How Link Redirection Works: A Technical Deep Dive into HTTP Redirects
Every time you click a shortened link, something invisible happens in the space between your click and the page loading: an HTTP redirect. It takes milliseconds, but behind that instant is a carefully specified protocol interaction that has been refined over three decades of web standards. This article explains exactly what happens — from the raw bytes on the wire to the browser behavior you never see.
Whether you're a web developer, a marketer who wants to understand what your tools actually do, or just someone who's curious about how the internet works, this guide covers the full technical picture of HTTP redirection.
The Basics: What Is an HTTP Redirect?
An HTTP redirect is a server's way of telling a client, "The thing you asked for isn't here — go look over there instead." It's a two-step process:
- The client (usually a web browser) sends an HTTP request to a URL.
- The server responds not with the requested content, but with a special status code and a
Locationheader pointing to a different URL.
The client then automatically makes a new request to the URL specified in the Location header. To the user, this is invisible — they just see the final page load.
Here's what a redirect looks like at the HTTP protocol level. When you visit iu.pe/xK7mNp, your browser sends a request like this:
GET /xK7mNp HTTP/1.1
Host: iu.pe
Accept: text/htmlThe server responds with:
HTTP/1.1 301 Moved Permanently
Location: https://example.com/my-long-destination-url
Content-Length: 0The browser sees the 301 status code, reads the Location header, and immediately fires off a new request to https://example.com/my-long-destination-url. The user never sees the intermediate response.
The Location Header: Where Redirects Point
The Location header field is the heart of every redirect. Defined in RFC 9110, Section 10.2.2, it contains a URI reference that indicates the target resource the client should follow.
The value of the Location header can be:
- An absolute URI — like
https://example.com/page. This is the most common form and the only form guaranteed to work across all clients. - A relative reference — like
/other-pageor../sibling. The client resolves this against the request URI. While RFC 9110 explicitly allows relative references (overruling older interpretations of RFC 2616), absolute URIs are preferred for maximum compatibility.
A redirect response without a Location header is technically valid but practically useless for redirection — the client has nowhere to go. Most servers always include it when sending a 3xx status code.
HTTP Redirect Status Codes: The Complete Family
HTTP defines several 3xx status codes for redirection, each with distinct semantics. Understanding the differences matters because they affect browser behavior, HTTP method preservation, caching, and SEO. All of these are defined in RFC 9110, Section 15.4.
301 Moved Permanently
The 301 status code means the target resource has been assigned a new permanent URI. The server is saying: "This resource has moved forever. Update your bookmarks."
HTTP/1.1 301 Moved Permanently
Location: https://example.com/new-locationKey behaviors:
- Browsers and search engines should remember this redirect and go directly to the new URL in the future.
- Browsers are permitted to cache 301 responses indefinitely (unless
Cache-Controlheaders say otherwise). - Search engines transfer the link equity ("SEO juice") from the old URL to the new one.
- Historical quirk: The HTTP specification says the request method should not change during a 301 redirect. But in practice, virtually every browser changes POST requests to GET when following a 301. This behavior is technically a violation of the spec, but it's so widespread that it's considered standard. RFC 9110 acknowledges this: "For historical reasons, a user agent MAY change the request method from POST to GET for the subsequent request."
This is the status code most URL shorteners use, including LinkDisguiser. It's ideal because the mapping between a shortcode and its destination is a permanent association — the short link always points to the same place.
302 Found
The 302 status code means the target resource temporarily resides at a different URI. The server is saying: "Go here for now, but keep using the original URL in the future."
HTTP/1.1 302 Found
Location: https://example.com/temporary-locationKey behaviors:
- Browsers should not cache this redirect permanently. Each time the user visits the original URL, the browser should check with the server again.
- Search engines generally do not transfer link equity to the target URL — they keep the original URL in their index.
- Same historical quirk as 301: Browsers typically change POST to GET when following a 302, despite the spec saying the method should be preserved. This was such a persistent issue that it led to the creation of two new status codes (303 and 307) to disambiguate the behavior.
302 is appropriate when a redirect is genuinely temporary — for example, redirecting users to a maintenance page, or A/B testing different landing pages.
303 See Other
The 303 status code was introduced in HTTP/1.1 specifically to address the POST-to-GET ambiguity of 301 and 302. It means: "The response to your request can be found at this other URL, and you should use GET to retrieve it."
HTTP/1.1 303 See Other
Location: https://example.com/confirmation-pageKey behaviors:
- The client must use the GET method for the follow-up request, regardless of what method was used originally.
- This is the correct status code for the Post/Redirect/Get (PRG) pattern — after processing a form submission, the server redirects the user to a confirmation page via 303, ensuring that refreshing the page doesn't resubmit the form.
You'll rarely see 303 in URL shortening because short links are accessed via GET, not POST. But it's an important part of the redirect family.
307 Temporary Redirect
The 307 status code was also introduced to fix the method-changing problem. It means the same thing as 302 (temporary redirect), but with one critical difference: the client must not change the HTTP method.
HTTP/1.1 307 Temporary Redirect
Location: https://example.com/temporary-locationKey behaviors:
- If the original request was a POST with a body, the redirected request must also be a POST with the same body.
- Browsers will usually prompt the user before resending a POST request to the new URL for safety reasons.
- The redirect is temporary — clients should continue to use the original URL for future requests.
307 is commonly used by HTTPS enforcement mechanisms. When a server wants to redirect HTTP traffic to HTTPS without changing the request method (important for API endpoints), 307 is the correct choice.
308 Permanent Redirect
The 308 status code, defined in RFC 9110, Section 15.4.9, is the permanent counterpart to 307. It means the same thing as 301 (permanent redirect), but the client must not change the HTTP method.
HTTP/1.1 308 Permanent Redirect
Location: https://example.com/new-permanent-locationKey behaviors:
- The redirect is permanent — clients should update stored references.
- The request method must be preserved. A POST stays a POST.
- This is the "correct" version of 301 for cases where method preservation matters.
308 is relatively new (originally defined in RFC 7538, later incorporated into RFC 9110) and isn't universally used yet, but it's well-supported by all modern browsers.
The Complete Picture
The redirect status codes form a clean matrix based on two properties — permanence and method preservation:
| May change method to GET | Must preserve method | |
|---|---|---|
| Temporary | 302 Found | 307 Temporary Redirect |
| Permanent | 301 Moved Permanently | 308 Permanent Redirect |
There's also 303 See Other, which sits outside this matrix — it always changes the method to GET, regardless of the original method, and is inherently temporary.
What Happens Inside the Browser
When a browser encounters a redirect response, it follows a specific sequence of steps. Understanding this helps explain why redirects are so fast and why users rarely notice them.
Step 1: DNS Resolution
Before anything else, the browser resolves the hostname of the short URL (e.g., iu.pe) to an IP address using DNS. If the browser has recently visited the same domain, the DNS result may already be cached.
Step 2: TCP Connection and TLS Handshake
The browser establishes a TCP connection to the server. If the URL uses HTTPS (which it should), a TLS handshake follows, negotiating encryption parameters. With HTTP/2 or HTTP/3, the browser may reuse an existing connection if one is already open to that server.
Step 3: Sending the HTTP Request
The browser sends the HTTP request. For a typical short link click, this is a simple GET request with headers like Host, User-Agent, Accept, and potentially Referer (the page the user clicked from).
Step 4: Receiving the Redirect Response
The server processes the request, looks up the shortcode in its database, and returns the redirect response with the appropriate status code and Location header. A well-optimized URL shortener completes this lookup and response in single-digit milliseconds.
Step 5: Following the Redirect
The browser reads the Location header and initiates a new request to the destination URL. This means a second DNS lookup (for the destination domain), a new TCP/TLS handshake (if no existing connection), and a new HTTP request. The browser updates the address bar to show the final destination URL.
Step 6: Caching Behavior
For 301 and 308 redirects, the browser may cache the redirect mapping. The next time the user visits the same short link, the browser can skip the server entirely and go directly to the destination. The caching duration is controlled by the Cache-Control and Expires headers in the redirect response.
For 302 and 307 redirects, browsers typically don't cache the mapping (unless explicit caching headers are present), so every visit hits the server again.
Redirect Chains: When Redirects Point to Redirects
A redirect chain occurs when the destination of one redirect is itself another redirect. For example:
iu.pe/abc --301--> http://example.com/page
http://example.com/page --301--> https://example.com/page
https://example.com/page --301--> https://www.example.com/pageIn this scenario, a single click triggers three HTTP round trips before the user sees any content. Each hop adds latency — typically 50-200ms depending on geography and server speed.
Why redirect chains happen:
- HTTP to HTTPS upgrades (the server redirects insecure requests to secure ones)
- Domain normalization (redirecting non-www to www, or vice versa)
- URL shorteners that point to other URL shorteners
- Legacy URL structures that have been reorganized multiple times
Why they're problematic:
- Performance: Each redirect adds a full round trip. Three redirects can add 300-600ms to page load time.
- SEO: Google follows redirect chains but discounts link equity with each hop. Google has stated they will follow up to 10 redirects before giving up, but equity loss increases with chain length.
- Reliability: Each link in the chain is a potential point of failure. If any server in the chain is down, the entire redirect fails.
Browser limits: Browsers impose limits on redirect chains to prevent infinite loops. Most browsers follow a maximum of 20 redirects before displaying an error (Chrome shows "ERR_TOO_MANY_REDIRECTS"). RFC 9110 doesn't mandate a specific limit but notes that "a client SHOULD detect and intervene in cyclical redirections."
How URL Shorteners Use Redirects
At its core, a URL shortener is a specialized redirect server. Here's how the process works inside a service like LinkDisguiser:
Creating a Short Link
- The user submits a destination URL (e.g.,
https://example.com/very/long/path?with=parameters). - The server generates a unique shortcode — a random alphanumeric string like
xK7mNp. The length of the code determines the namespace: 6 characters using a-z, A-Z, and 0-9 gives 62^6 = 56.8 billion possible codes. - The server stores the mapping (shortcode to destination URL) in a database.
- The server returns the short URL:
iu.pe/xK7mNp.
Clicking a Short Link
- The user clicks or navigates to
iu.pe/xK7mNp. - The request arrives at the URL shortener's server.
- The server extracts the path (
xK7mNp) and looks it up in the database. - If found, the server records analytics data (timestamp, IP address, referrer, user agent) and returns a 301 redirect to the destination URL.
- If not found (or if the link has expired), the server returns a 404 Not Found or 410 Gone response.
Why 301 and Not 302?
Most URL shorteners use 301 (Moved Permanently) because:
- SEO pass-through: A 301 tells search engines to transfer ranking value to the destination URL. If someone links to your short URL, the SEO benefit flows through to your actual page.
- Performance: Browsers cache 301 redirects, so repeat visitors may skip the shortener entirely and go straight to the destination. This reduces server load and improves user experience.
- Semantic correctness: A shortcode-to-URL mapping is a permanent association. The shortcode
xK7mNpwill always point to the same destination (assuming it's not deleted or edited), so "permanently moved" is the accurate description.
Some shorteners use 302 instead, typically because they want every click to pass through their servers for analytics tracking (since browsers don't cache 302s). This is a trade-off between accurate click counting and SEO/performance benefits.
The Referer Header: Where Did the Click Come From?
When a browser follows a link from one page to another, it includes a Referer header (yes, the misspelling is intentional — it was a typo in the original HTTP spec from 1995 that has been preserved for backward compatibility) in the request. This header contains the URL of the page the user was on when they clicked the link.
GET /xK7mNp HTTP/1.1
Host: iu.pe
Referer: https://twitter.com/someuser/status/123456URL shorteners capture this header to build referrer analytics — showing you that your short link was clicked from Twitter, an email client, a specific blog post, or a direct visit (no referrer).
However, the Referer header isn't always present. It's suppressed when:
- The referring page uses the
Referrer-Policy: no-referrerheader. - The user navigated from an HTTPS page to an HTTP destination (browsers strip the referrer for security).
- The link includes a
rel="noreferrer"attribute. - The user typed or pasted the URL directly into the address bar.
- The user clicked the link from a bookmarks bar or application.
This is why analytics tools categorize some traffic as "Direct" — it's traffic where no referrer information was available.
Security Considerations
HTTP redirects are powerful, which also makes them a potential attack vector. Several security concerns are associated with redirects:
Open Redirect Vulnerabilities
An open redirect is a URL on a trusted domain that redirects to any arbitrary URL. Attackers exploit this for phishing: they craft a URL on a trusted domain (like a bank's website) that redirects to a malicious lookalike. The victim sees the trusted domain in the link and clicks without suspicion.
URL shorteners are inherently open redirectors — that's their purpose. They mitigate the risk by scanning destination URLs against malware/phishing databases and by making it clear (through branding and education) that a short link could point anywhere.
Redirect Loops
A redirect loop occurs when URL A redirects to URL B, which redirects back to URL A. This creates an infinite cycle. Browsers detect these and stop after a set number of hops, displaying an error page. URL shorteners prevent this by validating that the destination URL is not another link on the same shortener domain.
HTTPS Downgrade
If a shortener redirects from HTTPS to an HTTP destination, the user's connection to the destination is unencrypted. Modern shorteners mitigate this by warning about or blocking HTTP-only destinations, though most accept them since the destination site's TLS configuration is beyond the shortener's control.
Less Common Redirect Codes
Beyond the five main redirect codes, HTTP defines a few others worth mentioning:
- 300 Multiple Choices: The server is offering multiple representations of the resource (e.g., different languages or formats) and the client should choose one. Rarely used in practice.
- 304 Not Modified: Technically in the 3xx range but not a redirect — it's a response to a conditional request telling the client to use its cached copy. Included here because it's often confused with redirects.
HTTP/2, HTTP/3, and Redirects
The newer HTTP protocol versions don't change redirect semantics — a 301 is still a 301 — but they do affect performance:
- Connection reuse: HTTP/2 and HTTP/3 multiplex requests over a single connection. If the redirect stays on the same domain, the follow-up request doesn't need a new TCP/TLS handshake.
- Server push (HTTP/2): In theory, a server could push the destination resource along with the redirect response, eliminating the extra round trip. In practice, this is rarely implemented for redirects and HTTP/2 server push has been deprecated in some browsers.
- QUIC (HTTP/3): Built on UDP rather than TCP, HTTP/3 reduces connection establishment time. Redirects to different domains benefit from faster handshakes.
HSTS and Redirect Elimination
HTTP Strict Transport Security (HSTS) can eliminate one common redirect entirely. When a server sends the Strict-Transport-Security header, the browser remembers that this domain should only be accessed over HTTPS. On subsequent visits, the browser automatically upgrades http:// URLs to https:// before sending the request, avoiding the HTTP-to-HTTPS redirect entirely.
Strict-Transport-Security: max-age=31536000; includeSubDomainsSites on the HSTS preload list go one step further — the browser knows to use HTTPS from the very first visit, without ever needing to receive the HSTS header. This eliminates the redirect for first-time visitors too.
Practical Implications for Link Shortening
Understanding redirect mechanics has real consequences for anyone who uses or builds a URL shortener:
- Choose 301 for SEO. If you want link equity to pass through to the destination, use 301. This is the default for most shorteners, including LinkDisguiser.
- Minimize redirect chains. If your destination URL itself redirects (e.g., HTTP to HTTPS, non-www to www), you're adding unnecessary hops. Ideally, point your short link directly at the final, canonical URL.
- Use HTTPS everywhere. Your short link domain should use HTTPS. The destination should too. This preserves referrer data and prevents security warnings.
- Keep the shortener fast. Since the redirect is a blocking step in page load, the shortener's database lookup and response time directly affect user experience. Milliseconds matter.
- Monitor for broken destinations. A short link is only as reliable as its destination. If the destination returns a 404, the short link becomes a dead end.
Try LinkDisguiser Free
Create short links with instant redirects, click analytics, and full link management — no signup required.
Start ShorteningFurther Reading
If you want to go even deeper into the HTTP specification:
- RFC 9110 — HTTP Semantics: the current authoritative specification for HTTP status codes, headers, and redirect behavior.
- RFC 9111 — HTTP Caching: defines how responses (including redirects) can be cached by browsers and intermediaries.
- RFC 6797 — HTTP Strict Transport Security (HSTS): defines the mechanism for eliminating HTTP-to-HTTPS redirects.
- RFC 7538 — The 308 (Permanent Redirect) status code: the original specification for 308 before it was incorporated into RFC 9110.
The web is built on redirects. Every URL shortener, every HTTPS upgrade, every domain migration, and every "moved page" depends on this mechanism. It's one of the simplest parts of the HTTP specification — just a status code and a header — but it's also one of the most consequential.