Follow redirects

How to follow a 3xx response's `Location` header to the final destination, and conversely how to observe redirects without following them.

Overview

How to follow a 3xx response's `Location` header to the final destination, and conversely how to observe redirects without following them.

In code

# follow up to 10 redirects and show the final response:
curl -L --max-redirs 10 https://example.com/old-path

# see the redirect chain without following bodies:
curl -sIL https://example.com/old-path
// fetch follows redirects by default (redirect: 'follow').
const res = await fetch('https://example.com/old-path');
console.log(res.redirected, res.url); // true, final URL

// to inspect instead of follow:
const raw = await fetch('https://example.com/old-path', { redirect: 'manual' });
import requests

res = requests.get('https://example.com/old-path')  # follows by default
print(res.url)          # final URL
print([r.status_code for r in res.history])  # the redirect chain

# disable: requests.get(url, allow_redirects=False)

Details

curl does not follow redirects by default, so pass `-L`, and cap the count with `--max-redirs` to avoid loops. `fetch` and `requests` follow by default, so to inspect the redirect itself turn it off with `redirect: 'manual'` or `allow_redirects=False`.

Method-preservation rules differ by code. 301/302/303 often turn a POST into a GET, whereas 307/308 preserve the original method and body. So the outcome of redirecting a POST depends heavily on which code you get.

Mind security when following. On a cross-origin hop, curl drops the `Authorization` header by default. An HTTP→HTTPS upgrade redirect is safe, but blindly following a `Location` from an untrusted server risks SSRF and credential leakage.

Related headers

Related status codes