HTTP Redirect Checker

Trace a website's full redirect chain across all four entry points — HTTP and HTTPS, www and non-www. Verify HTTPS upgrades, detect redirect loops, and confirm all variants converge on a single canonical URL.

What are HTTP redirects?

An HTTP redirect is a server response that tells the browser or search engine to navigate to a different URL. When a server returns a 3xx status code along with a Location header, the client automatically makes a new request to the destination. The original URL is effectively forwarded.

Redirects are used to upgrade plain HTTP traffic to HTTPS, to consolidate www and non-www variants onto a single canonical URL, to handle domain migrations, and to preserve old URLs when site structure changes. When configured well, redirects are invisible to users. When misconfigured, they cause loops, broken pages, or slow load times.

Why test all four variants? A visitor might type http://example.com, https://example.com, http://www.example.com, or https://www.example.com. A well-configured site handles all four gracefully, redirecting each to the same canonical URL. This tool tests all four simultaneously to surface any inconsistencies.

301 vs 302 vs 307 vs 308 — which redirect type to use

The HTTP status code in a redirect determines whether it is permanent or temporary, and whether the browser preserves the original request method. Choosing the wrong type can hurt performance, SEO authority, or browser caching behavior.

CodeTypeMethod Preserved?Browser Caches?Use For
301 Moved Permanently No (GET/HEAD only) Yes HTTP → HTTPS, domain migrations, permanent URL changes
302 Found (Temporary) No No Temporary redirects only (maintenance, A/B tests)
307 Temporary Redirect Yes No Temporary redirect where method must be preserved (e.g. POST)
308 Permanent Redirect Yes Yes Permanent redirect where method must be preserved

For standard HTTP → HTTPS and www canonicalization redirects, 301 is the correct choice. It is permanent, browser-cached, and transfers SEO authority to the destination. Use 302 or 307 only when the redirect is genuinely temporary.

What "browser cached" means

When a browser receives a 301, it stores the redirect mapping. On the next visit to the original URL, the browser skips the HTTP request entirely and goes directly to the destination. This removes one full round-trip from the page load, which matters especially on mobile networks. 302 and 307 are never cached — the browser always re-fetches and follows them.

SEO authority transfer

A 301 redirect transfers essentially all link equity ("PageRank") from the old URL to the new URL. This is important for domain migrations and HTTPS upgrades — links pointing to the old URL count toward the new URL's ranking. A 302 redirect does not reliably transfer authority. Google may continue treating the old URL as canonical if it sees 302s instead of 301s.

Why HTTP → HTTPS redirects matter for security

When a user types a domain name without a protocol prefix, or follows an old http:// link, the browser sends a plain, unencrypted HTTP request first. Without a redirect, the server might respond over plain HTTP — exposing the user's session to eavesdropping on public Wi-Fi or corporate networks.

An HTTP → HTTPS redirect ensures all traffic is automatically upgraded to TLS. The server responds to the HTTP request with a 301 and the browser immediately re-requests the page over HTTPS. This is the first line of defense for enforcing encryption, and it works even before HSTS has been established.

Enable in Nginx

server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://$host$request_uri;
}

Enable in Apache

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  Redirect 301 / https://example.com/
</VirtualHost>

In Cloudflare, enable Always Use HTTPS under SSL/TLS → Edge Certificates. This forces all HTTP traffic to HTTPS at the CDN level before it reaches your origin.

How HTTP redirects relate to HSTS

HTTP redirects and HSTS (HTTP Strict Transport Security) are complementary mechanisms — they solve the same underlying problem at different layers, and a well-configured site should use both.

HTTP redirect

A 301 from http:// to https:// upgrades the connection for users who arrive over HTTP. It works immediately from the very first visit, but it requires one HTTP request before the HTTPS connection is established. During that brief HTTP request, an attacker on the same network can theoretically intercept traffic — an SSL stripping attack.

HSTS

HSTS is a response header served from HTTPS: Strict-Transport-Security: max-age=31536000. After a browser receives this header, it caches the instruction and refuses to make HTTP requests to the domain for the duration of max-age — the browser upgrades the connection itself, before any HTTP request is sent. This closes the SSL stripping window that HTTP redirects leave open.

Best practice: Use both. A 301 HTTP → HTTPS redirect handles first-time visitors and old links. HSTS ensures that returning visitors never touch HTTP at all. The HSTS preload list takes this further: browsers ship with a list of domains that are always treated as HTTPS-only, before any connection is made. Check your HSTS configuration with the Security Headers Checker.

What causes redirect loops and how to fix them

A redirect loop occurs when a URL's redirect chain never terminates — URL A redirects to URL B which redirects back to URL A, or through a longer cycle. Browsers detect this and show "ERR_TOO_MANY_REDIRECTS". No page is loaded; the site is effectively broken for that URL variant.

Common causes

  • Conflicting www rules: origin redirects www → non-www but CDN redirects non-www → www.
  • HTTPS loop: redirect rule fires on HTTPS requests too, not just HTTP — so the HTTPS destination redirects to itself.
  • CMS misconfiguration: WordPress, Drupal, or another CMS has a site URL set to HTTP but the server forces HTTPS.
  • Cloudflare + origin mismatch: Cloudflare SSL set to "Flexible" (terminating TLS at edge) while origin sends its own redirect to HTTPS.

How to debug

  1. Test each of the four URL variants individually (this tool does this automatically).
  2. Check your web server config, CDN rules, and .htaccess files for conflicting redirect directives.
  3. In Cloudflare: check Page Rules and Redirect Rules for anything that might catch the destination URL.
  4. Add a condition to your HTTP → HTTPS rule: if ($scheme = "http") in Nginx to prevent the rule from firing on HTTPS connections.

Why excessive redirect chains hurt performance and SEO

Each redirect in a chain requires a complete HTTP request/response round trip — typically 50–300ms on a fast connection, more on mobile networks. A chain with 4 hops adds 200ms–1,200ms of latency before the page even starts loading. Google has confirmed that redirect chains longer than 5 hops may be cut off by the crawler entirely.

Chains grow over time through accumulated redirect rules. A URL restructuring adds one hop, a domain migration adds another, and an HTTPS upgrade adds another — and suddenly http://old-domain.com/page requires 4 hops to reach the canonical URL.

Fix: Whenever you add redirect rules, check whether intermediate hops can be eliminated. The target URL for any redirect should always be the final canonical destination, not another URL that itself redirects. This is called "redirect chain compression."

Canonical URLs and www vs non-www

A canonical URL is the single, authoritative version of a page that you want search engines and users to use. For most sites, this means all four URL variants (http/https × www/non-www) should ultimately redirect to the same URL — for example, all of http://example.com, https://example.com, http://www.example.com, and https://www.example.com should resolve to https://example.com/ (or https://www.example.com/ if you prefer www).

If both www and non-www serve the same content independently (without redirecting), search engines see them as separate sites. Link equity is split between them, duplicate content penalties may apply, and crawl budget is wasted. Choosing one and redirecting the other is straightforward and has a meaningful SEO benefit.

Non-www canonical (Nginx)

server {
  listen 80 default_server;
  server_name example.com www.example.com;
  return 301 https://example.com$request_uri;
}
server {
  listen 443 ssl;
  server_name www.example.com;
  return 301 https://example.com$request_uri;
}

www canonical (Apache)

# Redirect all http to https://www
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]

Frequently asked questions

What is an HTTP redirect?

An HTTP redirect is a server response that forwards the browser to a different URL. The server responds with a 3xx status code (e.g. 301, 302, 307, 308) and a Location header containing the new URL. The browser then requests the new URL automatically. Redirects are used to upgrade HTTP to HTTPS, consolidate www and non-www, preserve old URLs after restructuring, or forward old domains to new ones.

What is the difference between a 301 and 302 redirect?

A 301 (Moved Permanently) tells browsers and search engines the URL has permanently moved. Browsers cache 301s — on future visits to the original URL, the browser goes directly to the destination without a network request. Search engines transfer link authority to the new URL. A 302 (Found) is a temporary redirect — browsers do not cache it and refetch the redirect on every visit, adding latency. Search engines may not transfer authority. Use 301 for HTTP → HTTPS upgrades and permanent URL changes. Use 302 only for genuinely temporary situations like maintenance pages or A/B tests.

What is a redirect loop and how do I fix it?

A redirect loop occurs when URL A redirects to URL B which redirects back to URL A (or through a longer cycle). Browsers detect this and show ERR_TOO_MANY_REDIRECTS — the page is completely unreachable. Common causes: conflicting www ↔ non-www rules that fire in both directions, HTTPS redirect rules that accidentally also fire on HTTPS requests, or a CDN rule that conflicts with the origin server's redirect. Fix: test each of the four URL variants, trace where each redirect rule applies, and add conditional logic (e.g. if ($scheme = "http")) to prevent rules from firing on the wrong protocol.

What is the difference between an HTTP redirect and HSTS?

HTTP redirects (e.g. 301 from http:// to https://) upgrade the connection for users who arrive over HTTP by sending them to the HTTPS version. This requires one HTTP request before the HTTPS connection is established. HSTS (HTTP Strict Transport Security) is a response header that tells browsers to always use HTTPS for the domain in future — the browser upgrades the connection itself before sending any HTTP request, eliminating the exposure window. Use both: 301 redirects for first-time visitors, HSTS to protect returning visitors completely.

How many redirects is too many?

Best practice is 2 hops or fewer per entry point. Each hop adds a full HTTP round-trip of latency (typically 50–300ms on a fast connection, more on mobile). Chains longer than 3 hops noticeably slow down first-page load. Search engines may stop following chains longer than 5 hops. If your chain is longer than 2 hops, audit your redirect rules and collapse intermediate steps. Every redirect rule's target URL should be the final canonical URL, not another URL that itself redirects.

Should I use www or non-www as my canonical domain?

Either is fine — consistency is what matters. Choose one and redirect all other variants to it with a 301. Non-www (example.com) is slightly simpler to type and is increasingly common for new sites. www (www.example.com) has a historical advantage for HSTS preloading — you can set the HSTS includeSubDomains directive on the www subdomain without affecting other subdomains. If you already have a site with www or non-www established, keep it and redirect the other — changing canonical URLs disrupts existing backlinks and search rankings.

What is an HTTPS → HTTP downgrade redirect and why is it dangerous?

An HTTPS → HTTP downgrade occurs when https://example.com redirects to http://example.com. This removes the user's encryption exactly when they are already using the secure URL, exposing the session to interception. A user who typed https:// or followed an HTTPS link ends up on unencrypted HTTP. This is a serious security misconfiguration. It is usually caused by a redirect rule that fires on all requests regardless of protocol, or a server that only serves content on port 80 and redirects HTTPS requests to HTTP.

Why does this tool test four URL variants?

Users arrive at a domain in multiple ways: direct typed entry (often without https://), bookmarks, old HTTP links, email links, and search engine results. Each of the four variants (http://domain, https://domain, http://www.domain, https://www.domain) may have a different redirect path configured. Testing all four reveals inconsistencies — for example, http://domain upgrades to HTTPS correctly but http://www.domain does not, or www and non-www converge on different final URLs. A score is only meaningful when all four paths are tested together.

Security Headers Checker
Analyze HTTP security headers including HSTS, CSP, X-Frame-Options, and more. Get a security score and fix recommendations.
SSL/TLS Certificate Checker
Inspect HTTPS certificates, check expiry dates, validate certificate chains, and verify HSTS configuration.
DNS Lookup
Query all DNS record types for any domain — A, AAAA, MX, TXT, CNAME, NS, and more.
Domain Intelligence Scanner
Comprehensive domain scan covering DNS, WHOIS, SSL, DNSSEC, IP reputation, and more in one report.