Fact-checked by Grok 2 weeks ago

HTTP location

The HTTP Location header field is a response header in the Hypertext Transfer Protocol (HTTP) that specifies a reference to a associated with the response, primarily used to indicate the location of a newly created or to redirect the recipient to an alternative . Its syntax is defined as Location = URI-reference, where the value is a single -reference that may be absolute or relative, resolved against the effective request if relative. This header derives its specific meaning from the context of the request method and response status code, making it essential for standard HTTP behaviors like relocation and creation notifications. In practice, the Location header is most commonly associated with the 201 Created status code, where it is recommended to identify the primary URI of the resource resulting from a successful creation operation, such as after a POST request that generates a new entity. For redirection purposes, it appears in responses with 3xx status codes (Redirection), including 301 Moved Permanently, 302 Found, 303 See Other, 307 Temporary Redirect, and 308 Permanent Redirect, to specify the target URI for the client or user agent to follow. In these cases, the header guides automatic or manual redirection, with the choice of HTTP method for the subsequent request depending on the original method and the redirection type— for instance, GET is typically used after 303 regardless of the initial method. If the Location URI lacks a fragment identifier, it inherits the one from the original request URI to preserve context. The header's role extends beyond strict redirection; it can also appear in other contexts, such as with the 202 Accepted status code to point to a tracking an asynchronous , though this is less standardized. Defined initially in HTTP/1.1 specifications and refined in subsequent updates, the Location header ensures across HTTP versions by focusing on semantic clarity rather than transport details. User agents, including web browsers, have supported it universally since the early 2000s, enabling seamless navigation in web applications and APIs.

Overview

Definition

The Location header is a response header field in the Hypertext Transfer Protocol (HTTP) that specifies a reference to identify a specific in relation to the response, serving as an indicator for the target in scenarios such as redirection or resource location. It provides a means for servers to communicate the URI of a to clients, enabling appropriate navigation or reference without requiring additional requests in certain contexts. Defined within the semantics of HTTP as per RFC 9110, the Location header is integral to the protocol's response handling, where it is mandatory in specific response contexts to direct client behavior effectively, such as guiding user agents toward a designated . This ensures and standardized interpretation across HTTP implementations, with the header's presence influencing how clients process and act upon server responses. Technically, the Location header is classified as a single-value field, meaning it conveys exactly one reference rather than a list, and its value adheres to the URI-reference production rule from RFC 3986, allowing for either an absolute URI or a relative reference that resolves against the effective request URI. This structure supports flexibility in URI specification while maintaining precision in resource identification.

Primary Purposes

The Location header field in HTTP serves primarily to indicate the URI of a to which the client should redirect or reference following a server response. In redirection scenarios, it instructs the , such as a , to retrieve a different , often to handle cases where the requested has been moved, renamed, or temporarily relocated to an alternative endpoint. This mechanism enables seamless navigation without requiring the client to know the new location in advance. Another key purpose of the Location header is to identify the URI of a newly created in response to successful creation requests, such as those using or PUT methods. Upon successful creation, the server includes the Location header to provide the canonical URI for the new , allowing the client to immediately access, , or further interact with it. This facilitates resource management in web applications and by establishing a persistent identifier for the created entity. Unlike the Content-Location header, which specifies the of the specific of included in the response body (e.g., for negotiation), the Location header exclusively points to the target for redirection or the primary of a newly created . This distinction ensures that Location focuses on navigational or identificatory intent rather than describing the 's origin or . User agents are expected to resolve the URI provided in the Location header relative to the original request URI if it is relative, and to follow it automatically in appropriate contexts, thereby maintaining the flow of the HTTP interaction without user intervention. This behavior promotes efficient resource location and retrieval in distributed systems.

Syntax and Format

Header Structure

The Location header field in HTTP provides a means to specify a URI reference associated with the response, typically indicating the location of a redirected or newly created resource. According to RFC 9110, its syntax is defined as Location = URI-reference, where the value adheres to the Augmented Backus-Naur Form (ABNF) notation and represents a single URI reference as specified in RFC 3986. This allows for absolute URIs, relative references, or URI references including fragments, enabling flexible indication of resource locations without mandating full absolute paths in every case. In HTTP message format, the header appears as a standard response header field line, structured as Location: <URI-reference>, where the field name "" is case-insensitive per HTTP conventions in RFC 9110. Leading and trailing whitespace around the field value is typically ignored or trimmed during parsing, though the value itself should not include unencoded control characters to maintain compliance. Servers generate this header in responses where redirection or resource creation semantics apply, ensuring the value is a well-formed URI reference to avoid issues. A key constraint is that the Location value must constitute a valid URI-reference; malformed or invalid values can result in clients ignoring the header, issuing errors, or failing to process the intended redirection or location indication, as clients are not obligated to handle non-conforming URIs. Regarding encoding, URI components within the value follow the percent-encoding rules outlined in RFC 3986 for representing special or reserved characters, such as spaces (encoded as %20) or non-ASCII characters, to ensure safe transmission over HTTP. This encoding preserves the integrity of the reference while allowing relative forms that resolve against the request's effective URI when necessary.

URI Types and Resolution

The Location header field in HTTP accepts a URI reference, which may be either an absolute URI or a relative reference. An absolute URI provides the complete resource identifier, including the scheme (e.g., https), authority (host and port), and path (e.g., https://example.com/path), enabling resolution without additional context. This form ensures unambiguous targeting of the resource, as defined in the generic URI syntax. Relative references in the Location header take two primary forms: path-relative or absolute-path. A path-relative reference consists of path segments without a leading slash (e.g., newpath or subdir/newpath), while an absolute-path reference begins with a slash (e.g., /newpath). These are not standalone and require resolution against a base URI. Per the HTTP semantics, relative references are resolved relative to the target URI of the original request, rather than any URI associated with the response itself. Resolution follows the algorithm in URI generic syntax, where the base URI (the request's target URI) supplies missing components like and . For an absolute-path relative reference, the replaces the base entirely while inheriting the and (e.g., /newpath appended to from the base). Path-relative references merge with the base by appending segments after removing the last base segment (e.g., newpath added to the end of the base ). Dot-segments such as ../ navigate upward in the directory hierarchy during , effectively removing preceding segments (e.g., ../ ascends one level). The resulting undergoes dot-segment removal to produce a normalized absolute form. When processing redirects via the Location header, clients normalize the resolved URI and follow the chain, using the original request URI as the base for each step. Browsers and user agents typically limit redirect chains to prevent loops, with a common recommendation of no more than 5 hops, though implementations often allow up to 30. This resolution ensures consistent resource targeting across HTTP responses.

Usage in Responses

With Redirection Status Codes

The Location header is mandatory in HTTP responses using the 3xx-series redirection codes 301 (Moved Permanently), 302 (Found), 303 (See Other), 307 (Temporary Redirect), and 308 (Permanent Redirect), where it specifies the of the new or alternative that the client should access to fulfill the original request. These codes signal to the client that further action is required, with the Location header providing the target to enable seamless relocation, either temporarily or permanently. Client behavior upon receiving a 3xx response with Location varies by the original request method and the specific status code. For safe methods such as GET and HEAD, clients SHOULD automatically follow the redirect to the URI in , preserving the method unless the code specifies otherwise (e.g., 303 mandates conversion to GET). For 307 and 308, if redirection occurs, the original method and request body (if present) must be preserved. In contrast, for unsafe methods like , clients SHOULD NOT automatically redirect without user confirmation or explicit configuration, to prevent unintended state changes; if redirection occurs, 307 and 308 require preserving the method and body, while 303 always converts to GET without reusing the body. An exception applies to the 304 (Not Modified) status code, which does not use the Location header; instead, it instructs the client to reuse its cached representation of the original request without any redirection. To prevent infinite loops in redirect chains, clients SHOULD detect and intervene in cyclical redirections, typically by tracking the sequence of followed and imposing implementation-specific limits on the number of redirects (e.g., via hop counts).

With Creation Status Codes

The Location header plays a crucial role in HTTP responses indicating successful , particularly with codes that affirm the establishment of new resources on the . In a 201 (Created) response, the SHOULD include the header to specify the of the primary created by the request, enabling clients to reference and interact with it directly. This usage commonly arises from requests that generate new resources or PUT requests that create them when the target does not previously exist, fulfilling the protocol's semantics for affirmative outcomes. For asynchronous processing scenarios, the () status code may optionally incorporate the Location header to point to a that tracks the status of the pending operation, such as a queued task or job. When present, this allows clients to poll or subscribe to updates on the request's progress without assuming immediate completion, though its inclusion depends on whether the server provides such a endpoint. Best practices for implementing the Location header in these contexts emphasize using a , URI that is immediately accessible to clients, avoiding relative references unless resolved against the request's effective URI. This approach aligns with RESTful API design principles, where the header facilitates retrieval via subsequent GET requests, promoting stateless interactions and efficient discovery of newly created entities. Clients are expected to treat the provided URI as the definitive identifier for the new , using it to access metadata, content, or perform further operations without needing additional queries to locate it.

Examples

Absolute URI Example

In a typical redirection scenario, a client issues a GET request to the resource at /old on a . The responds with a 301 Moved Permanently status code, indicating that the requested resource has been permanently relocated, and includes an absolute in the header to specify the new target. This setup ensures the client can immediately follow the redirect without needing to resolve any relative references against the original request's base . A full example of such a response header follows: 
HTTP/1.1 301 Moved Permanently
Location: [https](/page/HTTPS)://[example.com](/page/Example.com)/newpage.[html](/page/HTML)
Here, the absolute https://example.com/newpage.html fully specifies the , , and , allowing the client to directly access the new . Upon receiving this response, the client resolves and issues a subsequent request to the absolute URI provided, operating independently of the original request's base (such as the host or scheme from which /old was requested). This direct resolution promotes reliability in redirection, as the target is unambiguous and self-contained. Absolute URIs in the Location header are particularly ideal for scenarios involving cross-domain redirects or changes in protocol scheme, such as migrating from HTTP to , where preserving the exact target details is essential to avoid resolution errors or security mismatches.

Relative URI Example

In HTTP responses, the Location header can employ relative URI references to indicate a redirection target, which are resolved by the client relative to the effective request URI as defined in 3986. Consider a client requesting the resource at https://example.com/blog/post1. The server might respond with a 302 Found status code and a Location header containing a relative URI such as /newpost, an absolute-path reference that points to a new location within the same . The response header would appear as follows: 
HTTP/1.1 302 Found
Location: /newpost
Upon receiving this, the client resolves /newpost against the original request , resulting in the absolute https://example.com/newpost. Relative URIs can also use path-relative forms, such as ../category, to navigate up the directory hierarchy. For the same request to https://example.com/blog/post1, the Location header ../category resolves by removing the post1 segment (due to ..), leaving /blog/, then appending category, yielding https://example.com/blog/category. This approach with relative URIs in the Location header reduces redundancy by omitting the scheme and authority for same-origin redirects, thereby shortening the header value and simplifying server configuration, while user agents handle the normalization to absolute form transparently.

Creation URI Example

The Location header is commonly used with the 201 Created status code to indicate the URI of a newly created resource. For instance, a client sends a POST request to https://example.com/users to create a new . The server processes the request, creates the resource, and responds with a 201 and an absolute in the Location header pointing to the new . A full example of such a response header follows: 
HTTP/1.1 201 Created
Location: https://example.com/users/123
Here, the absolute URI https://example.com/users/123 identifies the primary URI of the created user resource. The client can then use this URI for further operations, such as retrieving the resource details. Relative URIs can also be used in this context, resolved against the request's target URI.

Standards and Evolution

Key RFC Specifications

The Location header field in HTTP was initially defined in RFC 2616, published in June 1999 as a Standards Track document that specified HTTP/1.1 semantics. This RFC established the header as a response field used to redirect recipients to a location other than the request URI, particularly in 201 (Created) responses to identify new resources and in 3xx redirection status codes such as 301 (Moved Permanently) and 302 (Found). It mandated that the Location value consist of a single absolute URI to ensure clients could independently resolve the target without context dependency, with syntax defined as Location = "Location" ":" absoluteURI. RFC 2616 was later obsoleted by the HTTP/1.1 specification updates in 2014. RFC 7231, published in June 2014 as part of the revised HTTP/1.1 core semantics and content on the Standards Track, refined the Location header's definition to enhance flexibility. It describes the header as a means to refer to a specific resource in relation to the response, used in 201 responses to denote the primary created resource and in 3xx responses to indicate the redirection target. Unlike its predecessor, RFC 7231 permits references, including relative forms resolved against the effective request URI, with syntax Location = URI-reference. This adjustment supports fragments and relative paths while maintaining interoperability for absolute URIs. The syntax for URIs in the Location header relies on RFC 3986, published in January 2005 as a Standards Track document defining the generic URI syntax. This RFC outlines URI components such as , , , query, and fragment, using ABNF notation like URI-reference = URI / relative-ref to specify absolute URIs and relative references resolvable via a base URI. It provides the foundational rules for parsing and normalizing Location values in HTTP, ensuring consistent resolution across implementations. RFC 9110, published in June 2022 as an Internet Standards Track document on HTTP semantics, consolidates and updates the Location header specifications from prior RFCs including 7231. It reaffirms the header's role in 201 responses for new resource URIs and 3xx responses for redirection targets, retaining the URI-reference syntax while clarifying rules for automatic client redirection based on status codes like 301, 302, and 303. This consolidation separates semantics from transport details, obsoleting RFC 7231 and related documents to streamline HTTP evolution.

Changes Across HTTP Versions

In HTTP/1.0, as defined in RFC 1945 published in 1996, the Location header provided informal support for redirects, primarily in conjunction with status codes 301 (Moved Permanently) and 302 (Moved Temporarily), where it was required to specify the new for the . The header's value was optional in broader contexts but consisted exclusively of a single absolute when used, ensuring unambiguous redirection without reliance on relative paths. With the advancement to HTTP/1.1 in RFC 2616 from 1999, the Location header became more formalized, mandating the use of absolute URIs exclusively, as relative URIs were explicitly not permitted to maintain across clients and servers. This version introduced specific requirements tying the header to additional status codes, including 201 (Created) for identifying new resources, and redirection codes such as 303 (See Other), 305 (Use Proxy), and 307 (Temporary Redirect), enhancing its role in precise resource location and method preservation during redirects. The 2014 update to HTTP/1.1 semantics in RFC 7231 relaxed the URI requirement to allow URI-references, which encompass both absolute URIs and relative references resolvable against the effective request URI, aligning the specification with longstanding implementations that already tolerated relatives. This change also incorporated guidance on loop prevention, advising clients to detect and avoid cyclical redirections by tracking redirect chains. The header's usage with status codes like 201 and various 3xx redirects remained consistent, but the flexibility in URI form improved practical deployment. In and subsequent versions, as outlined in RFC 9113 from 2022, there were no structural modifications to the header's semantics, preserving with prior HTTP/1.1 definitions. However, the protocol's binary framing and HPACK header compression mechanism enhanced transmission efficiency for headers like , reducing overhead in multiplexed streams without altering their interpretation. These evolutions, particularly the shift to permitting relative URIs in modern HTTP/1.1, have reduced server-side by avoiding redundant and components, while maintaining through support for absolute forms to accommodate legacy clients.

References

  1. [1]
    RFC 9110: HTTP Semantics
    Summary of each segment:
  2. [2]
    RFC 9110: HTTP Semantics
    Summary of each segment:
  3. [3]
    https://www.rfc-editor.org/rfc/rfc9110.html#status.3xx
  4. [4]
    https://httpwg.org/specs/rfc9110.html#field.location
  5. [5]
    https://www.rfc-editor.org/rfc/rfc9110.html#section-8.7
  6. [6]
    RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
    Summary of each segment:
  7. [7]
    RFC 3986: Uniform Resource Identifier (URI): Generic Syntax
    Summary of each segment:
  8. [8]
    https://datatracker.ietf.org/doc/html/rfc9110#section-5.1
  9. [9]
    https://datatracker.ietf.org/doc/html/rfc3986#section-2.1
  10. [10]
    https://www.rfc-editor.org/rfc/rfc3986.html#section-3
  11. [11]
    https://www.rfc-editor.org/rfc/rfc3986.html#section-5
  12. [12]
    https://www.rfc-editor.org/rfc/rfc3986.html#section-5.2
  13. [13]
    https://httpwg.org/specs/rfc9110.html#status.3xx
  14. [14]
    https://httpwg.org/specs/rfc9110.html#status.301
  15. [15]
    RFC9110
    Below is a merged summary of client behavior for 301 Redirection (Moved Permanently) based on RFC 9110, consolidating all provided segments into a single, comprehensive response. To maximize detail and clarity, I’ll use a table in CSV format for key information, followed by a narrative summary that integrates additional details not suited for the table. This ensures all information is retained while maintaining a dense and organized representation.
  16. [16]
    RFC9110
    Below is a merged summary of client behavior for the 302 (Found) status code based on RFC 9110, consolidating all provided segments into a single, dense response. To maximize detail and clarity, I’ll use a table in CSV format for key information, followed by a narrative summary that integrates additional context and considerations. This ensures all information is retained while maintaining readability.
  17. [17]
    RFC9110
    Below is a merged summary of client behavior for the 303 See Other status code based on RFC 9110, consolidating all provided segments into a single, comprehensive response. To maximize detail and clarity, I’ll use a table in CSV format to organize key information, followed by a narrative summary that ties everything together. This ensures all details are retained while maintaining readability.
  18. [18]
    RFC9110
    Below is a merged summary of client behavior for the 307 Temporary Redirect status code (as defined in RFC 9110, Section 15.3.8 and related sections). The information is consolidated into a dense, comprehensive response, utilizing a table in CSV format to capture key details efficiently while retaining all nuances from the provided segments. The response includes definitions, client behavior for safe and unsafe methods, method and content preservation rules, and additional considerations, along with useful URLs.
  19. [19]
    https://httpwg.org/specs/rfc9110.html#safe.methods
  20. [20]
    https://httpwg.org/specs/rfc9110.html#status.304
  21. [21]
    RFC9110
    Below is a merged summary of the RFC 9110 sections related to Status Code 304 (Not Modified), consolidating all information from the provided segments into a single, dense response. To maximize clarity and retain all details, I’ll use a combination of narrative text and a table in CSV format for key details. The response confirms the use (or lack thereof) of the Location header with status code 304 and includes all useful URLs.
  22. [22]
    https://www.rfc-editor.org/rfc/rfc9110.html#status.202
  23. [23]
    https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-design
  24. [24]
    Best practices for RESTful web API design - Azure - Microsoft Learn
    May 8, 2025 · This article describes best practices for designing RESTful web APIs. It also covers common design patterns and considerations for building web APIs that are ...
  25. [25]
    201 Created - HTTP - MDN Web Docs - Mozilla
    Jul 17, 2025 · The HTTP 201 Created successful response status code indicates that the HTTP request has led to the creation of a resource.
  26. [26]
    https://www.rfc-editor.org/rfc/rfc3986.html
  27. [27]
    RFC 3986: Uniform Resource Identifier (URI): Generic Syntax
    Summary of each segment:
  28. [28]
    https://datatracker.ietf.org/doc/html/rfc2616#section-14.30
  29. [29]
    RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1 - IETF Datatracker
    HTTP/1.1 servers SHOULD send Last-Modified whenever feasible. 14.30 Location The Location response-header field is used to redirect the recipient to a location ...RFC 2068 · RFC 7230 · RFC 7235
  30. [30]
    https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2
  31. [31]
    RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1) - IETF Datatracker
    This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header ...RFC 9110 · RFC 7234 · RFC 7230 · RFC 7235
  32. [32]
    https://datatracker.ietf.org/doc/html/rfc3986#section-5
  33. [33]
    https://datatracker.ietf.org/doc/html/rfc9110
  34. [34]
    RFC 9110 - HTTP Semantics - IETF Datatracker
    This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions.Table of Contents · Introduction · Conformance · Terminology and Core Concepts
  35. [35]
    https://datatracker.ietf.org/doc/html/rfc1945#section-9.3
  36. [36]
    https://datatracker.ietf.org/doc/html/rfc1945#section-10.11
  37. [37]
    https://datatracker.ietf.org/doc/html/rfc2616#section-10.2.2
  38. [38]
    https://datatracker.ietf.org/doc/html/rfc2616#section-10.3
  39. [39]
    https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
  40. [40]
    https://datatracker.ietf.org/doc/html/rfc9113#section-8.1
  41. [41]
    https://datatracker.ietf.org/doc/html/rfc9113#section-4.3
  42. [42]
    https://datatracker.ietf.org/doc/html/rfc7231#appendix-B
  43. [43]
    https://datatracker.ietf.org/doc/html/rfc9113#section-4.3
  44. [44]
    https://datatracker.ietf.org/doc/html/rfc7231#appendix-B