module ActionController::Redirecting
def redirect_to(options = {}, response_options = {})
redirect_to "https://rubyonrails.org", allow_other_host: true
To allow any external redirects pass allow_other_host: true, though using a user-provided param in that case is unsafe.
Raises UnsafeRedirectError in the case of an unsafe redirect.
redirect_to params[:redirect_url]
Here #redirect_to automatically validates the potentially-unsafe URL:
Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in config/initializers/new_framework_defaults_7_0.rb
By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
=== Open Redirect protection
redirect_to post_url(@post) and return
To terminate the execution of the function immediately after the +redirect_to+, use return.
Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
redirect_to({ action: 'atom' }, alert: "Something serious happened")
redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
redirect_to post_url(@post), alert: "Watch it, mister!"
+alert+ and +notice+ as well as a general purpose +flash+ bucket.
It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
redirect_to action: 'index', status: 303
redirect_to posts_url, status: :see_other
followed using a GET request.
around this you can return a 303 See Other status code which will be
method. This may lead to undesirable behavior such as a double DELETE. To work
request then some browsers will follow the redirect using the original request
If you are using XHR requests other than GET or POST and redirecting after the
Note that the status code must be a 3xx HTTP code, or redirection will not occur.
integer, or a symbol representing the downcased, underscored and symbolized description.
The status code can either be a standard {HTTP Status code}[https://www.iana.org/assignments/http-status-codes] as an
redirect_to action: 'atom', status: 302
redirect_to post_url(@post), status: 301
redirect_to action: 'atom', status: :moved_permanently
redirect_to post_url(@post), status: :found
The redirection happens as a 302 Found header unless otherwise specified using the :status option:
redirect_to proc { edit_post_url(@post) }
redirect_to posts_url
redirect_to "/images/screenshot.jpg"
redirect_to "http://www.rubyonrails.org"
redirect_to @post
redirect_to action: "show", id: 5
=== Examples:
* Proc - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
* String not containing a protocol - The current protocol and host is prepended to the string.
* String starting with protocol:// (like http://) or a protocol relative reference (like //) - Is passed straight through as the target for redirection.
* Record - The URL will be generated by calling url_for with the +options+, which will reference a named URL for that record.
* Hash - The URL will be generated by calling url_for with the +options+.
Redirects the browser to the target specified in +options+. This parameter can be any one of:
def redirect_to(options = {}, response_options = {}) raise ActionControllerError.new("Cannot redirect to nil!") unless options raise AbstractController::DoubleRenderError if response_body allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host } self.status = _extract_redirect_to_status(options, response_options) redirect_to_location = _compute_redirect_to_location(request, options) _ensure_url_is_http_header_safe(redirect_to_location) self.location = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host) self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>" end