What is a redirect chain?

A redirect chain is a sequence of HTTP redirects from an initial URL to a final destination. This guide explains how redirects work, their legitimate uses, and why chain depth matters for security investigations.


What it is

A redirect chain is a sequence of HTTP redirects that moves a client from an initial URL through one or more intermediate URLs before reaching a final destination. Each hop in the chain is triggered by an HTTP response with a 3xx status code and a Location header pointing to the next URL. Understanding redirect chains is foundational for analyzing malicious redirect chains used in phishing and fraud campaigns.

How redirects work

When a server returns a redirect response, the client (browser, crawler, or HTTP library) follows the Location header to the next URL. The most common redirect status codes are:

  • 301 (Moved Permanently). The resource has permanently moved to a new URL. Browsers cache this redirect.
  • 302 (Found). A temporary redirect. The client should continue using the original URL for future requests.
  • 307 (Temporary Redirect). Like 302, but explicitly preserves the HTTP method (GET stays GET, POST stays POST).
  • 308 (Permanent Redirect). Like 301, but preserves the HTTP method.

A redirect chain forms when the destination of one redirect is itself a redirect. For example: URL A → 302 → URL B → 301 → URL C → 200. The chain has two hops and three URLs.

Legitimate uses

Redirect chains are common in normal web infrastructure.

URL shorteners like bit.ly redirect from a short URL to the full destination. Marketing platforms insert tracking redirects to measure click-through rates before forwarding users. CDN and load balancer routing may redirect users to region-specific servers. HTTPS enforcement typically uses a 301 from http:// to https://. Domain migrations redirect old URLs to their equivalents on a new domain.

Client-side vs server-side redirects

Server-side redirects (3xx status codes) are handled at the HTTP level and are visible in network traffic. Client-side redirects use HTML meta refresh tags or JavaScript (window.location) to move the browser to a new location. Client-side redirects do not produce 3xx responses, making them harder to trace with standard HTTP tools. Attackers may mix both types to complicate analysis.

Chain depth in investigations

Most legitimate redirect chains are short: one or two hops. Chains with three or more hops, especially those crossing multiple unrelated domains, warrant scrutiny. Each hop adds a domain that must be investigated, and long chains are a hallmark of traffic distribution systems, affiliate fraud, and phishing infrastructure. This pattern is a key focus of threat intelligence analysis.

When following redirect chains during investigations, tools should record every URL, status code, and response header at each hop (see HTTP banners for how response metadata is used more broadly). Automated crawlers set a maximum redirect limit (browsers typically cap at around 20) to avoid infinite loops.
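As an added example (not code from the original page), the following Python tracer follows a chain one hop at a time without auto-following redirects, records URL, status, headers and hop type at every step, also catches HTML meta refresh hops, stops at a configurable cap, and applies the depth and domain heuristics from this section. The responses, hostnames and the cap of 20 are all constructed or assumed for the illustration; the meta refresh regex is a simplification that expects `content` after `http-equiv`.

```python
import re
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 20  # assumed crawler cap, in line with the ~20 browsers use

# Constructed sample responses keyed by URL: (status, headers, body).
# The hosts are placeholders, not real infrastructure.
SAMPLE_RESPONSES = {
    "http://short.example/abc": (302, {"Location": "https://track.example/click?id=1"}, ""),
    "https://track.example/click?id=1": (301, {"Location": "/landing"}, ""),
    "https://track.example/landing": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0;url=https://final.example/page">'
        '</head></html>'),
    "https://final.example/page": (200, {"Content-Type": "text/html"}, "<html>ok</html>"),
    "https://loop.example/a": (302, {"Location": "/a"}, ""),  # redirects to itself
}

# Matches <meta http-equiv="refresh" content="N;url=..."> (a client-side redirect).
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)

def fetch(url):
    """Stand-in for an HTTP client that does NOT auto-follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))

def trace_chain(start_url, fetch=fetch, max_redirects=MAX_REDIRECTS):
    """Follow a chain hop by hop, recording URL, status, headers and hop type."""
    records, url, truncated = [], start_url, False
    while True:
        status, headers, body = fetch(url)
        rec = {"url": url, "status": status, "headers": dict(headers), "kind": None}
        records.append(rec)
        if 300 <= status < 400 and "Location" in headers:
            rec["kind"], nxt = "http", urljoin(url, headers["Location"])  # server-side hop
        elif status == 200 and (m := META_REFRESH.search(body)):
            rec["kind"], nxt = "meta-refresh", urljoin(url, m.group(1))  # client-side hop
        else:
            break  # final destination (or an error) reached
        if len(records) > max_redirects:  # cap reached: stop instead of looping forever
            truncated = True
            break
        url = nxt
    hops = sum(1 for r in records if r["kind"])  # number of redirects seen
    hosts = {urlparse(r["url"]).hostname for r in records}
    return {"records": records, "final_url": records[-1]["url"], "hops": hops,
            "hosts": sorted(hosts), "truncated": truncated,
            # heuristic from the text: 3+ hops or 3+ distinct hosts warrant scrutiny
            "suspicious": hops >= 3 or len(hosts) >= 3}
```

Grouping hosts by registrable domain (eTLD+1) rather than raw hostname would need a public suffix list and is left out here.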
