size limitations of
microblogging Microblogging is a form of social network that permits only short posts. They "allow users to exchange small elements of content such as short sentences, individual images, or video links",. Retrieved June 5, 2014 which may be the major reason for ...
sites.
URL shortening URL shortening is a technique on the World Wide Web in which a Uniform Resource Locator (URL) may be made substantially shorter and still direct to the required page. This is achieved by using a redirect which links to the web page that has ...
services provide a solution to this problem by redirecting a user to a longer URL from a shorter one.


Meaningful, persistent aliases for long or changing URLs

Sometimes the URL of a page changes even though the content stays the same. Therefore, URL redirection can help users who have bookmarks. This is routinely done on Wikipedia whenever a page is renamed.


Post/Redirect/Get

Post/Redirect/Get (PRG) is a
web development Web development is the work involved in developing a website for the Internet (World Wide Web) or an intranet (a private network). Web development can range from developing a simple single static page of plain text to complex web applications ...
design pattern A design pattern is the re-usable form of a solution to a design problem. The idea was introduced by the architect Christopher Alexander and has been adapted for various other disciplines, particularly software engineering. The " Gang of Four" b ...
that prevents some duplicate
form Form is the shape, visual appearance, or configuration of an object. In a wider sense, the form is the way something happens. Form also refers to: *Form (document), a document (printed or electronic) with spaces in which to write or enter data ...
submissions if the user clicks the refresh button after submitting the form, creating a more intuitive interface for user agents (users).


Device targeting and geotargeting

Redirects can be effectively used for targeting purposes like
geotargeting In geomarketing and internet marketing, geotargeting is the method of delivering different content to visitors based on their geolocation. This includes country, region/state, city, metro code/ zip code, organization, IP address, ISP, or other cri ...
. Device targeting has become increasingly important with the rise of mobile clients. There are two approaches to serve mobile users: Make the website responsive or redirect to a mobile website version. If a mobile website version is offered, users with mobile clients will be automatically forwarded to the corresponding mobile content. For device targeting, client-side redirects or non-cacheable server-side redirects are used. Geotargeting is the approach to offer localized content and automatically forward the user to a localized version of the requested URL. This is helpful for websites that target audience in more than one location and/or language. Usually server-side redirects are used for Geotargeting but client-side redirects might be an option as well, depending on requirements.


Manipulating search engines

Redirects have been used to manipulate search engines with unethical intentions, e.g., URL hijacking. The goal of misleading redirects is to drive search traffic to landing pages, which do not have enough ranking power on their own or which are only remotely or not at all related to the search target. The approach requires a rank for a range of search terms with a number of URLs that would utilize sneaky redirects to forward the searcher to the target page. This method had a revival with the uprise of mobile devices and device targeting. URL hijacking is an off-domain redirect technique that exploited the nature of the search engine's handling for temporary redirects. If a temporary redirect is encountered, search engines have to decide whether they assign the ranking value to the URL that initializes the redirect or to the redirect target URL. The URL that initiates the redirect may be kept to show up in search results, as the redirect indicates a temporary nature. Under certain circumstances it was possible to exploit this behavior by applying temporary redirects to well-ranking URLs, leading to a replacement of the original URL in search results by the URL that initialized the redirect, therefore "stealing" the ranking. This method was usually combined with sneaky redirects to re-target the user stream from the search results to a target page. Search engines have developed efficient technologies to detect these kinds of manipulative approaches. Major search engines usually apply harsh ranking penalties on sites that get caught applying techniques like these.


Manipulating visitors

URL redirection is sometimes used as a part of
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
attacks that confuse visitors about which web site they are visiting. Because modern browsers always show the real URL in the address bar, the threat is lessened. However, redirects can also take you to sites that will otherwise attempt to attack in other ways. For example, a redirect might take a user to a site that would attempt to trick them into downloading antivirus software and installing a
Trojan Trojan or Trojans may refer to: * Of or from the ancient city of Troy * Trojan language, the language of the historical Trojans Arts and entertainment Music * ''Les Troyens'' ('The Trojans'), an opera by Berlioz, premiered part 1863, part 189 ...
of some sort instead.


Removing referrer information

When a link is clicked, the browser sends along in the
HTTP request The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, w ...
a field called
referer In HTTP, "" (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from which the resource has been requested. By checking the referrer, the server providing the new web ...
which indicates the source of the link. This field is populated with the URL of the current web page, and will end up in the logs of the server serving the external link. Since sensitive pages may have sensitive URLs (for example, https://company.com/plans-for-the-next-release-of-our-product), it is not desirable for the referrer URL to leave the organization. A redirection page that performs referrer hiding could be embedded in all external URLs, transforming for example https://externalsite.com/page into https://redirect.company.com/https://externalsite.com/page. This technique also eliminates other potentially sensitive information from the referrer URL, such as the
session ID In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary ...
, and can reduce the chance of
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
by indicating to the end user that they passed a clear gateway to another site.


Implementation

Several different kinds of response to the browser will result in a redirection. These vary in whether they affect
HTTP headers The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, w ...
or HTML content. The techniques used typically depend on the role of the person implementing it and their access to different parts of the system. For example, a web author with no control over the headers might use a Refresh meta tag whereas a web server administrator redirecting all pages on a site is more likely to use server configuration.


Manual redirect

The simplest technique is to ask the visitor to follow a link to the new page, usually using an HTML anchor like: Please follow this link. This method is often used as a fall-back — if the browser does not support the automatic redirect, the visitor can still reach the target document by following the link.


HTTP status codes 3xx

In the
HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
protocol Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technolog ...
used by the
World Wide Web The World Wide Web (WWW), commonly known as the Web, is an information system enabling documents and other web resources to be accessed over the Internet. Documents and downloadable media are made available to the network through web se ...
, a redirect is a response with a status code beginning with ''3'' that causes a browser to display a different page. If a client encounters a redirect, it needs to make a number of decisions how to handle the redirect. Different status codes are used by clients to understand the purpose of the redirect, how to handle caching and which request method to use for the subsequent request. HTTP/1.1 defines several status codes for redirection (RFC 7231): * 300 multiple choices (e.g. offer different languages) * 301 moved permanently (redirects permanently from one URL to another passing link equity to the redirected page) * 302 found (originally "temporary redirect" in HTTP/1.0 and popularly used for CGI scripts; superseded by 303 and 307 in HTTP/1.1 but preserved for backward compatibility) * 303 see other (forces a GET request to the new URL even if original request was POST) * 305 use proxy (indicates that the client's requested resource is only available through a proxy) * 307 temporary redirect (provides a new URL for the browser to resubmit a GET or POST request) * 308 permanent redirect (provides a new URL for the browser to resubmit a GET or POST request) Status codes 304 not modified and 305 use proxy are not redirects. All of these status codes require the URL of the redirect target to be given in the Location: header of the HTTP response. The 300 multiple choices will usually list all choices in the body of the message and show the default choice in the Location: header.


Example HTTP response for a 301 redirect

A
HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
response with the 301 "moved permanently" redirect looks like this: HTTP/1.1 301 Moved Permanently Location: https://www.example.org/ Content-Type: text/html Content-Length: 174 Moved =Moved=

This page has moved to https://www.example.org/.


Using server-side scripting for redirection

Web authors producing HTML content can't usually create redirects using HTTP headers as these are generated automatically by the web server program when serving an HTML file. The same is usually true even for programmers writing CGI scripts, though some servers allow scripts to add custom headers (e.g. by enabling "non-parsed-headers"). Many web servers will generate a 3xx status code if a script outputs a "Location:" header line. For example, in
PHP PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by The PHP Group. ...
, one can use the "header" function: header('HTTP/1.1 301 Moved Permanently'); header('Location: https://www.example.com/'); exit(); More headers may be required to prevent caching. The programmer must ensure that the headers are output before the body. This may not fit easily with the natural flow of control through the code. To help with this, some frameworks for server-side content generation can buffer the body data. In the ASP scripting language, this can also be accomplished using response.buffer=true and response.redirect "https://www.example.com/" HTTP/1.1 allows for either a relative URI reference or an absolute URI reference. If the URI reference is relative the client computes the required absolute URI reference according to the rules defined in RFC 3986.


Apache HTTP Server mod_rewrite

The
Apache HTTP Server The Apache HTTP Server ( ) is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache So ...
mod_alias extension can be used to redirect certain requests. Typical configuration directives look like: Redirect permanent /oldpage.html https://www.example.com/newpage.html Redirect 301 /oldpage.html https://www.example.com/newpage.html For more flexible
URL rewriting In web applications, a rewrite engine is a software component that performs rewriting on URLs (Uniform Resource Locators), modifying their appearance. This modification is called URL rewriting. It is a way of implementing URL mapping or routing ...
and redirection, Apache mod_rewrite can be used. E.g., to redirect a requests to a canonical domain name: RewriteEngine on RewriteCond % ^( .:\.)*oldsite\.example\.com\.?(: -9)?$ CRewriteRule ^(.*)$ https://newsite.example.net/$1 =301,L Such configuration can be applied to one or all sites on the server through the server configuration files or to a single content directory through a .htaccess file.


nginx rewrite

Nginx Nginx (pronounced "engine x" ) is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software ...
has an integrated http rewrite module, which can be used to perform advanced URL processing and even web-page generation (with the return directive). A showing example of such advanced use of the rewrite module i
mdoc.su
, which implements a deterministic
URL shortening URL shortening is a technique on the World Wide Web in which a Uniform Resource Locator (URL) may be made substantially shorter and still direct to the required page. This is achieved by using a redirect which links to the web page that has ...
service entirely with the help of nginx configuration language alone. For example, if a request for /DragonFlyBSD/HAMMER.5
/code> were to come along, it would first be redirected internally to /d/HAMMER.5 with the first rewrite directive below (only affecting the internal state, without any HTTP replies issued to the client just yet), and then with the second rewrite directive, an HTTP response with a 302 Found status code would be issued to the client to actually redirect to the external cgi script of web-
man A man is an adult male human. Prior to adulthood, a male human is referred to as a boy (a male child or adolescent). Like most other male mammals, a man's genome usually inherits an X chromosome from the mother and a Y chromo ...
: location /DragonFly location /d


Refresh Meta tag and HTTP refresh header

Netscape Netscape Communications Corporation (originally Mosaic Communications Corporation) was an American independent computer services company with headquarters in Mountain View, California and then Dulles, Virginia. Its Netscape web browser was onc ...
introduced the
meta refresh Meta refresh is a method of instructing a web browser to automatically refresh the current web page or frame after a given time interval, using an HTML meta element with the http-equiv parameter set to "refresh" and a content parameter giving the ...
feature which refreshes a page after a certain amount of time. This can specify a new URL to replace one page with another. This is supported by most web browsers. A timeout of zero seconds effects an immediate redirect. This is treated like a 301 permanent redirect by Google, allowing transfer of PageRank to the target page. This is an example of a simple HTML document that uses this technique:

Please follow this link.

This technique can be used by web authors because the meta tag is contained inside the document itself. The meta tag must be placed in the "head" section of the HTML file. The number "0" in this example may be replaced by another number to achieve a delay of that many seconds. The anchor in the "body" section is for users whose browsers do not support this feature. The same effect can be achieved with an HTTP refresh header: HTTP/1.1 200 OK Refresh: 0; url=https://www.example.com/ Content-Type: text/html Content-Length: 78 Please follow this link. This response is easier to generate by CGI programs because one does not need to change the default status code. Here is a simple CGI program that effects this redirect: # !/usr/bin/perl print "Refresh: 0; url=https://www.example.com/\r\n"; print "Content-Type: text/html\r\n"; print "\r\n"; print "Please follow this link!" Note: Usually, the HTTP server adds the status line and the Content-Length header automatically. The
W3C The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working to ...
discourage the use of meta refresh, since it does not communicate any information about either the original or new resource, to the browser (or
search engine A search engine is a software system designed to carry out web searches. They search the World Wide Web in a systematic way for particular information specified in a textual web search query. The search results are generally presented in a ...
). The W3C's Web Content Accessibility Guidelines (7.4) discourage the creation of auto-refreshing pages, since most web browsers do not allow the user to disable or control the refresh rate. Some articles that they have written on the issue includ
W3C Web Content Accessibility Guidelines (1.0): Ensure user control of time-sensitive content changes
Use standard redirects: don't break the back button! and Core Techniques for Web Content Accessibility Guidelines 1.0 section 7.


JavaScript redirects

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...
can cause a redirect by setting the window.location attribute, e.g.: window.location='https://www.example.com/' Normally JavaScript pushes the redirector site's URL to the browser's history. It can cause redirect loops when users hit the back button. With the following command you can prevent this type of behaviour. window.location.replace('https://www.example.com/') However, HTTP headers or the refresh meta tag may be preferred for security reasons and because JavaScript will not be executed by some browsers and many
web crawler A Web crawler, sometimes called a spider or spiderbot and often shortened to crawler, is an Internet bot that systematically browses the World Wide Web and that is typically operated by search engines for the purpose of Web indexing (''web spid ...
s.


Frame redirects

A slightly different effect can be achieved by creating an inline
frame A frame is often a structural system that supports other components of a physical construction and/or steel frame that limits the construction's extent. Frame and FRAME may also refer to: Physical objects In building construction *Framing (con ...
: One main difference to the above redirect methods is that for a frame redirect, the browser displays the URL of the frame document and not the URL of the target page in the URL bar. This ''cloaking'' technique may be used so that the reader sees a more memorable URL or to fraudulently conceal a
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
site as part of
website spoofing Website spoofing is the act of creating a website with the intention of misleading readers that the website has been created by a different person or organization. Normally, the spoof website will adopt the design of the target website, and it som ...
. Before HTML5, the same effect could be done with an
HTML frame In the context of a web browser, a frame is a part of a web page or browser window which displays content independent of its container, with the ability to load content independently. The HTML or media elements shown in a frame may come from a ...
that contains the target page: <body>Please follow <a href="https://www.example.com/">link</a>.</body>


Redirect chains

One redirect may lead to another. For example, the URL "https://wikipedia.com" (with "*.com" as domain) is first redirected to https://www.wikipedia.org/ (with domain name in
.org The domain name .org is a generic top-level domain (gTLD) of the Domain Name System (DNS) used on the Internet. The name is truncated from ''organization''. It was one of the original domains established in 1985, and has been operated by th ...
), where you can navigate to th
language-specific site
This is unavoidable if the different links in the chain are served by different servers though it should be minimised by ''
rewriting In mathematics, computer science, and logic, rewriting covers a wide range of methods of replacing subterms of a well-formed formula, formula with other terms. Such methods may be achieved by rewriting systems (also known as rewrite systems, rewr ...
'' the URL as much as possible on the server before returning it to the browser as a redirect.


Redirect loops

Sometimes a mistake can cause a page to end up redirecting back to itself, possibly via other pages, leading to an infinite sequence of redirects. Browsers should stop redirecting after a certain number of hops and display an error message. The HTTP/1.1 Standard states:
A client ''SHOULD'' detect and intervene in cyclical redirections (i.e., "infinite" redirection loops). Note: An earlier version of this specification recommended a maximum of five redirections ( FC 2068 Section 10.3). Content developers need to be aware that some clients might implement such a fixed limitation.
Note that the URLs in the sequence might not repeat, e.g.: → → ...


Services

There exist services that can perform URL redirection on demand, with no need for technical work or access to the web server your site is hosted on.


URL redirection services

A redirect service is an information management system, which provides an internet link that redirects users to the desired content. The typical benefit to the user is the use of a memorable domain name, and a reduction in the length of the URL or web address. A redirecting link can also be used as a permanent address for content that frequently changes hosts, similarly to the
Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned t ...
. Hyperlinks involving URL redirection services are frequently used in spam messages directed at blogs and wikis. Thus, one way to reduce spam is to reject all edits and comments containing hyperlinks to known URL redirection services; however, this will also remove legitimate edits and comments and may not be an effective method to reduce spam. Recently, URL redirection services have taken to using
AJAX Ajax may refer to: Greek mythology and tragedy * Ajax the Great, a Greek mythological hero, son of King Telamon and Periboea * Ajax the Lesser, a Greek mythological hero, son of Oileus, the king of Locris * ''Ajax'' (play), by the ancient Gree ...
as an efficient, user friendly method for creating shortened URLs. A major drawback of some URL redirection services is the use of delay pages, or frame based advertising, to generate revenue.


History

The first redirect services took advantage of
top-level domains A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in ...
(TLD) such as "
.to .to is the Internet country code top-level domain ( ccTLD) of the island kingdom of Tonga. The government of Tonga sells domains in its ccTLD to any interested party. The .to ccTLD is administered by the Tonga Network Information Center (Tonic). ...
" (Tonga), "
.at .at is the Internet country code top-level domain (ccTLD) for Austria. It is administered by nic.at. Second-level domains The .at top-level domain has a number of second-level domains: * .ac.at (reserved for academic institutions, especially u ...
" (Austria) and "
.is .is (dot is) is the top-level domain for Iceland. The country code is derived from the first two letters of '' Ísland'', which is the Icelandic word for Iceland. Registration of .is domains is open to all people and companies without any specia ...
" (Iceland). Their goal was to make memorable URLs. The first mainstream redirect service was V3.com that boasted 4 million users at its peak in 2000. V3.com success was attributed to having a wide variety of short memorable domains including "r.im", "go.to", "i.am", "come.to" and "start.at". V3.com was acquired by FortuneCity.com, a large free web hosting company, in early 1999. As the sales price of top level domains started falling from per year to less than , use of redirection services declined. With the launch of
TinyURL TinyURL is a URL shortening web service, which provides short aliases for redirection of long URLs. Kevin Gilbertson, a web developer, launched the service in January 2002 as a way to post links in newsgroup postings which frequently had long, ...
in 2002 a new kind of redirecting service was born, namely
URL shortening URL shortening is a technique on the World Wide Web in which a Uniform Resource Locator (URL) may be made substantially shorter and still direct to the required page. This is achieved by using a redirect which links to the web page that has ...
. Their goal was to make long URLs short, to be able to post them on internet forums. Since 2006, with the 140 character limit on the extremely popular
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
service, these short URL services have been heavily used.


Referrer masking

Redirection services can hide the
referrer In HTTP, "" (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from which the resource has been requested. By checking the referrer, the server providing the new web ...
by placing an intermediate page between the page the link is on and its destination. Although these are conceptually similar to other URL redirection services, they serve a different purpose, and they rarely attempt to shorten or obfuscate the destination URL (as their only intended side-effect is to hide referrer information and provide a clear gateway between other websites.) This type of redirection is often used to prevent potentially-malicious links from gaining information using the referrer, for example a
session ID In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary ...
in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
. Here is a simplistic example of such a service, written in
PHP PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by The PHP Group. ...
. url'; header('Refresh: 0; url=https://' . $url); ?> Redirecting... Attempting to redirect to https://. The above example does not check who called it (e.g. by referrer, although that could be spoofed). Also, it does not check the URL provided. This means that a malicious person could link to the redirection page using a URL parameter of his/her own selection, from any page, which uses the web server's resources.


Security issues

URL redirection can be abused by attackers for
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
attacks, such as open redirect and
covert redirect Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
. "An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation." "Covert redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation." It was disclosed in May 2014 by a mathematical doctoral student Wang Jing from Nanyang Technological University, Singapore.


See also

*
HTTP location The HTTP Location header field is returned in responses from an HTTP server under two circumstances: #To ask a web browser to load a different web page (URL redirection). In this circumstance, the Location header should be sent with an HTTP statu ...
*
Canonical link element A canonical link element is an HTML element that helps webmasters prevent duplicate content issues in search engine optimization by specifying the "canonical" or "preferred" version of a web page. It is described in RFC 6596, which went live in Apr ...
* Canonical meta tag * Domain masking *
Link rot Link rot (also called link death, link breaking, or reference rot) is the phenomenon of hyperlinks tending over time to cease to point to their originally targeted file, web page, or server due to that resource being relocated to a new address ...
*
Semantic URL Clean URLs, also sometimes referred to as RESTful URLs, user-friendly URLs, pretty URLs or search engine-friendly URLs, are URLs intended to improve the usability and accessibility of a website or web service by being immediately and intuitively ...
*
URL normalization URI normalization is the process by which URIs are modified and standardized in a consistent manner. The goal of the normalization process is to transform a URI into a normalized URI so it is possible to determine if two syntactically differen ...


References


External links


Mapping URLs to Filesystem Locations - Apache HTTP Server Version 2.4

Taxonomy of JavaScript Redirection Spam
(Microsoft Live Labs)
Security vulnerabilities in URL Redirectors
The Web Application Security Consortium Threat Classification {{DEFAULTSORT:Url Redirection URL Black hat search engine optimization Internet search Internet terminology