curl -I -o /dev/null -w "%{http_code}" https://example.com
HTTP 302 Found (originally "Moved Temporarily") indicates the resource is temporarily at a different URL — clients should use the temporary URL for this request but continue using the original URL for future requests. The original URL is the canonical one; this is a temporary detour.
302 is the most-used redirect code in modern web applications because most frameworks default to it for things like post-login redirects, OAuth flows, and any "send the user somewhere after this action" pattern. The semantic meaning ("temporary") is often ignored by developers — many 302 redirects are actually permanent moves that should be 301. The wrong choice has SEO implications.
For SEO, 302 keeps the original URL in the search index and does not transfer ranking to the destination. This is correct for genuinely temporary redirects (maintenance pages, short-term campaigns) but wrong for permanent moves (use 301 instead). HTTP/1.1 also defines 307 (Temporary Redirect) which is more strictly defined than 302 — some applications prefer 307 for clarity.
After processing a POST request, redirect to a GET request for the result page (302 or 303). Prevents form re-submission on browser refresh. Standard web application pattern; the redirect itself is temporary (just for this submission flow), not a permanent URL change.
Login pages typically 302-redirect to a destination URL after successful authentication (returnUrl parameter or default landing page). OAuth flows have multiple 302 redirects between identity provider, application, and back. All temporary by nature — the URLs continue to exist for future logins.
During scheduled maintenance, 302-redirect all requests to a maintenance page. Use 302 (temporary) so search engines do not de-index your URLs while maintenance is in progress. After maintenance, redirects are removed and original URLs return.
Some A/B testing frameworks 302-redirect users to different variant URLs. Temporary by definition; the variants are alternatives being evaluated, not permanent URL changes.
Same vulnerability class as 301 open redirects — applications taking URL parameters and 302-redirecting to them without validation enable phishing attacks. The status code (301 vs 302) does not matter for the attack; the lack of validation is the issue.
Most web frameworks default to 302 for redirects. Developers using return redirect("/new-url") get 302 unless explicitly choosing 301. For permanent moves (URL restructuring, HTTPS migration, domain change), this loses SEO value.
Same vulnerability class as with 301. Validate destinations against allowlist; do not redirect to arbitrary URLs from user input.
Multiple temporary redirects in sequence cause performance issues and confuse search engines about canonical URL. Consolidate to single redirects.
Monitoring tools track redirect ratios. Sudden shift from 200 to 302 might indicate a real issue (broken handler returning redirect) or might be intentional (new redirect added). Track redirect responses by intentional vs unintentional.
303 See Other: forces GET on the redirect destination (specific to POST/Redirect/GET). 307 Temporary Redirect: preserves the original method (POST stays POST). 302 historically had ambiguous behaviour that 303 and 307 clarify. For new code, prefer 303 or 307 over 302 when the semantic difference matters.
302 responses are not cached by default (can be overridden with Cache-Control). If you have intermittent issues with stale 302 redirects, check for unexpected Cache-Control headers being added by intermediate caches or CDNs.
Redirect 302 /old-page /new-page. Nginx: return 302 /new-page;. Code (PHP): header("Location: /new-page", true, 302); exit;. Most web frameworks default to 302 for the standard "redirect" action.curl -I -L https://example.com/path shows redirect chain with status codes for each hop. Online tools like httpstatus.io check redirect chains.