HTTP

Header

Location

Learn how the Location header specifies redirect URLs or the location of newly created resources. Essential for 201, 301, 302, and other redirect responses.

4 min read beginner Try in Playground
#headers #response #redirect #creation

What is Location?

TL;DR: Specifies the URL to redirect to or where a newly created resource is located. Essential for redirects and RESTful API resource creation.

Location tells the browser where to go next. It’s used in two main scenarios: redirects (when a page has moved) and resource creation (when something new is created). Think of it as a forwarding address or a “you can find it here” pointer.

This header is essential for proper navigation, SEO, and RESTful API design.

How It Works

Redirects

When a page has moved permanently:

HTTP/1.1 301 Moved Permanently
Location: https://example.com/new-page
Content-Length: 0
```text

Browser automatically navigates to the new URL.

### Resource Creation

When creating a new resource via API:

```http
HTTP/1.1 201 Created
Location: https://api.example.com/users/123
Content-Type: application/json

{"id": 123, "name": "John", "email": "john@example.com"}

Client knows where to find the newly created user.

Redirect Status Codes

301 Moved Permanently

Resource has permanently moved:

HTTP/1.1 301 Moved Permanently
Location: https://example.com/new-location
```nginx

- Search engines update their indexes
- Browsers cache the redirect
- Use for permanent URL changes

### 302 Found (Temporary Redirect)

Resource temporarily at different location:

```http
HTTP/1.1 302 Found
Location: https://example.com/temporary-location
  • Search engines keep original URL
  • Browsers don’t cache the redirect
  • Use for temporary moves

303 See Other

Redirect to different resource (often after POST):

HTTP/1.1 303 See Other
Location: https://example.com/success-page
```nginx

- Always use GET for the redirect
- Common after form submissions
- Prevents duplicate submissions

### 307 Temporary Redirect

Like 302 but preserves HTTP method:

```http
HTTP/1.1 307 Temporary Redirect
Location: https://example.com/temporary-location
  • Maintains original HTTP method (POST stays POST)
  • More explicit than 302

308 Permanent Redirect

Like 301 but preserves HTTP method:

HTTP/1.1 308 Permanent Redirect
Location: https://example.com/new-location
```text

- Maintains original HTTP method
- More explicit than 301

## URL Formats

### Absolute URLs

Full URL with protocol and domain:

```http
Location: https://example.com/path/to/resource

Works from any context.

Relative URLs

Path relative to current domain:

Location: /path/to/resource
```text

Browser constructs full URL using current domain.

### Protocol-Relative URLs

Inherits current protocol (http/https):

```http
Location: //example.com/path/to/resource

Useful for mixed HTTP/HTTPS environments.

Real-World Examples

Website Restructuring

Old blog moved to new domain:

GET /old-blog-post HTTP/1.1
Host: oldsite.com

HTTP/1.1 301 Moved Permanently
Location: https://newsite.com/blog/same-post
```text

### User Authentication

Redirect to login page:

```http
GET /dashboard HTTP/1.1

HTTP/1.1 302 Found
Location: /login?redirect=/dashboard

Form Submission

Redirect after successful form post:

POST /contact HTTP/1.1
Content-Type: application/x-www-form-urlencoded

name=John&email=john@example.com

HTTP/1.1 303 See Other
Location: /thank-you
```text

### API Resource Creation

Creating a new user:

```http
POST /api/users HTTP/1.1
Content-Type: application/json

{"name": "Jane", "email": "jane@example.com"}

HTTP/1.1 201 Created
Location: /api/users/456
Content-Type: application/json

{"id": 456, "name": "Jane", "email": "jane@example.com"}

HTTPS Enforcement

Redirect HTTP to HTTPS:

GET / HTTP/1.1
Host: example.com

HTTP/1.1 301 Moved Permanently
Location: https://example.com/
```text

## SEO Considerations

### 301 vs 302 for SEO

```http
✅ Permanent move - use 301:
HTTP/1.1 301 Moved Permanently
Location: https://example.com/new-page

❌ Temporary move - don't use 301:
HTTP/1.1 302 Found
Location: https://example.com/maintenance-page

Redirect Chains

Avoid multiple redirects:

❌ Bad: A → B → C → D (slow, bad for SEO)
✅ Good: A → D (direct redirect)
```text

### Canonical URLs

Use consistent URL format:

```http
# Always redirect to canonical version
example.com → www.example.com
http://example.com → https://example.com

Security Considerations

Open Redirect Vulnerability

Never redirect to user-controlled URLs:

Dangerous:
app.get('/redirect', (req, res) => {
  res.redirect(req.query.url) // User can redirect anywhere!
})

Safe:
app.get('/redirect', (req, res) => {
  const allowedUrls = ['/dashboard', '/profile', '/settings']
  const url = req.query.url

  if (allowedUrls.includes(url)) {
    res.redirect(url)
  } else {
    res.redirect('/') // Default safe redirect
  }
})
```text

### HTTPS Redirects

Always redirect to HTTPS for security:

```http
HTTP/1.1 301 Moved Permanently
Location: https://example.com/secure-page
Strict-Transport-Security: max-age=31536000

Best Practices

1. Use appropriate status codes:

301 - Permanent moves (SEO passes to new URL)
302 - Temporary moves (SEO stays with original)
303 - After POST to prevent resubmission
```text

**2. Always use absolute URLs for external redirects:**

```http
✅ Location: https://external-site.com/page
❌ Location: //external-site.com/page (can be ambiguous)

3. Include Location with 201 Created:

HTTP/1.1 201 Created
Location: /api/resources/123
```javascript

**4. Validate redirect destinations:**

```javascript
const isValidRedirect = (url) => {
  return url.startsWith('/') || url.startsWith('https://mysite.com')
}

5. Limit redirect chains:

Maximum 3-5 redirects to avoid performance issues

Common Patterns

Post-Redirect-Get (PRG)

Prevent duplicate form submissions:

POST /submit-form HTTP/1.1
[form data]

HTTP/1.1 303 See Other
Location: /success
```text

### Trailing Slash Normalization

```http
GET /page HTTP/1.1

HTTP/1.1 301 Moved Permanently
Location: /page/

Mobile Redirects

GET / HTTP/1.1
User-Agent: Mobile Browser

HTTP/1.1 302 Found
Location: https://m.example.com/

Frequently Asked Questions

What is the Location header?

Location specifies the URL to redirect to. It is used with 3xx redirect responses and 201 Created to indicate where the new resource was created.

Should Location be absolute or relative?

Use absolute URLs for maximum compatibility. While relative URLs are allowed, some older clients may not handle them correctly. Always include the full URL.

When is Location used with 201?

With 201 Created, Location points to the newly created resource. This lets clients know where to find the resource they just created via POST.

What happens if Location is missing from a redirect?

Browsers may show an error or the redirect body content. Always include Location with redirect status codes. The redirect cannot work without it.

Keep Learning

Hub

HTTP Headers

Browse the full index for this topic.

 Tool

Header Inspector

Fetch any URL and analyze its response headers.

 Tool

Site Verifier

Scan SSL/TLS, security headers, cookies, and caching for any URL.

 Tool

HTTP Playground

Send requests and inspect responses interactively.