HOW TO: Check server redirects

Posted: Tue Sep 09, 2014 9:08 am
by Albert Wiersch

When I was moving a couple of sites to all HTTPS with the "www" prefix, I had to set up some Apache server redirects.

When testing the redirects, I found it useful to use CSE HTML Validator's 'Open from the Web' feature that lets you fetch a URL for validating. The progress window will show you the client/server communication and you can see if the redirect is being properly done with the proper status code, as well as check the other HTTP headers.

NOTE: You can check redirects with the free lite edition if not using HTTPS. HTTPS requires the standard or higher edition (download a free trial).

Sometimes you will notice that a redirect works, but there are many of them. You can use this to optimize the redirecting so that only 1 redirect is required (or at least fewer of them are).

As a simple example I tried opening to see if it would properly (and as expected) redirect to HTTPS from HTTP.

In the progress window, you can see the first request to the server in this line (requests, and their headers, sent to the server start with "Command>"):

Command> GET /download/ HTTP/1.1

The server then includes these two lines in the response (among other headers; headers sent from the server start with "Header>"):

Header> HTTP/1.1 301 Moved Permanently
Header> Location:

You can see here that the server is sending a header that says the request URL has permanently moved to

The progress window should then show this "Location>" line:

Location> Changing to:

The request continues with another request to the server, but this time using HTTPS:

Command> GET /download/ HTTP/1.1

And the server responds with the desired document and it is opened in the editor. There was only one redirect so that is what I expected.

If there was another redirect, then you could follow it. Ultimately a chain of redirections should get the user to the right spot, but the fewer redirections, the better.

On a related note, I also configured my Apache webserver to send this header with HTTPS requests:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

In the progress window, I saw this line:

Header> Strict-Transport-Security: max-age=31536000; includeSubDomains

Which means that the header was being added as expected. For more information on that header you can go here: ... t_Security

I realize such a header is likely not to be important for a site like, but I thought that it couldn't hurt.
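
Added example, not part of the original post and not CSE HTML Validator code: a Python script that walks a redirect chain one response at a time, as the progress window does, and reports extra hops, an HTTPS-to-HTTP hop, and a final response without an HSTS max-age. The names `head`, `hsts_max_age`, `trace` and `SAMPLE` are made up for this example, and example.com is a placeholder host.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Constructed sample responses (placeholder host), used when no live server is queried.
SAMPLE = {"http://example.com/download/": (301, {"location": "https://www.example.com/download/"}),
          "https://www.example.com/download/": (200, {"strict-transport-security": "max-age=31536000"})}

def head(url):  # one HEAD request, redirects not followed; returns (status, headers)
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, or None if absent."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip(' "').isdigit():
            return int(arg.strip(' "'))
    return None

def trace(url, fetch=head, max_hops=10):
    """Walk the chain one response at a time; returns (hops, findings)."""
    hops, findings = [], []
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append((url, status, headers.get("location")))
        if status not in REDIRECTS or "location" not in headers:
            if not url.startswith("https://"):
                findings.append("chain ends on plain HTTP")
            elif hsts_max_age(headers.get("strict-transport-security")) is None:
                findings.append("final HTTPS response has no HSTS max-age")
            break
        nxt = urljoin(url, headers["location"])  # Location may be relative
        if url.startswith("https://") and nxt.startswith("http://"):
            findings.append("HTTPS to HTTP downgrade at " + url)
        url = nxt
    else:
        findings.append("stopped after %d hops (possible loop)" % max_hops)
    redirects = sum(1 for _, s, loc in hops if s in REDIRECTS and loc)
    if redirects > 1:
        findings.append("%d redirects; one should be enough" % redirects)
    return hops, findings
```

`trace(url)` sends live HEAD requests; `trace(url, fetch=SAMPLE.__getitem__)` replays the constructed responses instead.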