By apipark — 17 Dec 2025

Mastering `curl` Follow Redirect: A Step-by-Step Guide

curl follow redirect

The internet, in its vast and intricate design, is a dynamic landscape where resources frequently shift location. Web pages move, api endpoints evolve, and services migrate between servers. In this ever-changing environment, HTTP redirects serve as crucial signposts, guiding clients from an old or temporary location to a new, definitive one. For developers, system administrators, and anyone who regularly interacts with web services and apis from the command line, understanding and controlling how their tools handle these redirects is not just a convenience—it's an absolute necessity.

Among the pantheon of command-line utilities, curl stands as a titan. Revered for its unparalleled versatility and robust feature set, curl is the go-to tool for transferring data with URLs, supporting a plethora of protocols. Whether you're fetching a webpage, debugging an api call, or pushing data to a remote server, curl is likely your first choice. However, its default behavior regarding redirects can often be a source of confusion or unexpected results for the uninitiated. By default, curl does not automatically follow redirects, preferring to give the user explicit control over this process. This design choice, while initially surprising to some, empowers users with a level of precision and insight crucial for complex web interactions and thorough debugging.

This comprehensive guide aims to demystify curl's redirect-following capabilities, transforming you from a casual user into a master of its redirect-handling options. We will embark on a detailed journey, starting with the fundamental concepts of HTTP redirects, moving through curl's basic and advanced redirect features, and culminating in practical scenarios and best practices. We'll explore the nuances of HTTP status codes, delve into how curl interprets and acts upon these signals, and demonstrate how to wield its powerful options like --location (-L), --max-redirs, and --write-out to gain granular control over the redirect process. Furthermore, we will contextualize these functionalities within the broader ecosystem of web services and api management, demonstrating their critical role when interacting with modern api architectures, including those safeguarded and managed by sophisticated api gateway solutions. Prepare to unlock a deeper understanding of curl, enhancing your ability to interact with the web with confidence and precision.

Part 1: The Fundamentals of HTTP Redirects

Before we delve into curl's specific mechanisms, it's paramount to grasp the underlying principles of HTTP redirects. These are not merely server-side whims but standardized instructions within the HTTP protocol, designed to guide clients (like web browsers or curl) to a new resource location.

What is a Redirect?

At its core, an HTTP redirect is a server's response indicating that the resource requested by the client is no longer available at the original URL or that it should be accessed at a different URL for various reasons. Instead of serving the content directly, the server sends back a special HTTP status code (in the 3xx range) and a Location header, which contains the URL of the new resource. The client then, if configured to do so, makes a new request to this new URL. This process can happen once or form a chain, where one redirect leads to another, eventually resolving to the final resource.

Consider a scenario where a website owner decides to change the URL structure of their blog posts. Instead of breaking all existing links, they implement redirects. When an old URL is requested, the server responds with a redirect, pointing the client to the new, updated URL. This ensures a seamless experience for users and maintains the integrity of web links. Similarly, in the world of apis, a service might be moved to a different subdomain, or a specific version of an api might be deprecated, with all requests being redirected to a newer version.

HTTP Status Codes for Redirects

The HTTP protocol defines a range of 3xx status codes, each conveying a slightly different meaning and implying specific client behaviors, especially concerning how request methods (like GET, POST) should be handled. Understanding these distinctions is crucial for robust web interactions.

301 Moved Permanently: This is the definitive "moved house" sign. A 301 status code indicates that the requested resource has been permanently assigned a new URI. Any future references to this resource should use one of the returned URIs. Clients (like browsers and curl when following redirects) are expected to automatically redirect to the new URL specified in the Location header. Importantly, for GET requests, the method typically remains GET. For POST requests, historically, some clients might change the method to GET on the subsequent request, though the RFCs allow for preserving POST, leading to inconsistencies. Modern curl tries to preserve the method for 301 POSTs unless explicitly told otherwise or if Location suggests a GET. This is critical for apis, where a POST to a permanently moved endpoint should ideally still be a POST to the new location.
302 Found (formerly Moved Temporarily): The 302 status code signifies that the resource resides temporarily under a different URI. The client should continue to use the original URI for future requests. Historically, this status code was often misapplied, with many user agents implementing it as a 303 "See Other," meaning they would switch the method to GET for the subsequent request, even if the original was a POST. This behavior, though common, was not strictly in line with early RFCs. Due to widespread browser behavior, it's often treated as changing a POST to a GET, which can be problematic for api interactions where the method must be preserved.
303 See Other: This redirect explicitly instructs the client to retrieve the requested resource using a GET request at a different URI. It is primarily used to redirect the client after a POST request, preventing the user from refreshing the page and resubmitting the form. This is the clearest instruction for a client to change the request method from POST to GET for the subsequent request to the Location header. When apis use this, it often signals a successful operation that results in a resource that can then be viewed with a GET.
307 Temporary Redirect: Introduced in HTTP/1.1, the 307 status code is similar to 302, indicating a temporary redirect. The key distinction is that the client must not change the request method when reissuing the request to the Location URI. If the original request was a POST, the subsequent request must also be a POST. This addresses the ambiguity and non-standard behavior often associated with 302, providing a clear directive for method preservation during temporary redirects. This is vital for api developers who need to ensure the integrity of POST, PUT, or DELETE operations across redirects.
308 Permanent Redirect: Added in RFC 7538, the 308 status code is the permanent counterpart to 307. It's similar to 301 but with the crucial difference that the client must not change the request method when reissuing the request to the Location URI. If the original request was a POST, the subsequent request must also be a POST to the new permanent location. This clarifies the behavior for permanent redirects, ensuring method preservation and addressing the historical ambiguities of 301 with non-GET requests.
Other 3xx Codes (Less Common/Deprecated):
- 300 Multiple Choices: The requested resource has multiple representations, each with its own specific location. The client (or user) can choose among them. Rarely used by automated tools.
- 304 Not Modified: Not a redirect in the sense of sending to a new URL, but an instruction to the client that the cached version of the resource is still valid.
- 305 Use Proxy: The requested resource must be accessed through the proxy given by the Location field. Deprecated due to security concerns.
- 306 (Unused): No longer used, was previously "Switch Proxy."

How Redirects Work: Client-Server Interaction

The redirect process is a delicate dance between the client and the server. 1. Client Request: A client (e.g., curl) sends an HTTP request for a resource at http://example.com/old-path. 2. Server Response (Redirect): The server, instead of returning the resource, responds with a 3xx status code (e.g., 301) and a Location header: Location: http://example.com/new-path. 3. Client Processing: * If the client is configured to follow redirects, it extracts the new URL from the Location header. * It then constructs a new HTTP request to http://example.com/new-path. The method for this new request might be modified depending on the 3xx status code received (e.g., POST to GET for 303). * The original request's headers (excluding connection-specific ones) and body (if any) might be resent or modified. 4. New Server Response: The server at the new URL (or the original server, now serving the content from the new path) responds with the actual resource (e.g., a 200 OK status code and the content). 5. Client Receives Final Content: The client receives and processes this final response.

This multi-step process, often invisible to the end-user in a browser, is fundamental to how the web maintains its flexibility and resilience. For command-line tools like curl, this entire chain of events becomes explicitly visible and controllable, offering powerful diagnostic capabilities.

Why Redirects Are Used

Redirects are indispensable for a multitude of reasons across the web, from simple website maintenance to complex api routing.

URL Changes and Site Restructuring: When a website or api undergoes a redesign or restructuring, URLs often change. Redirects ensure that old links continue to work, preventing broken links (404 Not Found) and preserving search engine rankings.
Canonical URLs: Websites might be accessible via multiple URLs (e.g., http://example.com, http://www.example.com, https://example.com). Redirects consolidate these into a single "canonical" URL, which helps with SEO and avoids duplicate content issues.
HTTPS Enforcement: A common security practice is to redirect all HTTP traffic to HTTPS. When a user or an api client attempts to access http://secure-api.com/data, a 301 or 307 redirect might guide them to https://secure-api.com/data. This is a critical gateway security function.
Load Balancing and Server Migration: In large-scale deployments, requests might be redirected to different servers to balance load or during server maintenance/migration. An api gateway might use redirects to point clients to the least loaded backend service or to a temporary maintenance page.
Authentication and Authorization Flows: Complex authentication protocols like OAuth often involve multiple redirects between the client, authorization server, and resource server.
Temporary Resource Availability: A resource might be temporarily unavailable at its primary location and redirected to a mirror or backup. A 302 or 307 status code signals this transient change.
A/B Testing: Redirects can be used to direct a subset of users to an experimental version of a page or api endpoint for A/B testing purposes.

Understanding these foundational aspects of HTTP redirects provides the essential context for mastering curl's capabilities, allowing for more intelligent and effective command-line interactions.

Part 2: Introducing `curl` and Its Default Behavior

With a solid understanding of HTTP redirects, we can now turn our attention to curl itself, a utility whose power lies in its precise control over the HTTP protocol.

What is `curl`?

curl (Client for URLs) is a command-line tool and library for transferring data with URLs. Developed by Daniel Stenberg, it's open-source, highly portable, and incredibly versatile. It supports a vast array of protocols, including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, LDAP, LDAPS, DICT, TELNET, GOPHER, FILE, and more. This makes it an indispensable tool for almost any task involving network data transfer, from downloading files and interacting with web services to debugging network issues and testing api endpoints.

Unlike a web browser, which abstracts away much of the underlying HTTP interaction, curl exposes these details, giving users fine-grained control over every aspect of a request. This transparency is invaluable for developers who need to understand exactly what is happening at the HTTP layer, making it an essential companion for anyone working with apis, web servers, or network diagnostics.

Basic `curl` Usage

The most fundamental use of curl is to fetch the content of a URL, much like a minimalist web browser.

curl http://example.com

This command will send a GET request to http://example.com and print the raw HTML content of the page to your standard output (terminal). You can add options to this basic command to control various aspects, such as headers (-H), request methods (-X), data (-d), and, most pertinent to our discussion, redirect handling.

`curl`'s Default Behavior with Redirects

One of the most crucial characteristics of curl, and often a point of initial confusion for new users, is its default stance on HTTP redirects: curl does not follow redirects automatically.

When curl sends a request to a URL and the server responds with a 3xx status code (e.g., 301, 302, 303, 307, 308), curl will simply report that status code along with the response headers and body (which often contains a small message and the Location header). It will then terminate, without making a subsequent request to the new URL specified in the Location header.

Let's illustrate this with an example. Many websites redirect http requests to their https equivalent for security. Suppose http://google.com redirects to https://www.google.com.

curl http://google.com

If you run this command, you might expect to see Google's homepage. Instead, you'll likely receive output similar to this (though the exact content can vary):

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

What you see is the response from the original server, indicating a 301 redirect. To make this clearer, let's use the verbose flag (-v) to show the full request and response headers:

curl -v http://google.com

Output (simplified for brevity, actual output will be more detailed):

*   Trying 142.250.72.78:80...
* Connected to google.com (142.250.72.78) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 04 Jan 2024 10:00:00 GMT
< Expires: Sat, 03 Feb 2024 10:00:00 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 220
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact

Notice the line < HTTP/1.1 301 Moved Permanently and the < Location: https://www.google.com/. curl receives this, prints it out, and then gracefully exits. It does not automatically make another request to https://www.google.com/. This behavior is crucial for debugging and understanding the exact path a request takes.

Why the Default is Not to Follow

This default behavior, while initially seeming less convenient than a browser's automatic redirect following, is a deliberate design choice with several important justifications:

Security: Automatically following redirects can expose a client to malicious redirects, potentially leading to unintended destinations, phishing sites, or even downloading unwanted content from unknown sources. By default, curl makes you aware of any redirect before proceeding. This is especially important when interacting with public apis, where unexpected redirects could indicate a compromised api gateway or endpoint.
Control and Transparency: Developers and system administrators often need to know the exact sequence of HTTP responses. curl's default behavior provides this transparency, allowing them to examine each redirect step, including the status code and Location header, to diagnose issues, understand api routing, or verify security policies. When interacting with an api gateway, understanding the initial redirect response can tell you a lot about how the gateway is processing your request before it even reaches the backend service.
Preventing Infinite Loops: Without limits, automatically following redirects could lead to infinite redirect loops, where servers redirect clients back and forth indefinitely. This would cause curl to hang or consume excessive resources. By default, curl stops at the first redirect, putting the onus on the user to decide how to proceed, or to set explicit limits.
Performance Considerations: Each redirect adds latency as it requires a new DNS lookup, TCP connection, and HTTP request. Automatically following an unknown number of redirects could significantly slow down operations, especially in automated scripts where performance is key.
Debugging Complex Architectures: In microservices environments or when an api is exposed through an api gateway or load balancer, redirects can be part of the complex routing logic. Observing each redirect step is vital for debugging how a request traverses the infrastructure. For example, an api gateway might issue a 307 redirect to an internal service, and knowing this helps verify the gateway's configuration.

While curl's default might seem less "user-friendly" at first glance compared to a web browser, it provides a powerful foundation for precise control, making it an indispensable tool for anyone who needs to fully understand and manage their HTTP interactions. The next part will explore how to explicitly enable and control this redirect following behavior.

Part 3: The `--location` (or `-L`) Option: Following Redirects

Having understood curl's default behavior of not following redirects, we now arrive at the core feature for enabling this functionality: the --location or its shorthand -L option. This single option transforms curl's behavior, making it automatically re-issue requests to new URLs specified in Location headers.

Enabling Redirect Following: `--location` (`-L`)

The -L flag instructs curl to follow any Location: header that the server sends as part of a 3xx redirect response. When curl encounters a 301, 302, 303, 307, or 308 status code, it will parse the Location header, extract the new URL, and then automatically initiate a new request to that URL. This process continues until a non-3xx status code is received (e.g., 200 OK, 404 Not Found, 500 Internal Server Error) or until a configured redirect limit is reached.

Let's revisit our http://google.com example, but this time with -L:

curl -L http://google.com

Now, instead of the 301 HTML message, you will likely see the full HTML content of Google's homepage (https://www.google.com). curl has silently performed the redirect for you.

To fully appreciate what's happening, combining -L with the verbose flag (-v) is incredibly insightful. This will show you each step of the redirect chain:

curl -L -v http://google.com

Abridged Output:

*   Trying 142.250.72.78:80...
* Connected to google.com (142.250.72.78) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/  # <-- Here's the redirect instruction
< Content-Type: text/html; charset=UTF-8
... (other headers) ...
* Issue another request to this URL: 'https://www.google.com/' # <-- curl's internal action
* Closing connection 0
*   Trying 142.250.72.78:443... # <-- New connection, this time to HTTPS
* Connected to www.google.com (142.250.72.78) port 443 (#1)
* ALPN: offers h2,http/1.1
* Cipher: TLS_AES_128_GCM_SHA256
* HPMN: Negotiated HTTP/2 # <-- Often, HTTPS connections use HTTP/2
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.88.1
> accept: */*
>
< HTTP/2 200 # <-- Final successful response
< date: Thu, 04 Jan 2024 10:00:00 GMT
< expires: -1
< cache-control: private, max-age=0
... (other headers and HTML body) ...
* Connection #1 to host www.google.com left intact

From this verbose output, you can clearly see: 1. The initial request to http://google.com (port 80). 2. The server's 301 response with the Location header pointing to https://www.google.com/. 3. curl internally recognizes this, closes the first connection, and initiates a new request. 4. The new request is made to https://www.google.com/ (port 443), potentially using HTTP/2. 5. Finally, the server responds with a 200 OK, and curl displays the content.

This detailed view is incredibly powerful for debugging and understanding network flows, especially when dealing with complex api endpoints that might involve multiple redirects through an api gateway or load balancer.

How `-L` Works Internally

When -L is active, curl maintains an internal state machine that monitors the HTTP status codes. 1. Receive Response: After sending a request, curl reads the server's response, including the status code and headers. 2. Check for Redirect: If the status code is in the 3xx range, curl checks if the Location header is present. 3. Extract New URL: If Location is found, curl extracts the new URI. It handles both absolute URLs (e.g., https://example.com/new) and relative URLs (e.g., /new-path, which curl resolves against the original request's base URL). 4. Prepare New Request: curl then constructs a new request. Crucially, it re-evaluates the HTTP method (GET, POST, etc.) and potentially clears or modifies certain headers (e.g., Host header will be updated for the new domain). 5. Re-issue Request: The new request is sent to the extracted URL. 6. Loop or Terminate: This process repeats until a non-3xx status code is received, an error occurs (e.g., network failure), or the maximum number of redirects (which we'll discuss later) is exceeded.

Understanding HTTP Methods and Redirects with `-L`

The most intricate aspect of redirect following with curl -L involves how HTTP request methods are handled across different 3xx status codes. This is where a deep understanding of the HTTP specification, and curl's implementation, becomes vital for api development and testing.

GET Requests: For GET requests, curl -L will consistently use GET for all subsequent redirect requests, regardless of the 3xx status code. This is the most straightforward scenario.
POST Requests and Method Changes: This is where complexity arises.
- 301 Moved Permanently: Historically, for a POST request followed by a 301, many clients (including older browsers and curl versions) would change the subsequent request method to GET. This was due to the ambiguity in earlier RFCs and widespread browser behavior. However, RFC 7231 (HTTP/1.1 Semantics and Content) clarifies that a 301 can preserve the original method, but clients may change a POST to a GET. Modern curl (version 7.58.0 and later) attempts to preserve the POST method by default for 301 redirects, unless the Location header implies a GET. To explicitly force POST preservation for 301, you would use --post301 (though often not needed anymore with recent curl versions).
- 302 Found: Similar to 301, 302 historically caused widespread client behavior of changing a POST to a GET, despite RFCs allowing preservation. curl -L will change a POST to a GET for 302 redirects by default. If you need to preserve the POST method across a 302 redirect, you must use the --post302 option.
- 303 See Other: This status code explicitly mandates that the subsequent request must be a GET. Therefore, curl -L will always change a POST to a GET when encountering a 303. There is no curl option to override this, as it adheres strictly to the RFC.
- 307 Temporary Redirect: This status code explicitly mandates that the client must not change the request method. If the original request was a POST, the subsequent request must also be a POST. curl -L honors this and will preserve the POST method for 307 redirects.
- 308 Permanent Redirect: Similar to 307, this status code explicitly mandates that the client must not change the request method. curl -L will preserve the POST method for 308 redirects.

Summary of Method Handling for POST with -L (Default Behavior of Modern curl):

Redirect Code	Method Change	`curl` Default (`-L`)	Required Option for POST Preservation
301	May change to GET, but RFC allows preserving. Often changes.	Preserves POST by default (modern `curl`).	`--post301` (if needed for older `curl` or specific server interpretations)
302	Often changes to GET.	Changes to GET.	`--post302`
303	Must change to GET.	Changes to GET.	N/A (cannot override)
307	Must preserve original method.	Preserves POST.	N/A
308	Must preserve original method.	Preserves POST.	N/A

This table highlights a critical point: if you are sending a POST request to an api endpoint and anticipate a 302 redirect where the server expects the subsequent request to also be a POST (which is non-standard but does occur in some implementations), you must explicitly use --post302. Otherwise, curl -L will default to sending a GET request, which could lead to incorrect api behavior or errors. This level of detail is paramount when debugging api interactions, especially those managed by an api gateway that might implement non-standard redirect logic.

Example: POST with 302 Redirect

Imagine an api endpoint that processes a form submission via POST and, upon successful processing, issues a 302 redirect to a "success" page.

If you try to debug this with curl -L -X POST -d "param=value" http://api.example.com/submit, curl will follow the 302 by sending a GET request to the success page. This might be fine if the success page just displays a message.

However, if the api intended the subsequent redirect itself to be a POST to another processing endpoint (a highly unusual but possible scenario), then you'd need:

curl -L --post302 -X POST -d "param=value" http://api.example.com/submit

This ensures curl sends POST requests for all steps in the redirect chain that are 302s.

By mastering the -L option and understanding the intricacies of HTTP method handling across different redirect codes, you gain unprecedented control over how curl navigates the complex landscape of web services and api interactions. This knowledge is not merely academic; it is directly applicable to diagnosing tricky api behaviors and ensuring your automated scripts correctly interact with web resources.

Part 4: Controlling Redirect Behavior with `curl`

While -L enables automatic redirect following, curl offers a suite of additional options that provide granular control over this process. These controls are essential for robustness, security, and precise debugging, allowing you to tailor curl's behavior to specific scenarios, particularly when interacting with apis and various gateway configurations.

Limiting the Number of Redirects: `--max-redirs <num>`

One of the most critical safeguards when following redirects is to prevent infinite loops or excessive requests. The --max-redirs <num> option allows you to specify the maximum number of redirects curl will follow before aborting. If the number of redirects exceeds <num>, curl will stop and report an error.

The default value for --max-redirs is 50. While 50 redirects are rarely encountered in legitimate web interactions, it's good practice to set a lower, more reasonable limit in automated scripts or when debugging specific api endpoints. For example, if you know an api should at most perform one redirect, you might set --max-redirs 2 (allowing the initial request and one redirect).

Example: Imagine a test URL that causes a redirect loop: http://loop.example.com redirects to http://loop.example.com/page1, which redirects back to http://loop.example.com.

Without --max-redirs, curl -L would enter an infinite loop (or until it hits the default 50).

curl -L --max-redirs 3 -v http://loop.example.com

This command would: 1. Request http://loop.example.com. 2. Receive a redirect to http://loop.example.com/page1 (1st redirect). 3. Request http://loop.example.com/page1. 4. Receive a redirect to http://loop.example.com (2nd redirect). 5. Request http://loop.example.com. 6. Receive another redirect (3rd redirect). 7. At this point, curl has followed 3 redirects, which equals --max-redirs 3. It will then report an error like Maximum (num) redirects followed and terminate.

This option is invaluable for testing api resilience, ensuring that api gateway configurations don't inadvertently create redirect loops, and protecting your scripts from hanging indefinitely.

Preventing Method Changes: `--location-trusted` (Use with Caution!)

As discussed, 301 and 302 redirects historically caused curl (and browsers) to change POST to GET, despite varying RFC interpretations. While --post301 and --post302 explicitly force POST for specific codes, there's a more encompassing option: --location-trusted.

The --location-trusted flag tells curl that it is safe to re-send the original request (including method, body, headers, and authentication) to the new Location URL, even if the hostname changes. This means: * It preserves the original request method (e.g., POST will remain POST) for all 3xx redirects (301, 302). * It sends authentication headers (like Authorization headers) to the new location, even if it's a different domain.

Example: If an api behind an api gateway uses a 302 redirect for internal routing and expects the POST body to be preserved:

curl -L --location-trusted -X POST -H "Authorization: Bearer token" -d "data=payload" http://gateway.example.com/api/v1/submit

WARNING: Use --location-trusted with extreme caution! By resending authentication credentials and potentially sensitive data to any new Location URL, even on a different domain, you could inadvertently leak sensitive information to an untrusted third party if the redirect is malicious. This option should primarily be used when you explicitly trust the entire redirect chain and understand its security implications, typically in controlled environments or with known apis.

For most cases, explicitly using --post301 or --post302 when POST preservation is needed for those specific codes is safer, as it doesn't imply re-sending all original request data indiscriminately.

Handling Authentication Across Redirects

When a redirect occurs, especially to a different domain, authentication becomes a critical concern.

Default Behavior: By default, curl will not send authentication headers (like Authorization, Cookie, Proxy-Authorization) to a new hostname if a redirect occurs. This is a security feature to prevent credential leakage.
--location-trusted: As noted, this option bypasses the security check and sends credentials to the new host. Use with caution.
Manual Approach (Safer): The safest way to handle authentication across redirects to different hosts is to design your api interaction to re-authenticate or manually extract and re-apply tokens. This often involves scripting:
1. Make the initial request (without -L).
2. Check for a 3xx status code and the Location header.
3. If a redirect occurs, parse the Location URL.
4. If the domain changes and authentication is needed, formulate a new request to the new URL, potentially with newly acquired or refreshed authentication.

This manual approach, while more complex to script, provides the highest level of security, ensuring you have full control over where your credentials are sent. When dealing with apis that might reside behind different api gateway instances or on different domains, this explicit control is vital.

Capturing Intermediate Redirect Information: `--dump-header` and `--write-out`

Debugging redirect chains effectively requires more than just seeing the final content; it demands insight into each step. curl provides powerful options to extract this intermediate information.

--dump-header <file> (-D <file>): This option tells curl to write all received HTTP response headers to the specified file. If you use it with -L, curl will write the headers for each response in the redirect chain to the file, appended sequentially. This allows you to inspect the Location header, status code, and other details of every redirect response.Example: bash curl -L -D headers.txt http://google.com After execution, headers.txt will contain the headers for the 301 response from http://google.com followed by the headers for the 200 OK response from https://www.google.com/. This provides a complete record of the HTTP conversation.
--write-out <format_string> (-w <format_string>): This is one of curl's most powerful and flexible features for scripting and automated testing. It allows you to define a custom output format using various variables that curl populates with information about the transfer. Crucially, when used with -L, it can provide details about the last redirect performed and the final URL.Common --write-out variables for redirects: * %{url_effective}: The final URL that curl ended up on after all redirects. * %{redirect_url}: The URL that curl was redirected to (from the last redirect in the chain). If no redirects happened, this is empty. * %{http_code}: The HTTP status code of the final response. * %{http_code_previous}: The HTTP status code of the response immediately preceding the final one (useful for the last redirect's code). * %{num_redirects}: The total number of redirects followed.Example: Let's get the final URL, the number of redirects, and the final HTTP status code for http://google.com: bash curl -L -s -o /dev/null -w "Final URL: %{url_effective}\nRedirects: %{num_redirects}\nFinal HTTP Code: %{http_code}\n" http://google.com (Note: -s silences progress info, -o /dev/null discards the body, so only --write-out output is seen).Output: Final URL: https://www.google.com/ Redirects: 1 Final HTTP Code: 200You can craft complex format strings to extract almost any piece of information you need, making --write-out indispensable for automated api testing and monitoring, especially when validating api gateway routing rules or checking for specific redirect behaviors. For instance, you could check if an expected number of redirects occurred, or if an api call ultimately landed on the correct versioned endpoint.

Example using `--write-out` for Redirect Chain Analysis

To get more detailed information about each step of the redirect, you would typically need to script curl in a loop, running it without -L for each step and parsing the Location header, or by analyzing the verbose output. However, for getting a summary of the entire chain, --write-out is excellent.

Let's trace a fictional api endpoint that does multiple redirects: http://api.example.com/legacy (301) -> http://api.example.com/v1/old (307) -> https://api.example.com/v2/current (200)

curl -L -s -o /dev/null -w "Initial Request: %{url_request}\n" \
     -w "Redirect Count: %{num_redirects}\n" \
     -w "Effective URL: %{url_effective}\n" \
     -w "Last Redirect URL: %{redirect_url}\n" \
     -w "Last Redirect Code: %{http_code_previous}\n" \
     -w "Final Status Code: %{http_code}\n" \
     http://api.example.com/legacy

(Assume api.example.com exists and is configured with these redirects)

Output might look like:

Initial Request: http://api.example.com/legacy
Redirect Count: 2
Effective URL: https://api.example.com/v2/current
Last Redirect URL: https://api.example.com/v2/current
Last Redirect Code: 307
Final Status Code: 200

This output provides a concise summary of the redirect journey, enabling quick validation of api routing and gateway configurations without parsing verbose logs manually. Mastering --write-out is key for developing robust scripts that interact with dynamic web services.

APIPark is a high-performance AI gateway that allows you to securely access the most comprehensive LLM APIs globally on the APIPark platform, including OpenAI, Anthropic, Mistral, Llama2, Google Gemini, and more.Try APIPark now! 👇👇👇

Install APIPark – it’s free

Part 5: Advanced `curl` Redirect Scenarios and Best Practices

Beyond the basic enabling and limiting of redirects, curl offers nuanced control and requires careful consideration for various advanced scenarios. These situations often arise in real-world api development and system administration, where understanding the intricacies of curl's behavior can prevent frustration and enhance debugging efficiency.

Relative Redirects

Servers often issue relative URLs in their Location headers (e.g., /new-path instead of https://example.com/new-path). curl handles these gracefully when -L is enabled. It automatically resolves relative URLs against the base URL of the request that received the redirect.

Example: If http://example.com/old responds with Location: /new, curl will resolve this to http://example.com/new. If https://sub.example.com/v1 responds with Location: ../v2, curl will resolve this to https://sub.example.com/v2.

This automatic resolution is generally convenient, but it's important to be aware of how curl constructs the new URL, especially if the original URL itself has multiple path segments. curl uses the basename of the redirecting URL to resolve relative paths.

HTTPS to HTTP Redirects (and Vice-Versa)

Redirects can occur between different schemes (HTTP and HTTPS). * HTTP to HTTPS: This is a very common and recommended security practice (e.g., http://example.com redirects to https://example.com). curl -L handles this seamlessly, initiating a new secure connection. This often indicates an api gateway or web server enforcing security. * HTTPS to HTTP: While technically possible, redirecting from HTTPS to HTTP is a major security risk as it downgrades the connection from encrypted to unencrypted. You should be extremely cautious if you encounter such a redirect, as it could indicate a misconfigured server, a compromised api endpoint, or a malicious attack. curl -L will still follow this, but you should be vigilant, especially when inspecting verbose output. Always prioritize secure connections, especially when dealing with sensitive api traffic.

Infinite Redirect Loops

An infinite redirect loop occurs when a series of redirects leads back to a URL already visited in the same chain, creating a never-ending cycle. This can happen due to misconfigured servers, api gateway routing errors, or caching issues.

How to detect: * --max-redirs: The most direct way to prevent and detect these loops is by setting a reasonable limit with --max-redirs. curl will error out when the limit is hit, indicating a potential loop. * --verbose (-v): The verbose output will clearly show curl repeatedly requesting the same URLs in a cycle. * --write-out: You can use %{url_effective} and %{num_redirects} in your scripts to identify if curl keeps changing URLs in an unexpected loop or if the num_redirects grows beyond a reasonable threshold.

Troubleshooting: * Check server logs for the redirecting paths. * Inspect .htaccess files or web server (Nginx/Apache) configurations. * Review api gateway routing rules and traffic management policies for misconfigurations. * Clear browser or curl's cookie cache, as cookies can sometimes influence redirect logic.

Cookies and Redirects

Cookies are often integral to web sessions and api authentication. curl's behavior with cookies across redirects is important: * Within the Same Domain: By default, curl -L will retain and send cookies received from the initial domain to subsequent redirect URLs within the same domain. For example, if example.com/login sets a session cookie and redirects to example.com/dashboard, the cookie will be sent to /dashboard. * Across Different Domains: curl is generally cautious about sending cookies to new, unrelated domains after a redirect. If a cookie's domain attribute is set for old.example.com, curl will not automatically send it to new.another.com unless specifically instructed or if the cookie's domain attribute allows it (e.g., a top-level domain cookie might apply to subdomains). * Explicit Cookie Management: For fine-grained control, use: * --cookie <file> or --cookie "name=value": To send specific cookies with your request. * --cookie-jar <file>: To save all received cookies to a file after the transfer and load them for subsequent requests. This is very useful for managing session tokens across multi-step api workflows, especially if an api gateway is involved in session management.

Example: Capturing and Re-using Cookies across redirects

# 1. Login to an API, capture session cookie
curl -s -D headers_login.txt --cookie-jar cookies.txt -X POST -d "user=test&pass=secret" https://auth.example.com/login
# Assume it redirects to /dashboard and sets a session cookie

# 2. Access a protected resource, using the captured cookie
curl -L --cookie cookies.txt https://api.example.com/protected_data

This ensures that the api request for protected_data carries the necessary authentication cookie, even if the /protected_data endpoint itself issues further redirects.

HTTP/2 and Redirects

The introduction of HTTP/2 (and now HTTP/3) primarily optimizes the transport layer (how data frames are sent over a single connection) but does not fundamentally alter the application-layer semantics of HTTP status codes or redirects. A 301 redirect still means the same thing, regardless of whether it's delivered over HTTP/1.1 or HTTP/2.

curl supports HTTP/2 (and HTTP/3) and will use it if the server supports it and the connection is HTTPS. When -L is used, curl will follow redirects, and if the new Location URL points to an HTTPS resource, it will attempt to negotiate an HTTP/2 connection if possible. So, your redirect logic remains consistent across HTTP versions.

Performance Considerations

Each redirect in a chain adds overhead: * DNS Resolution: A new DNS lookup might be required if the redirect is to a different hostname. * TCP Connection Establishment: A new TCP handshake is needed for each unique host/port. * TLS Handshake: For HTTPS redirects, a full TLS handshake adds significant latency. * HTTP Request/Response Cycle: Each redirect is a full request-response cycle.

While a single redirect is usually negligible for user experience, long redirect chains (e.g., 5+ redirects) can noticeably impact page load times or api response latency. From an api design perspective, minimizing redirects is a best practice, especially in high-performance or low-latency apis. api gateways should also be configured to minimize internal redirects to optimize performance. Regularly using curl -L -v and monitoring num_redirects with --write-out can help identify performance bottlenecks caused by excessive redirects.

When Not to Follow Redirects

Despite the convenience of -L, there are crucial times when you should intentionally avoid following redirects: * Debugging Initial Response: You need to see the exact 3xx status code and Location header returned by the first server, without curl obscuring it by making a follow-up request. This is often the case when debugging why an api call is redirecting in the first place, or if a specific api gateway rule is triggering an unexpected redirect. * Security Audits: To specifically identify redirect chains that lead to insecure protocols (HTTPS to HTTP), or to understand if a malicious redirect is attempting to send you to an untrusted domain. * Verifying Redirect Logic: To ensure that a server or api gateway is issuing the correct type of 3xx redirect (e.g., a 301 instead of a 302 for permanent moves, or a 307 for temporary POST preservation). * Resource Inspection: Sometimes, the server's response to a 3xx status code might contain valuable information before the redirect (e.g., a custom error message or a temporary holding page).

In these scenarios, simply omit the -L flag and use -v (verbose) or --dump-header to inspect the raw response.

Integrating with `api`s and Gateways

Understanding curl's redirect behavior is absolutely foundational when interacting with modern web services and apis. The landscape of apis is complex, often involving multiple layers of abstraction, and redirects play a significant role in their operation.

api Versioning and Migration: As apis evolve, old versions might redirect to new ones. For instance, GET /api/v1/users might issue a 301 redirect to GET /api/v2/users. curl -L ensures your client automatically uses the latest endpoint, while curl -v helps confirm that the migration path is as expected. This is a common pattern managed by an api gateway.
Load Balancing and Service Discovery: An api gateway often sits in front of multiple backend services, acting as a single entry point. It might use redirects to:
- Distribute traffic to different instances of a service.
- Route requests to specialized services based on specific criteria.
- Handle failover by redirecting to a healthy backup instance. curl -L helps clients seamlessly connect to the intended backend, even if the gateway orchestrates an internal redirect.
Authentication and Authorization Flows: Complex security protocols like OAuth 2.0 or OpenID Connect heavily rely on redirects between the client, the authorization server, and the api resource server. Debugging these flows with curl -L -v is essential to understand token issuance and resource access.
Canonical api Endpoints: Just like websites, apis often have canonical URLs. For example, http://myapi.com/data might redirect to https://myapi.com/data, or myapi.com/users/ might redirect to myapi.com/users (removing the trailing slash for consistency). An api gateway might enforce these canonical forms through redirects.
Enforcing HTTPS for apis: One of the most common roles of an api gateway is to ensure all incoming traffic is secure. Any HTTP request to an api endpoint will typically be met with a 301 or 307 redirect to its HTTPS counterpart. curl -L automatically handles this security enforcement, allowing your scripts to seamlessly upgrade to secure connections.

When interacting with an api gateway, understanding curl's redirect behavior becomes even more critical. An api gateway like APIPark, an open-source AI gateway and api management platform, plays a pivotal role in managing, integrating, and deploying AI and REST services. APIPark, by virtue of being an api gateway, can itself be the source of redirects as part of its traffic management, security enforcement, or api versioning strategies. For example, if APIPark is configured to redirect all /v1 requests to /v2 for a specific service, or to enforce HTTPS, or even to redirect to an OAuth provider for authentication, curl -L will be the tool you use to correctly access the final service endpoint. Debugging with curl -L -v against an APIPark-managed api allows developers to observe how the gateway processes and routes requests, ensuring that the api consumers are reaching the intended services and performing operations correctly. APIPark’s robust traffic management capabilities mean that understanding how curl handles redirects is directly relevant to understanding how your applications interact with the apis it manages.

Part 6: Practical Examples and Use Cases

Let's explore some tangible scenarios where mastering curl's redirect options proves invaluable. These examples highlight the utility of the commands we've discussed and provide a blueprint for common debugging and automation tasks.

Use Case 1: Checking for HTTPS Enforcement

One of the most fundamental security checks is verifying that all HTTP traffic is automatically redirected to HTTPS.

Scenario: You've deployed a new api service behind an api gateway and want to confirm that all requests to the insecure http endpoint are seamlessly upgraded to https.

curl -L -v http://example.com/your-api/endpoint

Expected Output Analysis: * You should first see an HTTP/1.1 301 Moved Permanently or 307 Temporary Redirect response. * The Location: header in this initial response should clearly point to the https:// version of your URL. * curl will then automatically make a new request to the https:// URL. * The subsequent connection information will show a TLS handshake. * Finally, you should receive an HTTP/2 200 (or HTTP/1.1 200) response from the secure endpoint.

If curl doesn't show the 3xx redirect and immediately connects to https, it might mean your http port is configured to directly proxy to https without an explicit redirect response, or that you're hitting an api gateway that silently upgrades the request. If it fails to connect, or returns an error without a redirect, then your HTTPS enforcement is not working as expected.

Use Case 2: Tracing a Shortened URL

URL shorteners (like bit.ly, tinyurl.com) work by issuing redirects. You might want to know the final destination of a shortened URL without actually visiting it in a browser.

Scenario: You receive a shortened URL in a phishing email and want to know its ultimate destination before clicking.

curl -L -s -o /dev/null -w "Final Destination: %{url_effective}\nTotal Redirects: %{num_redirects}\n" http://bit.ly/example

Expected Output Analysis: The output will directly tell you the final, long URL and how many redirects it took to get there. This is a quick and safe way to inspect suspicious links.

Use Case 3: Debugging `api` Endpoint Changes and Version Migrations

When api endpoints change (e.g., from /v1/users to /v2/customers) or are deprecated, redirects are often used to guide old clients to new resources.

Scenario: Your application is calling an old api endpoint https://api.example.com/v1/products. You suspect this endpoint is now redirecting to https://api.example.com/v2/inventory. You need to verify this and understand the redirect type.

curl -v -L --max-redirs 5 -H "Accept: application/json" https://api.example.com/v1/products

Expected Output Analysis: * Look for a 3xx response from https://api.example.com/v1/products. * Note the status code (e.g., 301 for permanent migration, 307 for temporary). * Check the Location: header to confirm it points to /v2/inventory. * Observe the final 200 OK response from the /v2/inventory endpoint.

If the redirect is a 301, your client should permanently update its reference. If it's a 307, the change is temporary. If your api call was a POST and the redirect was a 302, remember to consider --post302 if the server expects the method to be preserved. This detailed information helps you adjust your client code or update your internal documentation. An api gateway might be the entity enforcing this version migration.

Use Case 4: Monitoring Website Availability and Redirect Chains in Scripts

For automated monitoring, you might want a quick script to check if a website or api endpoint is available and how many redirects it takes to reach the final resource.

Scenario: You need a daily report on the status of several important web resources, including their redirect complexity.

#!/bin/bash

URLS=("http://important-service.com" "https://dashboard.example.com" "http://legacy-api.com/data")

for URL in "${URLS[@]}"; do
    echo "Checking $URL..."
    OUTPUT=$(curl -L -s -o /dev/null -w "URL: %{url_effective}\nRedirects: %{num_redirects}\nStatus: %{http_code}\nTime: %{time_total}s\n" "$URL")
    echo "$OUTPUT"
    echo "--------------------"
done

Expected Output Analysis: For each URL, the script will output the final URL, the count of redirects, the final HTTP status code, and the total time taken. This can be easily parsed for reporting. If num_redirects is consistently high, it flags a potential performance issue. If http_code is not 200, it indicates an error. This kind of monitoring is crucial for apis, especially those exposed through an api gateway, to ensure continuous availability and optimal routing.

Use Case 5: Testing `api` Endpoint Resilience with POST and Redirects

Testing how an api handles POST requests that involve redirects is crucial, especially concerning method preservation.

Scenario: You have an api that accepts a POST request, and upon successful processing, issues a 302 redirect to another endpoint for further processing, and this second endpoint also expects a POST.

# First, try without --post302 to see default behavior
echo "--- Testing without --post302 (expected to fail if target needs POST) ---"
curl -L -v -X POST -d '{"key":"value"}' -H "Content-Type: application/json" http://api.example.com/initial-post-endpoint

echo "--- Testing WITH --post302 (expected to succeed) ---"
curl -L --post302 -v -X POST -d '{"key":"value"}' -H "Content-Type: application/json" http://api.example.com/initial-post-endpoint

Expected Output Analysis: * In the first curl command (without --post302), after the 302 redirect, you should see curl issuing a GET request to the redirected URL. If the server at that URL expects a POST, this request will likely fail (e.g., 405 Method Not Allowed). * In the second curl command (with --post302), after the 302 redirect, you should see curl issuing a POST request to the redirected URL, preserving the original body. This should lead to a successful (e.g., 200 OK) response from the final endpoint.

This kind of precise testing is indispensable for ensuring the correct behavior of apis and for debugging subtle interaction issues, especially when an api gateway might be performing complex routing based on request methods.

Part 7: Comparison with Other Tools (Briefly)

While curl is a powerful and flexible tool, it's not the only way to interact with web resources or handle redirects. Understanding how other tools approach this can provide broader context.

`wget`

wget is another popular non-interactive network downloader. It's often used for recursive downloads or mirroring websites. * Default Behavior: Unlike curl, wget does follow redirects by default. * Controlling Redirects: * --max-redirect=N: Limits the number of redirects. * --no-follow-redirect: Prevents wget from following redirects. * Method Handling: wget is primarily designed for GET requests and may not handle POST requests and method changes across redirects as robustly or with as much control as curl.

For simple file downloads or website mirroring where redirects are expected and desired, wget can be more convenient due to its default behavior. For complex api interactions, curl's explicit control is usually preferred.

Browser Behavior

Web browsers (Chrome, Firefox, Safari, Edge) automatically and transparently follow redirects by default. This is fundamental to how they provide a seamless browsing experience. * User Transparency: Users rarely see the intermediate redirect steps unless they inspect network requests in developer tools. * Method Handling: Browsers generally adhere to the HTTP specification, changing POST to GET for 302/303, and preserving POST for 307/308. * Security: Browsers have built-in security mechanisms to detect and warn about potential redirect loops, mixed content, or dangerous redirects (e.g., HTTPS to HTTP).

While browsers make redirects invisible, curl's strength lies in making them explicit, which is crucial for development and debugging.

Programming Libraries (Python `requests`, Node.js `axios`)

Most modern HTTP client libraries in programming languages also follow redirects by default, mirroring browser behavior for convenience in application development. * Python requests: python import requests response = requests.get('http://google.com', allow_redirects=True) # True is default print(response.url) # Prints the final URL print(response.history) # Shows redirect chain You can disable allow_redirects to manually handle redirects. * Node.js axios: javascript const axios = require('axios'); axios.get('http://google.com', { maxRedirects: 5 }) // Default is 5 .then(response => { console.log(response.request.res.responseUrl); // Final URL console.log(response.request.res.redirects); // Array of redirect URLs }); These libraries offer similar control to curl through their configuration options, allowing developers to disable automatic redirects, limit their count, and inspect the redirect history. The principles of HTTP redirect codes and method handling remain consistent across all these tools, reinforcing the importance of a fundamental understanding.

Conclusion

Mastering curl's redirect-following capabilities is far more than just knowing how to add a -L to your command. It's about understanding the intricate dance of HTTP status codes, the subtle implications of method changes, and the critical importance of security and transparency in web interactions. We've journeyed through the foundational concepts of HTTP redirects, explored curl's deliberate default behavior, and delved into the powerful options that provide granular control over redirect processing.

From the simplicity of --location to the precision of --max-redirs and the diagnostic power of --write-out, curl equips you with an unparalleled toolkit for navigating the dynamic landscape of the internet. We've highlighted how these features are not merely academic exercises but are indispensable for practical tasks such as debugging api endpoints, verifying HTTPS enforcement, tracing shortened URLs, and building robust automated scripts. The nuances of handling POST requests across different 3xx redirects, and the careful consideration of security when using options like --location-trusted, underscore the need for a deep, rather than superficial, understanding.

In an ecosystem increasingly defined by interconnected apis, microservices, and sophisticated api gateway solutions, the ability to command curl with confidence is a hallmark of an adept developer or system administrator. Whether you are validating api version migrations, ensuring proper load balancing through an api gateway like APIPark, or simply ensuring your api consumers reach the correct endpoints, curl provides the clarity and control you need. Its transparency in exposing the underlying HTTP conversation is a powerful asset in an age where many layers of abstraction can obscure critical details.

By integrating the knowledge gleaned from this guide into your daily workflow, you will not only enhance your efficiency in interacting with web services but also gain a deeper appreciation for the elegant mechanics that underpin the modern web. The art of curl is, ultimately, the art of informed interaction—empowering you to observe, control, and troubleshoot HTTP communications with expert precision.

Frequently Asked Questions (FAQs)

1. What is the main reason `curl` doesn't follow redirects by default?

curl's default behavior of not following redirects is a deliberate design choice primarily for security, transparency, and control. Automatically following redirects could expose users to malicious sites, hide crucial intermediate HTTP responses needed for debugging, or lead to infinite redirect loops. By requiring explicit instruction (-L), curl ensures users are aware of and have control over the entire redirect chain, which is vital for security audits and deep debugging of web services and api interactions.

2. How can I ensure `curl` follows redirects and also see all the intermediate steps?

To make curl follow redirects, use the --location (or -L) option. To see all the intermediate request and response headers, including the Location header for each redirect, combine it with the --verbose (or -v) option: curl -L -v http://example.com. This provides a step-by-step account of the entire redirect chain, showing each 3xx status code and the new URL curl is directed to.

3. What's the difference between a 301 and a 307 redirect, especially for POST requests?

A 301 Moved Permanently indicates that the resource has been permanently moved to a new URI. Historically, clients often changed POST requests to GET for subsequent 301 redirects, though modern curl tries to preserve POST by default. A 307 Temporary Redirect, on the other hand, explicitly mandates that the client must not change the request method when reissuing the request to the Location URI. If the original request was a POST, the subsequent request must also be a POST. This makes 307 more predictable for temporary POST redirects in api interactions.

4. How can I prevent `curl` from following too many redirects or getting stuck in a loop?

You can prevent curl from following an excessive number of redirects or getting caught in an infinite loop using the --max-redirs <num> option. This sets a maximum limit on the number of redirects curl will follow. For example, curl -L --max-redirs 5 http://example.com will stop after following 5 redirects, preventing it from indefinitely chasing redirects and conserving resources. This is an essential safeguard when testing apis or websites.

5. Is it safe to use `--location-trusted` for all redirects when interacting with an `api gateway`?

No, using --location-trusted should be done with extreme caution. While it ensures that curl preserves the original request method and sends authentication headers (like Authorization) to the new location, it does so even if the hostname changes. This means sensitive credentials could be leaked to an untrusted third-party domain if a redirect is compromised or misconfigured. When interacting with an api gateway or any api, it's safer to explicitly use method-preserving options like --post301 or --post302 for specific redirect codes, or manually manage authentication for cross-domain redirects, unless you have absolute trust in the entire redirect chain.

🚀You can securely and efficiently call the OpenAI API on APIPark in just two steps:

Step 1: Deploy the APIPark AI gateway in 5 minutes.

APIPark is developed based on Golang, offering strong product performance and low development and maintenance costs. You can deploy APIPark with a single command line.

curl -sSO https://download.apipark.com/install/quick-start.sh; bash quick-start.sh

In my experience, you can see the successful deployment interface within 5 to 10 minutes. Then, you can log in to APIPark using your account.

Step 2: Call the OpenAI API.

Install APIPark – it’s free

Part 1: The Fundamentals of HTTP Redirects

What is a Redirect?

HTTP Status Codes for Redirects

How Redirects Work: Client-Server Interaction

Why Redirects Are Used

Part 2: Introducing curl and Its Default Behavior

What is curl?

Basic curl Usage

curl's Default Behavior with Redirects

Why the Default is Not to Follow

Part 3: The --location (or -L) Option: Following Redirects

Enabling Redirect Following: --location (-L)

How -L Works Internally

Understanding HTTP Methods and Redirects with -L

Part 4: Controlling Redirect Behavior with curl

Limiting the Number of Redirects: --max-redirs <num>

Preventing Method Changes: --location-trusted (Use with Caution!)