Redirect Checker Online Free

Q: How long should a redirect chain be?

Each hop adds one round-trip — TCP plus TLS plus HTTP — and increases the chance of the chain breaking. Browsers and HTTP clients enforce maximum chain limits to prevent loops: Chromium and Firefox cap at 20 redirects, Safari at 16, curl defaults to 50 (configurable via --max-redirs), Python's requests library defaults to 30. RFC 9110 §15.4 says clients SHOULD limit chain length but doesn't mandate a number. From a performance perspective, every redirect adds approximately 50–200 ms depending on geography and TLS resumption. Best practice is to keep chains to one hop maximum — the typical legitimate cases are HTTP-to-HTTPS (HSTS preload makes this skippable) and apex-to-www (or vice versa) for canonicalisation.

Q: What is HSTS preload and how does it interact with redirects?

HSTS (HTTP Strict Transport Security, RFC 6797 Hodges, Jackson & Barth, 2012) tells browsers to upgrade all subsequent HTTP requests for a domain to HTTPS automatically. Once a domain is preloaded into Chromium's HSTS preload list (hstspreload.org, also used by Firefox, Safari, and Edge), browsers refuse plain HTTP entirely — which means the first HTTP-to-HTTPS redirect is skipped: the browser jumps straight to HTTPS internally without ever hitting the HTTP endpoint. This eliminates one redirect hop and closes a man-in-the-middle window during the initial TLS upgrade. Preload list inclusion requires a max-age of at least one year (31536000 seconds), the includeSubDomains directive, and the preload directive in the HSTS response header. Hstspreload.org's deployment guidance recommends ramping max-age in stages (5 minutes → 1 week → 1 month) before submission, but the staged ramp is guidance, not a strict admission requirement. Once added, removal takes weeks — design accordingly.

Q: What is an open redirect vulnerability?

An open redirect (CWE-601 per MITRE, falling under OWASP A01:2021 Broken Access Control) occurs when a web application accepts a user-controlled URL parameter and redirects to it without validation — for example example.com/redirect?url=evil.com. Attackers exploit this for phishing campaigns: the trusted parent domain in the URL gives credibility while the actual destination is malicious. Common attack vectors include redirect-after-login flows, email tracking pixels, and 'continue to' parameters. Mitigations include maintaining an allowlist of acceptable redirect targets, rejecting absolute URLs in user input, and whitelist-validating against same-origin. Reject schemes other than https/http; specifically reject userinfo, javascript:, and data: schemes. The CWE catalogue entry was added by MITRE in 2007 (CWE Draft 6).

Q: Why does this tool show different chains than my browser?

Browsers add layers raw HTTP doesn't see: HSTS upgrades (described above), cookies that affect server-side redirect logic, geo-IP detection at the edge that varies routing, Service Worker cache that intercepts requests entirely, and HTTP/3 negotiation that can shortcut through alt-svc. This tool follows redirects from a Cloudflare Worker without browser cookies, without HSTS state, and without service worker layers — the result is what a fresh, cold HTTP client sees. If your browser shows a different chain it's typically because of HSTS upgrades (not visible in raw protocol) or cookie-driven server logic. To match this tool's view in your browser: open DevTools Network tab with 'Disable cache' and 'Preserve log' enabled, then test in an incognito or private window.

Trace HTTP Redirect Chains — 301, 302, 307, 308 + HSTS

HTTP redirects (3xx status codes) tell clients to retry the same request at a different URL. RFC 9110 §15.4 (Fielding, Nottingham & Reschke, 2022) defines five redirect types: 301 Moved Permanently, 302 Found, 303 See Other, 307 Temporary Redirect, and 308 Permanent Redirect. The practical distinction is method preservation — 307 and 308 preserve the original HTTP method (POST stays POST), while 301/302/303 historically converted POST to GET on retry, losing the request body. Google Search Central (Gary Illyes, 2016) confirmed that 30x redirects no longer lose PageRank for SEO, so the choice between 301 and 302 is now about HTTP semantics, not ranking. This tool traces the complete chain hop-by-hop from a Cloudflare edge server: status code, response headers, target URL at each stage, and the final destination. HSTS-preloaded domains skip the first HTTP→HTTPS redirect entirely (RFC 6797 Hodges, Jackson & Barth, 2012). Useful for SEO migration audits, debugging www↔apex flapping, catching mixed HTTP/HTTPS chains, and identifying open-redirect vulnerabilities (CWE-601 / OWASP A01:2021).

How to check a redirect chain

Enter the starting URL — the tool follows every 3xx response from a Cloudflare edge server.
Each hop shows status code, target URL, and key response headers (Location, Strict-Transport-Security, Set-Cookie).
Review the final URL to confirm it matches your expected destination — and the path doesn't leak through unintended hops (tracking shorteners, www↔apex, mixed HTTPS).
If you see >2 hops or HTTP+HTTPS mixing, audit the upstream redirect rules (DNS, CDN, application) before relying on the chain in production.

Common use cases

Auditing an HTTP→HTTPS migration to verify the upgrade is a permanent 301/308 (not a temporary 302/307 that breaks SEO continuity).
Catching accidental redirect chains that pass through www→apex→www before reaching the final canonical URL.
Verifying a marketing short link resolves to the expected landing page without extra tracking hops.
Investigating an open-redirect vulnerability (CWE-601) report by tracing user-controlled URL parameters through the chain.

Frequently asked questions

What's the practical difference between 301, 302, 303, 307, 308?

RFC 9110 §15.4 defines five 3xx redirect types. 301/302/303 historically converted POST→GET; 307/308 preserve method+body. Since 2016 Google treats all 30x equally for PageRank (Gary Illyes statement), so the choice is about HTTP semantics, not SEO.

How long should a redirect chain be?

Aim for 1 hop maximum. Browsers cap at 16-20 redirects (Chromium 20, Safari 16). Each hop adds ~50-200 ms; multi-hop chains compound cost and break more often.

What is HSTS preload and how does it interact with redirects?

RFC 6797 HSTS preload tells browsers to upgrade plain HTTP to HTTPS internally without a redirect. Once preloaded (hstspreload.org), the first HTTP→HTTPS redirect hop is skipped entirely — eliminating both a round-trip and a MITM window.

What is an open redirect vulnerability?

CWE-601 (OWASP A01:2021): a redirect endpoint accepts a user-controlled URL without validation, letting attackers forge phishing URLs that look like your domain but route to malicious sites. Mitigate with allowlists or same-origin constraints.

Why does this tool show different chains than my browser?

Browsers add HSTS upgrades, cookies, service workers, and geo-IP routing. This tool follows redirects from a clean Cloudflare Worker — what a cold HTTP client sees. To match: open DevTools Network with 'Disable cache' + 'Preserve log' in an incognito window.

Why redirect chains matter, what clients allow, and how attackers abuse them

Each redirect hop is one round-trip — TCP plus TLS plus HTTP — adding 50-200 ms depending on geography and TLS session resumption. Chains compound this cost; a 5-hop chain can add nearly a full second to first-byte time. RFC 9110 §15.4 says clients SHOULD limit chain length but doesn't mandate a number; in practice Chromium and Firefox cap at 20 redirects, Safari at 16, curl defaults to 50 (--max-redirs configurable), and Python's requests library defaults to 30. Beyond limits, browsers display 'too many redirects' and stop. From a security standpoint, open redirects (CWE-601 per MITRE; OWASP A01:2021 Broken Access Control category) occur when an application accepts a user-controlled URL parameter for redirection without validation. Phishing campaigns abuse these because the legitimate parent domain in the URL gives credibility. Common patterns are 'continue to ?url=' parameters in login flows. Mitigation: maintain an allowlist of acceptable destinations, or constrain to same-origin. HSTS preloading (RFC 6797) closes another window — once a domain is preloaded into the browser's HSTS list, plain HTTP requests are upgraded internally before they hit the wire, eliminating the first HTTP→HTTPS redirect hop and the man-in-the-middle window during initial TLS upgrade.

Full redirect chain visualization (every 3xx hop with status code per RFC 9110 §15.4)
Status codes 301/302/303/307/308 with method-preservation distinction (307+308 preserve POST)
Final destination URL after the chain resolves
Up to 10 redirect hops traced (under browser limits 16-20)
HSTS preload + HTTP→HTTPS upgrade detection (RFC 6797)
Open-redirect vulnerability hint (CWE-601 / OWASP A01:2021 patterns)

Free. No signup. Browser tools (subnet, JWT, password strength) run locally; lookup tools query public APIs (Cloudflare DoH, RDAP, certificate logs). Full per-tool breakdown at /methodology/.

Sources (5)

Fielding, R., Nottingham, M., & Reschke, J. (Eds.) (2022). HTTP Semantics. RFC 9110, IETF (§15.4 Redirection 3xx — 301/302/303/307/308 method preservation).
Hodges, J., Jackson, C., & Barth, A. (2012). HTTP Strict Transport Security (HSTS). RFC 6797, IETF (preload list interactions).
MITRE Corporation (live). CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). cwe.mitre.org/data/definitions/601.html.
Open Web Application Security Project (OWASP) (2021). OWASP Top 10:2021 — A01 Broken Access Control. owasp.org/Top10/A01_2021-Broken_Access_Control.
Illyes, G. (Google) (2016). 30x redirects don't lose PageRank anymore. Google Search Central confirmation (developers.google.com/search/docs/crawling-indexing/301-redirects).

These are the IETF RFCs, NIST publications, and W3C standards the tool implements or queries. Locate them on the IETF Datatracker (datatracker.ietf.org) or the official standards body.

Related guides

HTTP Status Codes in Monitoring — Which Trigger Alerts, Which Don'tNot every non-200 is an outage. A practical guide to which HTTP status codes should page you and which are just noise.

By Marco B. · Last verified June 2026 — runs in your browser