URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org. URL redirection is done for different reasons: for URL shortening; to prevent broken links when web pages are moved; to allow multiple domain names belonging to the same owner to refer to a single web site; to guide navigation into and out of a website; for privacy protection; and for hostile purposes such as phishing attacks or malware distribution.

Purposes

There are several reasons to use URL redirection:

Similar domain names

A user might mistype a URL, for example, “example.com” and “exmaple.com”. Organizations often register these “misspelled” domains and redirect them to the “correct” location: example.com. The addresses example.com and example.net could both redirect to a single domain, or web page, such as example.org. This technique is often used to “reserve” other top-level domains (TLD) with the same name, or to make it easier for a “.edu” or “.net” site to redirect to a more recognizable “.com” domain.

Moving pages to a new domain

Web pages can be redirected to a new domain for three reasons:

  • a site might desire, or need, to change its domain name;
  • an author might move his or her individual pages to a new domain;
  • two web sites might merge.

With URL redirects, incoming links to an outdated URL can be sent to the correct location. These links may come from other sites or from bookmarks that users have saved in their browsers. The same applies to search engines. They often hold older, outdated URLs and send searchers to those old URLs. By using a “moved permanently” redirect to the new URL, visitors will still end up at the correct page. Also, on its next pass, the search engine should detect the newer URL.

Logging outgoing links

The access logs of web servers keep detailed information about where visitors came from. They do not, however, log which links visitors left by. This is because the visitor’s browser has no need to communicate with the original server when the visitor clicks on an outgoing link. This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can point to a URL on the original website’s domain that automatically redirects to the real target. This technique bears the downside of the delay caused by the additional request to the original website’s server. As this added request will leave a trace in the server log, revealing exactly which link was followed, it can also be a privacy issue.[1] The same technique is also used by some corporate websites to implement a statement that the subsequent content is at another site, and therefore not necessarily affiliated with the corporation. In such scenarios, displaying the warning causes an additional delay.

Short aliases for long URLs

Main article: URL shortening

Web applications often include lengthy descriptive attributes in their URLs which represent data hierarchies, command structures, transaction paths, and session information. This practice results in a URL that is aesthetically unpleasant and difficult to remember, and which may not fit within the limitations of microblogging sites. URL shortening services provide a solution to this problem by redirecting a user to a longer URL from a shorter one.

Meaningful, persistent aliases for long or changing URLs

See also: Permalink, PURL, and Link rot

Sometimes the URL of a page changes even though the content stays the same. Therefore, URL redirection can help users who have bookmarks. This is routinely done on Wikipedia whenever a page is renamed.

Post/Redirect/Get

Main article: Post/Redirect/Get

Post/Redirect/Get (PRG) is a web development design pattern that prevents some duplicate form submissions, creating a more intuitive interface for user agents (users).

Device targeting and geotargeting

Redirects can be effectively used for targeting purposes like device targeting or geotargeting. Device targeting has become increasingly important with the rise of mobile clients. There are two approaches to serve mobile users: make the website responsive or redirect to a mobile website version. If a mobile website version is offered, users with mobile clients will be automatically forwarded to the corresponding mobile content. For device targeting, client-side redirects or non-cacheable server-side redirects are used. Geotargeting is the approach of offering a localized version of the requested URL. This is useful for websites that target audiences in more than one location and/or language. For geotargeting, client-side redirects may be an option as well, depending on requirements. [2]

Manipulating search engines

Redirects have been used to manipulate search engines with unethical intentions, e.g. sneaky redirects or URL hijacking. The goal of misleading redirects is to drive search traffic to landing pages which do not have enough ranking power on their own or which are only remotely or not at all related to the search target. The approach requires a number of URLs that would use sneaky redirects to forward the searcher to the target page. This method had a revival with the rise of mobile devices and device targeting. URL hijacking is an off-domain redirect technique [3] that exploited the nature of the search engines’ handling of temporary redirects. If a temporary redirect is encountered, search engines have to decide whether they will assign the ranking value to the URL that initiates the redirect or to the redirect target URL. The URL that initiates the redirect can be kept to show up in search results, as the redirect indicates a temporary nature. Under the circumstances, it was possible to exploit this behavior by: This method was created with the help of a user. Search engines have developed efficient technologies to detect these types of manipulative approaches. Major search engines usually apply harsh ranking penalties on sites that get caught applying techniques like these. [4]

Manipulating visitors

URL redirection is sometimes used as a part of phishing attacks. [5] Because modern browsers always show the real URL in the address bar, the threat is lessened. However, redirects can also take you to sites that attempt to attack in other ways. For example, a redirect might take a user to a site that would attempt to trick them into downloading antivirus software and, ironically, installing a trojan of some sort instead.

Removing referer information

When a link is clicked, the browser sends along in the HTTP request a field called referer which indicates the source of the link. This field is populated with the URL of the current web page, and will end up in the logs of the server serving the external link. Since sensitive pages may have sensitive URLs (for example, http://company.com/plans-for-the-next-release-of-our-product), it is not desirable for the referer URL to leave the organization. A redirection page that performs referrer hiding could be embedded in all external URLs, transforming for example http://externalsite.com/page into http://redirect.company.com/http://externalsite.com/page. This technique also eliminates other potentially sensitive information from the referer URL, such as the session ID, and can reduce the chance of phishing by indicating to the end user that they passed a clear gateway to another site.

Implementation

Several different types of response to the browser will result in a redirect. These vary in whether they affect HTTP headers or HTML content. The techniques used typically depend on the role of the person implementing it and their access to different parts of the system. For example, a web author with no control over the headers could use a Refresh meta tag, whereas a web server administrator redirecting all pages on a site is more likely to use server configuration.

Manual redirect

The simplest technique is to ask the visitor to follow a link to the new page, usually using an HTML anchor like:

Please follow <a href="http://www.example.com/">this link</a>.

This method is often used as a back-up – if the browser does not support the automatic redirect, the visitor can still reach the target document by following the link.

HTTP status codes 3xx

In the HTTP protocol used by the World Wide Web, a redirect is a response with a status code beginning with 3 that causes a browser to display a different page. If a client encounters a redirect, it needs to make a number of decisions about how to handle the redirect. Different status codes are used by clients to understand the purpose of the redirect,

HTTP/1.1 defines several status codes for redirection (RFC 7231):

  • 300 multiple choices (e.g. offer different languages)
  • 301 moved permanently
  • 302 found (originally “temporary redirect” in HTTP/1.0 and popularly used for CGI scripts; superseded by 303 and 307 in HTTP/1.1 but preserved for backward compatibility)
  • 303 see other (forces a GET request to the new URL even if the original request was POST)
  • 307 temporary redirect (provides a new URL for the browser to resubmit a GET or POST request)
  • 308 permanent redirect (provides a new URL for the browser to resubmit a GET or POST request)

Redirect status codes and characteristics

HTTP Status Code | HTTP Version | Temporary / Permanent | Cacheable | Request Method (Subsequent Request)
--- | --- | --- | --- | ---
301 | HTTP/1.0 | Permanent | yes | GET / POST may change
302 | HTTP/1.0 | Temporary | not by default | GET / POST may change
303 | HTTP/1.1 | Temporary | never | always GET
307 | HTTP/1.1 | Temporary | not by default | may not change
308 | HTTP/1.1 | Permanent | by default | may not change

[6]

All of these status codes require the URL of the redirect target to be given in the Location: header of the HTTP response. The 300 multiple choices response will usually list the choices in the body of the message and give the default choice in the Location: header.

(Status codes 304 not modified and 305 use proxy are not redirects).

HTTP response example for a 301 redirect

An HTTP response with the 301 “Moved Permanently” redirect looks like this:

HTTP/1.1 301 Moved Permanently
Location: http://www.example.org/
Content-Type: text/html
Content-Length: 174

<html>
<head>
<title>Moved</title>
</head>
<body>
<h1>Moved</h1>
<p>This page has moved to <a href="http://www.example.org/">http://www.example.org/</a>.</p>
</body>
</html>

Using server-side scripting for redirection

Web authors producing HTML content usually cannot create redirects using HTTP headers, as these are generated automatically by the web server program when serving an HTML file. The same is usually true for CGI scripts, though some servers allow scripts to add custom headers (e.g. by enabling “non-parsed-headers”). Many web servers will generate a 3xx status code if a script outputs a “Location:” header line. For example, in PHP, one can use the “header” function:

header('HTTP/1.1 301 Moved Permanently');
header('Location: http://www.example.com/');
exit();

More headers may be required to prevent caching. [7] The programmer must ensure that the headers are output before the body. This may not fit easily with the natural flow of control through the code. To help with this, some frameworks for server-side content generation can buffer the body data. In the ASP scripting language, this can also be accomplished using response.buffer=true and response.redirect "http://www.example.com/". HTTP/1.1 allows for either a relative URI reference or an absolute URI reference. [8] If the URI reference is relative, the client computes the required absolute URI reference according to the rules defined in RFC 3986. [9]

Apache mod_rewrite

The Apache HTTP Server mod_alias extension can be used to redirect certain requests. Typical configuration directives look like:

Redirect permanent /oldpage.html http://www.example.com/newpage.html
Redirect 301 /oldpage.html http://www.example.com/newpage.html

For more flexible URL rewriting and redirection, Apache mod_rewrite can be used. For example, to redirect requests to a canonical domain name:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^([^.:]+\.)*oldsite\.example\.com\.?(:[0-9]*)?$ [NC]
RewriteRule ^(.*)$ http://newsite.example.net/$1 [R=301,L]

Such configuration can be applied through the server configuration files or, for a single content directory, through a .htaccess file.

nginx rewrite

Nginx has an integrated http rewrite module, [10] which can be used to perform advanced URL processing and even web-page generation (with the return directive). An illustrative example of such advanced use of the rewrite module is mdoc.su, which implements a deterministic URL shortening service entirely with the help of the nginx configuration language alone. [11] [12]

For example, if a request for /DragonFlyBSD/HAMMER.5 were to come along, it would first be redirected internally to /d/HAMMER.5 with the first rewrite directive (nothing is sent to the client just yet), and then with the second rewrite directive, an HTTP response with a 302 Found status code would be issued to the client to actually redirect to the external cgi script of web-man: [13]

location /DragonFly {
    rewrite ^/DragonFly(BSD)?([,/].*)?$ /d$2 last;
}
location /d {
    set $db "http://leaf.dragonflybsd.org/cgi/web-man?command=";
    set $ds "&section=";
    rewrite ^/./([^/]+)\.([1-9])$ $db$1$ds$2 redirect;
}

Refresh Meta tag and HTTP refresh header

Netscape introduced the meta refresh feature, which refreshes a page after a certain amount of time. This can specify a new URL to replace one page with another. This is supported by most web browsers. [14] [15] A timeout of zero seconds effects an immediate redirect. This is treated like a permanent redirect, allowing transfer of PageRank to the target page. [16]

This is an example of a simple HTML document that uses this technique:

<html>
<head>
 <meta http-equiv="Refresh" content="0; url=http://www.example.com/" />
</head>
<body>
 <p>Please follow <a href="http://www.example.com/">this link</a>.</p>
</body>
</html>

This technique can be used by web authors because the meta tag is contained inside the document itself. The meta tag must be placed in the “head” section of the HTML file. The number “0” in this example may be replaced by a delay of that many seconds. The anchor in the “body” section is for users whose browsers do not support this feature.

The same effect can be achieved with an HTTP Refresh header:

HTTP/1.1 200 OK
Refresh: 0; url=http://www.example.com/
Content-Type: text/html
Content-Length: 78

Please follow <a href="http://www.example.com/">this link</a>.

This response is easier for CGI programs to generate because it is not necessary to change the default status code.

Here is a simple CGI program that effects this redirect:

#!/usr/bin/perl
print "Refresh: 0; url=http://www.example.com/\r\n";
print "Content-Type: text/html\r\n";
print "\r\n";
print "Please follow <a href=\"http://www.example.com/\">this link</a>!";

Note: Usually, the HTTP server adds the status line and the Content-Length header automatically.

The W3C discourages the use of meta refresh, since it does not communicate any information about the original or new resource to the browser (or search engine). The W3C’s Web Content Accessibility Guidelines (7.4) discourage the creation of auto-refreshing pages, since most web browsers do not allow the user to disable or control the refresh rate. Some articles that they have written on the issue include W3C Web Content Accessibility Guidelines (1.0): Ensure user control of time-sensitive content changes, Use standard redirects: do not break the back button! and Core Techniques for Web Content Accessibility Guidelines 1.0 section 7.

JavaScript redirects

JavaScript can cause a redirect by setting the window.location attribute, e.g.:

window.location = 'http://www.example.com/'

Normally JavaScript pushes the redirector site’s URL to the browser’s history. It can cause redirect loops when users hit the back button. With the following command you can prevent this type of behavior. [17]

window.location.replace('http://www.example.com/')

However, HTTP headers or the refresh meta tag may be preferred for security reasons and because JavaScript will not be executed by some browsers and many web crawlers.

Frame redirects

A slightly different effect can be achieved by creating an inline frame:

<iframe height="100%" width="100%" src="http://www.example.com/">
Please follow <a href="http://www.example.com/">link</a>.
</iframe>

One main difference from the redirect methods above is that for a frame redirect, the browser displays the URL of the frame document, not the URL of the target page, in the URL bar. This cloaking technique may be used to fraudulently conceal a phishing site as part of website spoofing. [18]

Before HTML5, [19] the same effect could be achieved with an HTML frame that contains the target page:

<frameset rows="100%">
 <frame src="http://www.example.com/">
 <noframes>
 <body>Please follow <a href="http://www.example.com/">link</a>.</body>
 </noframes>
</frameset>

Redirect chains

One redirect may lead to another. For example, the URL “http://wikipedia.com” (with “*.com” as domain) is first redirected to https://www.wikipedia.org/ (with domain name in .org), where you can navigate to the language-specific site. This is unavoidable if the different links in the chain are served by different servers, but it should be minimized by rewriting the URL as much as possible on the server.

Wikipedia has been redirecting its pages to HTTPS by default since 2015, according to this VentureBeat article dated June 12th.

Redirect loops

Sometimes a mistake can cause a page to end up redirecting back to itself, possibly via other pages, leading to an infinite sequence of redirects. Browsers should stop redirecting after a certain number of hops and display an error message.

The HTTP/1.1 Standard states: [20]

A client SHOULD detect and intervene in cyclical redirects (i.e., “infinite” redirection loops).

An earlier version of this specification recommends a maximum of five redirects ([RFC 2068], Section 10.3). Content developers need to be aware that some clients might have such a fixed limitation.

Note that the URLs in the sequence might not repeat, e.g.: http://www.example.com/1 -> http://www.example.com/2 -> http://www.example.com/3 …
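The following added example (not part of the original article) shows how a client can follow a redirect chain while applying the request-method rules from the status code table, resolving relative Location values, detecting cycles, and enforcing a hop limit for sequences whose URLs never repeat. The response table and the two fetch functions are constructed stand-ins for a network, and the POST-to-GET rewrite on 301/302 is an assumption modelled on common browser behaviour.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class RedirectLoop(Exception):
    """The same (method, URL) pair was requested twice."""


class TooManyRedirects(Exception):
    """The hop limit was reached before a final response arrived."""


def next_method(status, method):
    """Request method for the follow-up request."""
    if status == 303 and method != "HEAD":
        return "GET"          # 303: always GET
    if status in (301, 302) and method == "POST":
        return "GET"          # 301/302: method may change (assumed: it does)
    return method             # 307/308: method may not change


def follow(url, method, fetch, max_hops=5):
    """Follow redirects; return the list of (method, url) requests made.

    fetch(method, url) -> (status, location) stands in for the network.
    """
    chain = [(method, url)]
    seen = {(method, url)}
    while True:
        status, location = fetch(method, url)
        if status not in REDIRECT_CODES:
            return chain
        if not location:
            raise ValueError("%d response without a Location header" % status)
        if len(chain) > max_hops:
            raise TooManyRedirects("gave up after %d redirects" % max_hops)
        # Location may be a relative reference; resolve it per RFC 3986.
        url = urljoin(url, location)
        method = next_method(status, method)
        if (method, url) in seen:
            raise RedirectLoop("loop detected at %s" % url)
        seen.add((method, url))
        chain.append((method, url))


# Constructed responses for illustration; they describe no real site.
SAMPLE = {
    "http://www.example.com/form": (303, "/done"),
    "http://old.example.com/api": (308, "http://www.example.com/api"),
    "http://www.example.com/a": (302, "/b"),
    "http://www.example.com/b": (302, "http://www.example.com/a"),
}


def sample_fetch(method, url):
    return SAMPLE.get(url, (200, None))


def counting_fetch(method, url):
    """Every /N redirects to /N+1, so the URLs never repeat."""
    n = int(url.rsplit("/", 1)[1])
    return 302, "/%d" % (n + 1)


if __name__ == "__main__":
    print(follow("http://www.example.com/form", "POST", sample_fetch))
```

Cycle detection alone does not stop the /1 -> /2 -> /3 sequence, which is why the hop limit is checked independently.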

Services

There are services that can perform URL redirection on demand, with no need for technical work or access to the web server.

URL redirection services

A redirect service is an information management system that provides an internet link that redirects users to the desired content. The typical benefit to the user is the use of a memorable domain name, and a reduction in the length of the URL or web address. A redirecting link can also be used as a permanent address for content that frequently changes hosts, similarly to the Domain Name System. Hyperlinks involving URL redirection services are frequently used in spam messages directed at blogs and wikis. Thus, one way to reduce spam is to reject all edits and comments containing hyperlinks to known URL redirection services; however, this will also be effective in reducing spam. Recently, URL redirection services have taken to using AJAX as an efficient, user-friendly method for creating shortened URLs. A major drawback of some URL redirection services is the use of delay pages, or frame-based advertising, to generate revenue.

History

The first redirect services took advantage of top-level domains (TLD) such as “.to” (Tonga), “.at” (Austria) and “.is” (Iceland). Their goal was to make memorable URLs. The first mainstream redirect service was V3.com, which boasted 4 million users at its peak in 2000. V3.com had a number of memorable domains including “r.im”, “go.to”, “i.am”, “come.to” and “start.at”. V3.com was acquired by FortuneCity.com, a large free web hosting company, in early 1999. [21] $10.00 per year to less than $10.00, use of redirection services declined. In 2002 a new kind of redirecting service was born, namely URL shortening. Their goal was to make long URLs short, to be able to post them on internet forums. Since 2006, with the 140 character limit on the extremely popular Twitter service, these short URL services have been heavily used.

Referrer masking

Redirection services can hide the referrer by placing an intermediate page between the page the link is on and its destination. Although these are conceptually similar to other URL redirection services, they serve a different purpose, and they are intended for use in the context of a particular destination. This kind of redirection is often used to prevent potentially malicious links from gaining information using the referrer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, to make it easier to use a service, and to lessen the chance of effective phishing.

Here is a simplistic example of such a service, written in PHP .

<?php
// Deliberately simplistic: the url parameter is HTML-escaped but not validated.
$url = htmlspecialchars($_GET['url']);
header('Refresh: 0; url=http://' . $url);
?>
<!-- Fallback using meta refresh. -->
<html>
 <head>
  <title>Redirecting...</title>
  <meta http-equiv="refresh" content="0;url=http://<?= $url; ?>">
 </head>
 <body>
  Attempting to redirect to <a href="http://<?= $url; ?>">http://<?= $url; ?></a>.
 </body>
</html>

The above example does not check who called it (e.g. by referrer, although that could be spoofed). Also, it does not check the URL provided. This means that a malicious person could link to the redirection page using a URL parameter of his or her own selection, from any page, which uses the web server’s resources.
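As an added illustration (not code from the original article), the sketch below shows the URL check the simplistic service lacks: the destination is parsed, restricted to http/https, matched exactly against an allow-list, and refused if it carries control characters, backslashes, credentials or a non-default port. The allow-list contents, the function names and the use of a Referrer-Policy header are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list of external hosts this gateway may forward to.
ALLOWED_HOSTS = {"externalsite.com", "www.example.com"}


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalized absolute URL that may be placed in a Location
    header, or None if the parameter must be refused."""
    if not isinstance(raw, str) or not raw or len(raw) > 2048:
        return None
    # CR/LF would split the response header; other control characters and
    # spaces are dropped by some URL parsers; browsers read "\" as "/".
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw) or "\\" in raw:
        return None
    try:
        parts = urlsplit(raw)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None                  # refuses javascript:, data:, "//host"
    if parts.username is not None or parts.password is not None:
        return None                  # refuses http://trusted@other.host/
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return None                  # exact match only, no suffix matching
    default_port = {"http": 80, "https": 443}[parts.scheme]
    if port not in (None, default_port):
        return None                  # non-default ports are refused
    # Rebuild from parsed components; the fragment is dropped.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def gateway_response(raw):
    """Build the (status, headers) pair the redirect page would send."""
    target = safe_redirect_target(raw)
    if target is None:
        return "400 Bad Request", [("Content-Type", "text/plain")]
    return "302 Found", [
        ("Location", target),
        # Asks the browser to omit the Referer header on the next request.
        ("Referrer-Policy", "no-referrer"),
    ]


if __name__ == "__main__":
    print(gateway_response("http://externalsite.com/page"))
    print(gateway_response("http://externalsite.com@evil.example/"))
```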

Security issues

URL redirection can be abused by attackers for phishing attacks, such as open redirect and covert redirect. “An open redirect is an application that takes a parameter and adjusts to the parameter value without any validation.” [22] “Covert redirect is an application that takes a parameter and uses the parameter value WITHOUT SUFFICIENT validation.” [23] Wang Jing from Nanyang Technological University, Singapore. [24]

See also

  • Link rot
  • Canonical link element
  • Canonical meta tag
  • Domain masking
  • URL normalization
  • Semantic URL

References

  1. “Google revive redirect snoopery”. blog.anta.net. 2009-01-29. ISSN 1797-1993. Archived from the original on 2011-08-17.
  2. “Redirects & SEO – The Total Guide”. Audisto. Retrieved 2015-11-29.
  3. “SEO advice: discussing 302 redirects”. Matt Cutts, former Head of Google Webspam Team. January 4, 2006.
  4. “Sneaky Redirects”. Google Webmaster Guidelines. December 3, 2015.
  5. “Unvalidated Redirects and Forwards Cheat Sheet”. Open Web Application Security Project (OWASP). August 21, 2014.
  6. “Redirects & SEO – The Complete Guide”. Audisto. Retrieved 2015-11-29.
  7. “PHP Redirects: 302 to 301 Solid Rock Robust Solution”. WebSiteFactors.co.uk. Archived from the original on 2012-10-12.
  8. Roy T. Fielding; Julian F. Reschke, eds. (June 2014). “Location”. Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. p. 68. sec. 7.1.2. RFC 7231.
  9. Berners-Lee, Tim; Fielding, Roy T.; Masinter, Larry (January 2005). “Reference Resolution”. Uniform Resource Identifier (URI): Generic Syntax. IETF. p. 28. sec. RFC 3986.
  10. “Module ngx_http_rewrite_module – rewrite”. nginx.org. Retrieved 24 December 2014.
  11. Murenin, Constantine A. (18 February 2013). “A dynamic web-site written wholly in nginx.conf? Introducing mdoc.su!”. nginx@nginx.org (Mailing list). Retrieved 24 December 2014.
  12. Murenin, Constantine A. (23 February 2013). “mdoc.su – Short manual page URLs for FreeBSD, OpenBSD, NetBSD and DragonFly BSD”. Retrieved 25 December 2014.
  13. Murenin, Constantine A. (23 February 2013). “mdoc.su.nginx.conf”. Retrieved 25 December 2014.
  14. HTML <meta> tag
  15. An exploration of dynamic documents
  16. “Google and Yahoo accept undelayed meta refresh as 301 redirects”. Sebastian’s Pamphlets. September 3, 2007.
  17. “cross-browser client side URL redirect generator”. Insider Zone.
  18. Aaron Emigh (19 January 2005). “Anti-Phishing Technology” (PDF). Radix Labs.
  19. https://www.w3.org/TR/html5/obsolete.html
  20. Roy T. Fielding; Julian F. Reschke, eds. (June 2014). “3xx Redirection”. Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. p. 54. sec. 6.4. RFC 7231.
  21. “Net gains for tiny Pacific nation”. BBC News. 2007-09-14. Retrieved 2010-05-27.
  22. “Open Redirect”. OWASP. March 16, 2014. Retrieved 21 December 2014.
  23. “Covert Redirect”. Tetraph. May 1, 2014. Retrieved 21 December 2014.
  24. “Serious security flaw in OAuth, OpenID discovered”. CNET. May 2, 2014. Retrieved 21 December 2014.