Series - part 4 of 4

Ultimate Guide to Understanding HTTP Status Codes – 300 Series


HTTP 300 status codes are reserved for redirects. Most redirects will be transparent to the end-user and are handled entirely by a user-agent.

This post is part of The Hypertext Transfer Protocol - HTTP series

To better understand why redirects are so important, it may be helpful to understand why a redirect would be used in the first place.

Redirects usually result from change. This can be a change of computing resources, marketing terminology, policy, SEO strategy, or business operations. Somewhere, something has changed, and the same URI now needs to be reachable at a different location.

When changes are made, search engines and other resources will keep the older links until the site is re-indexed.

The alternative to a redirect would be a 404 “document not found” error.

An extreme scenario forcing the need to redirect a user-agent would be a company reorganizing its product line. Let’s say, for example, ACME Co. moved the Widgets line to ACME Labs. Current ACME policy dictates a web structure of: acmeco/{division}/{productline}.

So ACME might have:

www.acme.com
www.acme.com/marketing/seotechnologies/
www.acme.com/marketing/billboards/
www.acme.com/consumergoods/sports/
www.acme.com/consumergoods/clothing/
www.acme.com/consumergoods/widgets/
www.acme.com/labs/widgets/
www.acme.com/labs/foobars/
www.acme.com/labs/betaproducts/

ACME Widgets has been located at www.acme.com/consumergoods/widgets/ for the past 5 years and gets tens of thousands of hits per hour at that location.

Can you imagine how much revenue this simple move could cost ACME Co. in lost sales, customer service responding to complaints, and executives answering the phone for official press statements about the beloved Widget line?

What about search engines? A good portion of ACME Co. Widget sales comes from search engine hits. Not to mention the Google Adwords campaign and the URL on brochures and business cards.

A 300 series redirect can solve the problem for everyone at ACME Co. ACME can simply configure the web-server to redirect all requests asking for www.acme.com/consumergoods/widgets/ to www.acme.com/labs/widgets/.


Real World Example of a 301 Redirect

At Euro VPS we use a 301 redirect to ensure customers use the secured HTTPS protocol:

301 redirect to secure HTTPS

redirecting customers away from http://www.eurovps.com to https://www.eurovps.com

If you’d like, try copying and pasting http://www.eurovps.com/ into your web browser to see what happens. Spoiler: you will be redirected to HTTPS.

Here is exactly how the **301 Redirect** ensures every visitor will access HTTPS when visiting EuroVPS:

  1. user-agent requests http://www.eurovps.com/
  2. web-server replies with a 301 status code
  3. the web-server sets a Location header to the https version
  4. most user-agents will automatically redirect to the new URL

Redirect when Location Header is not followed

A message is displayed for user-agents that do not honor the Location header.

Redirects can be accomplished in scripting languages and frameworks such as Python Django, PHP, and ASP.NET. However, a more robust solution is to leave redirects up to the web-server with a rewrite rule.

Redirect in PHP:

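  <?php
  // Permanent 301 redirect via PHP; must run before any output is sent
  header("HTTP/1.1 301 Moved Permanently");
  header("Location: https://eurovps.com/");
  exit; // stop here so the rest of the page is not rendered after the redirect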

The problem with doing redirects at this high layer is that we could end up editing 100 pages! Or even worse, hacking up code in a content management system that may not do redirects as we would like.

A much more elegant solution is to have the web-server do all the redirecting for us.

In Apache, redirects could be done as follows:

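# Per-directory (.htaccess) form: the leading "/" is stripped before matching,
# so "/$1" restores it. In server or virtual-host context, drop the "/" before $1.
RewriteEngine On
# Only rewrite requests that did not arrive over TLS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]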

The above re-write rule will make sure every request uses HTTPS for the entire site.
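One way to check that a server answers the way the four steps above describe, as an added Python example that is not EuroVPS's own tooling: it parses a raw HTTP reply and reports anything that differs from a permanent, same-host, same-path upgrade to HTTPS with a fallback body. The host www.example.test, the sample reply and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the raw reply a server might send to
# "GET /plans?x=1" on http://www.example.test (hypothetical host).
SAMPLE_REPLY = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.test/plans?x=1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<p>Moved to https://www.example.test/plans?x=1</p>"
)


def parse_reply(raw):
    """Split a raw HTTP/1.x reply into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_https_redirect(request_url, raw_reply):
    """Return a list of problems; an empty list means the reply is a
    permanent, same-host, same-path upgrade to HTTPS."""
    status, headers, body = parse_reply(raw_reply)
    asked = urlsplit(request_url)
    target = urlsplit(headers.get("location", ""))
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if "location" not in headers:
        problems.append("no Location header")
        return problems
    if target.scheme != "https":
        problems.append("Location is not an https URL")
    if (target.hostname or "") != (asked.hostname or ""):
        problems.append("Location points at a different host")
    if (target.path or "/", target.query) != (asked.path or "/", asked.query):
        problems.append("path or query not preserved")
    if not body.strip():
        problems.append("no fallback message in the body")
    return problems
```
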

We now know why 300 Redirects are useful. Let’s explore the most common 300 Redirects that are likely to be encountered on the world wide web.


Status Code 300 Redirects

300 – Multiple Choices

300 Multiple Choices is a redirect that is seldom used in the real world. 300 Multiple Choices is encountered when a requested resource points to multiple destinations for the same requested document. A choice of action is presented to the end-user, allowing them to select the choice desired.

301 – Moved Permanently

One of the more common redirects used on the world wide web today. Moved Permanently was used in each introductory example at the beginning of this section.

301 Redirects are so common because of the way they are handled by Google. When Google updates a site index and notices the 301 Redirect, its spiders will attempt to update the site index, and previous page rankings will be restored with little fluctuation.

Euro VPS Google Index

Doing a search for Euro VPS “/”* shows all pages were properly indexed following the 301 Redirect to HTTPS. When a 301 Redirect is encountered, bookmarks and automated user-agents should be updated to the new URI.

302 – Found

302 redirects should be used when a requested URI is temporarily at a new location. Like the 301 redirect, when the GET method is used the 302 gives the user-agent the means to reach the temporary URI location.

Unlike the 301 redirect, user-agents should continue using the URI that points to the redirect, because it is a temporary redirect.

303 – See Other

The 303 Redirect is a little different than each redirect we have discussed to this point. 303 is mainly for POST and PUT requests that are taken to a different URI than originally requested by the user-agent in its POST or PUT request.

An example could be when uploading a larger file that may take a few minutes:

  1. user-agent submits a large file using PUT or POST
  2. the file is destined to the original URI
  3. web-server returns a 303 redirecting to an upload status page
  4. user-agent will use GET via 303, requesting an upload status page

304 – Not Modified

The 304 Not Modified is used for caching purposes. 304 is sent as a status to a user-agent requesting a check on the current status of a cached page.

If the page requested is still current, the user-agent is sent a 304. The user-agent will then forward its cached copy to be viewed by the end-user.

304 Redirect

Above is a check on a cached javascript file.

305 – Use Proxy

This status code is not used often. A 305 Redirect lets the user-agent know a resource must be accessed through a proxy server. The 305 should also return a proxy in the Location field.

A good example of when a 305 could potentially be used in the real world is a website using a reverse proxy to filter application-layer attacks like SQL injection with IPS filters deployed on the reverse proxy.

The host-name of the web-server could be www.acmeco.com. The physical, routable, Internet-facing IP address might be 192.168.1.129 (for examples we use IP blocks that are non-routable over the internet, to avoid using a real IP address that could be in service).

However, DNS could point to 192.168.34.12, with reverse DNS resolving to webfilter.reverseproxy-provider.net. When a request is sent to www.acmeco.com, it is first passed transparently through the reverse proxy to filter for web-bots, application-layer attacks, and DoS attacks.

What if the attacker can figure out the hops along the route and see that the destination server is really 192.168.1.129?

After firing off an HTTP request with an SQL payload to the listening web-daemon on 192.168.1.129, a **305 Use Proxy** is returned, forcing the user-agent to redirect through the reverse proxy and not allowing any access to the underlying web-application.

Most web browsers will not obey a 305 Redirect for security reasons. In the above example, this would still be 100% acceptable for the outcome of protecting the web-application, because legitimate users will be using www.acmeco.com and letting traffic route through the reverse proxy with IPS filters.

Again, above is a hypothetical scenario where a 305 Redirect may work well. However, the 305 is not seen too often in the real world.

307 – Temporary Redirect

The 307 is similar to the 302 but requires the same request method be used on the redirected URI. This would be used, for example, when a POST request needs to be sent to another URI.

With a 302 a GET request should be used to obtain the redirected URI.
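The 303 upload flow and the 302/307 difference described above, as an added Python example that is not from the original post: it walks a redirect chain over a table of constructed responses, applies the method handling common user-agents use, and stops on loops. The hosts, paths, response table and function names are assumptions made for the example.

```python
from urllib.parse import urljoin

REDIRECTS = (301, 302, 303, 307)

# Constructed responses keyed by (method, URL) -> (status, Location).
# Hosts and paths are hypothetical.
RESPONSES = {
    ("POST", "https://www.example.test/files"): (303, "/files/status/42"),
    ("GET", "https://www.example.test/files/status/42"): (200, None),
    ("POST", "https://www.example.test/orders"): (307, "https://api.example.test/orders"),
    ("POST", "https://api.example.test/orders"): (201, None),
    ("GET", "https://www.example.test/a"): (302, "/b"),
    ("GET", "https://www.example.test/b"): (302, "/a"),
}


def next_method(status, method):
    """Method a user-agent uses for the follow-up request."""
    if status == 303 and method != "HEAD":
        return "GET"          # See Other: fetch the new URI with GET
    if status in (301, 302) and method == "POST":
        return "GET"          # long-standing user-agent behaviour
    return method             # 307 keeps the method (and the body)


def follow(method, url, responses=RESPONSES, max_hops=5):
    """Return the (method, url, status) hops of a redirect chain."""
    hops, seen = [], set()
    while True:
        if (method, url) in seen:
            raise RuntimeError("redirect loop at " + url)
        if len(hops) >= max_hops:
            raise RuntimeError("too many redirects")
        seen.add((method, url))
        status, location = responses[(method, url)]
        hops.append((method, url, status))
        # 304 (use the cached copy) and 305 (not followed) end the walk here.
        if status not in REDIRECTS or not location:
            return hops
        url = urljoin(url, location)   # Location may be relative
        method = next_method(status, method)


if __name__ == "__main__":
    for start in [("POST", "https://www.example.test/files"),
                  ("POST", "https://www.example.test/orders")]:
        print(follow(*start))
```
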

Next.

Ultimate Guide to Understanding HTTP Status Codes – 400 Series. 400 series request codes deal with malformed and unserviceable requests from a user-agent. Whenever a 400 series is encountered the problem is usually on the client side.