Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

madeye_80512's avatar
madeye_80512
Icon for Nimbostratus rankNimbostratus
Dec 28, 2011

Proper use of http redirect codes for temporary redirects?

Hi,   I'm pretty puzzled by the question on how to correclty(*) redirect on a LTM in case of a temporary disruption of service. In case of planned works as well as in case of something seriously wr...
app sec
BIG-IP Access Policy Manager (APM)
security
madeye_80512's avatar
madeye_80512
Icon for Nimbostratus rankNimbostratus
Dec 29, 2011
Hi Aaron,

 

thank you for your reply and sorry for me being obscure out of time pressure and for asking not well founded questions.

 

 

Diving in deeper into the topic on what may be wrong with a 302 I found it connected to FUD regarding Typosquatting / url-hijacking and search engine providers. This (I'm deeply embarrased) happens mostly in the german version of wikipedia *blush*.

 

 

It seems that there were (are?) search engines who if www.something.com did a 302 to www.somethingelse.com then searchengines would conclude that the somethingelse site was only temporary and wouldn't index it, thus allowing someone to kick your site out of the searchengines by just 302ing to it.

 

The worst case for us would be if some major search engine would kick our main site out of their index because we're ourselves redirecting our shop to it during server downtime (see my OP, it is near enough to the truth regarding what we'd intend to do).

 

You can read the text(s) so that there is common sense on not using 302 any more... but this is very up to interpretional issues.

 

 

The other thing is that the http/1.1 RFC2616 itself states things about a 302 being ambiguously implemented so that some browsers would use a GET on the 302s location regardless of the original request method and that this lead to the implementation of 303 (browser should always use a GET on the location) and 307 code (browser should use original method, but verify with the user if method wasn't HEAD or GET).

 

And for my eye the RFC is VERY obscure there if you try to assume what arbitrary client browsers would do on any of these codes.

 

 

But it's not too relevant for our case because we would want the browser to do a request as a GET regardless on what method it intended beforehand.

 

So the question would rather not be if to use a 307 but if a 303 should be used. And here the RFC states that "most browsers react to a 302 as described for 303".

 

 

Given the additional bit that a 302 should be understood also by pre http/1.1 browsers, I agree that probably 302 would be the correct choice, if the concern about URL hijacking can be laid down.

 

 

It'd be great if you could ease these doubts.

 

Best regards and I wish anyone having a great start of a great new year!

 

Me.