curl -I -o /dev/null -w "%{http_code}" https://example.com
HTTP 301 Moved Permanently signals that the requested resource has been moved to a new URL permanently and that all future requests should use the new URL. The new URL is provided in the Location response header. Clients (browsers, search engines) update their references to the new URL; subsequent requests go directly to the new location.
301 is critical for SEO because search engines treat it as "the canonical URL has changed" — link equity and ranking signals transfer to the new URL. The wrong choice between 301 (permanent) and 302 (temporary) can cause significant SEO damage: using 302 for a permanent move means search engines keep the old URL in their index and do not transfer ranking; using 301 for a temporary move can cause the old URL to be permanently lost from the index.
From a security perspective, 301 redirects can be exploited via open redirect vulnerabilities (attacker controls the redirect destination, used in phishing campaigns to disguise malicious URLs as legitimate ones). HTTP-to-HTTPS upgrades typically use 301 to permanently move users to the secure version. Misconfigured redirect chains (301 to 301 to 301) cause performance and crawl-budget issues.
After enabling HTTPS, redirect all HTTP requests to HTTPS with a 301 (permanent move). Search engines update indexed URLs to https://; browsers cache the redirect. Combined with HSTS header on the HTTPS responses, eliminates the HTTP version entirely.
When changing URL structure (moving content, renaming pages, consolidating sections), 301 from old URLs to new URLs preserves SEO value and prevents broken links. Maintain redirect maps; do not just delete old URLs.
Moving from old-domain.com to new-domain.com — set up 301 from every old URL to its corresponding new URL. Search engines transfer rankings to the new domain. Maintain the redirects long-term (years) — search engines and bookmarks slowly update.
Multiple URLs serving the same content (with/without www, with/without trailing slash, with/without query parameters) should 301 to one canonical version. Prevents duplicate-content SEO issues. Use the rel=canonical link element AND the 301 redirect for redundancy.
Bug bounty hunters specifically test for open redirects in URL parameters. Typical pattern: find URL parameters in the application that look like they might be redirect targets (returnUrl, next, redirect, continue), set them to attacker-controlled URL, observe whether the application redirects without validation. Standard finding for many programs.
Search engines treat 302 as "temporary, keep old URL indexed". Using 302 for a permanent move keeps the old URL ranked instead of transferring rankings to the new URL. Most CMS and frameworks default to 302 unless explicitly told otherwise.
Each redirect adds latency (extra round trip). Search engines have crawl-budget limits — long chains waste budget. CDNs and browsers may stop following at 5+ redirects. Audit for chains; consolidate to single redirects.
A redirect that strips query parameters loses tracking, search context, and authentication tokens. Default to preserving query parameters unless there is a specific reason to remove them.
Code that redirects to a URL provided in a parameter without validation enables phishing attacks. Validate against allowlist or use relative URLs only.
Changing URLs without setting up redirects breaks all external links and bookmarks. Search rankings suffer. Always plan redirect maps when changing URL structure.
Mobile-specific or browser-specific redirects can be bypassed by changing User-Agent. Do not depend on User-Agent-based redirects for security; use them only for UX (mobile site vs desktop site).
Redirect 301 /old-page /new-page. Nginx: return 301 /new-page; in location block. WordPress: Redirection plugin or RankMath/Yoast redirects. Code: HTTP response with status 301 and Location header.return 301 https://$host$request_uri;. Combine with HSTS header on HTTPS responses to enforce HTTPS for future connections.