Permanent redirecting
tl;dr: Don't use permanent redirects (301) at all. You will never really need them.
When it comes to redirecting, people are often shooting themselves in the foot without realising. In an attempt to save you from trouble, I will go over some options first.
A short overview of the four main redirect status codes:
| | Permanent | Temporary |
|---|---|---|
| Allows changing the request method from POST to GET | 301 | 302 |
| Doesn't allow changing the request method from POST to GET | 308 | 307 |
For a more detailed list of differences between all status codes, visit this Stack Overflow thread.
Permanent redirects are impossible to control once set.
Permanent redirects are interpreted differently per browser, and can sometimes be influenced by the Expires: header.
However, forgetting to set this is easy, and most browsers will keep it, well, permanently cached. Some even when clearing the local cache.
Additionally, you do not have any control over the browser of your visitor, and you will not be able to undo the damage if you messed up your redirect (or change your mind).
You do not need to use a permanent redirect, so don't. If you believe you really do need a permanent redirect, read on.
Temporary redirects: 302 vs 307
302s are the most common; 307s are fairly new. A 302 allows changing the request method; a 307 does not.
This behaviour is important to note. Imagine the following:
A user is logged in to your site. They want to change something in their profile, or upload an image, etc. When they submit the form, it gets POSTed to your website. However, your website detects that the user's session was invalidated and redirects to the login form.
What happens next depends on whether the redirect is a 302 or a 307. With a 302, that redirect will work fine. With a 307, the request method would have to change from POSTing the form to GETting a login form, which is forbidden by the 307 code. The website breaks.
So for common use, it's probably safer to keep using 302 redirects over 307s.
Keeping search engine page ranking.
In the past, you were required to use 301 redirects to avoid getting punished by search engines. This is no longer the case!
When you publish content on your website, Google and other search engines will index it, and the more popular a page becomes, the higher its ranking in the search results.
This will generate more and more traffic for your website, and thereby often increase revenue.
The problem lies in revising your website. If you want to replace your CMS, or otherwise do something that involves changing the URL of said page, you can lose its ranking (with all the consequences of that).
To avoid losing your ranking, make sure the full old URL redirects to the new URL of the same exact page with a redirect.
Single pages only, page by page. Do not redirect everything to one new page (like the main site URL) or it'll backfire on you. Search engines will, if you did it correctly, update their location of the page and will keep its ranking in place. Regardless of it being 301 or 302.
http:// to https:// redirecting
The same as with the site to site redirecting above. Do NOT use 301 to redirect from http:// to https://. There is a much better, healthier way. Many search engines, like Google, prefer https:// anyway. So the "Good implementation" example doesn't count when redirecting from http:// to https://!
Use a temporary redirect (302 or 307), combined with setting an HSTS header on the https:// port instead.
Why? Well, HTTP Strict Transport Security headers:
- Can be influenced remotely!
  Browsers will reset the remaining cache time of the header to the current value sent by the webserver.
  A value of 0 will remove the HSTS setting from the browser entirely, as if it was never there.
- Will make sure that the browser will, for as long as the HSTS setting is cached, not go to http:// even if the user asks for it.
- It will make sure that https:// is enforced. No more hits will be done to your http:// version.
- Will boost your Google search engine rankings. HSTS is checked for separately and rewarded!
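
The browser-side behaviour from the list above, as an added example (not code from the original article): a simplified model of an HSTS cache showing that the header is only honoured over https://, that each new header resets the expiry, and that a value of 0 removes the entry. The class name `HSTSStore`, its method names and the `example.test` hostnames used to exercise it are assumptions made for illustration; real browsers also consult preload lists, which this model ignores.

```python
import re
from urllib.parse import urlsplit, urlunsplit

class HSTSStore:
    """Simplified model of a browser's HSTS cache (no preload list)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def note_response(self, url, headers, now):
        """Record or clear HSTS state from one response received at time `now`."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        # The header is only honoured when it arrives over https.
        if parts.scheme != "https" or not parts.hostname or value is None:
            return
        match = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.I)
        if match is None:
            return  # max-age is mandatory; ignore a malformed header
        host, max_age = parts.hostname.lower(), int(match.group(1))
        if max_age == 0:
            self._hosts.pop(host, None)  # server revoked the policy
            return
        sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", value, re.I) is not None
        # Every fresh header replaces the old expiry with now + max-age.
        self._hosts[host] = (now + max_age, sub)

    def _covered(self, host, now):
        for known, (expiry, sub) in list(self._hosts.items()):
            if now >= expiry:
                del self._hosts[known]  # policy timed out
            elif host == known or (sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually request at time `now`."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or not self._covered(host, now):
            return url
        # Keep a non-default port; plain http on port 80 moves to default https.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(parts._replace(scheme="https", netloc=netloc))
```

Unlike a cached 301, the entry in this store can be shortened, extended or removed by the next https:// response, which is what makes the 302/307 plus HSTS combination recoverable after a mistake.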