general
Location
In 3xx redirects, tells the client where to go next; in 201 Created, points at the newly created resource. Per RFC 9110 the value may be a relative reference resolved against the request URL.
Location: <URI-reference> (absolute URL or absolute-path reference) Common directives / values
| Directive | Purpose |
|---|---|
| absolute URL | e.g. https://example.com/new — always unambiguous. |
| absolute-path reference | e.g. /login — resolved against the current origin. |
| relative reference | Legal since RFC 7231/9110; some old clients still expect absolute. |
Examples
HTTP/1.1 302 Found\nLocation: /login Send unauthenticated users to the login page.
HTTP/1.1 201 Created\nLocation: /users/42 REST create — point the client at the new resource.
HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.com/new Permanent redirect to a canonical URL — SEO-friendly.
HTTP/1.1 307 Temporary Redirect\nLocation: https://api.example.com/v2/ Preserves method and body across the redirect (unlike 302).
Gotcha
302/303 change POST to GET on redirect; 307/308 preserve the method — pick the right code or clients lose the body. To read Location on 201 from cross-origin JS, list it in Access-Control-Expose-Headers.
Related headers
Host
Identifies the target host and optional port of the request, so a single IP can serve many virtual hosts. Missing Host in an HTTP/1.1 request MUST yield 400 Bad Request.
Origin
Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.
Content-Type
Declares the media type of the body in both requests and responses, and often carries additional parameters like charset or boundary. Governs how the recipient parses or renders the payload.
User-Agent
Free-form identifier of the client software, historically used for content negotiation and now largely for analytics and abuse detection. Modern browsers are freezing/reducing this string in favor of the Client Hints (Sec-CH-UA-*) family.