
I've created a small project where I scan 1,000+ sites for their TLS implementation, including

  • Does an https site exist
  • Does the site redirect from http to https
  • Various other info about the cert

Surprisingly, when I first ran the scan, a lot of sites were NOT redirecting users to https, even though an https site existed (what a waste!), but gradually most of them began redirecting users.

My question is on the redirection method. I feel redirection via HTTP status code (i.e. the server responds with a 301 status code, with the URL of the https site) is the best way. I also feel that JavaScript redirects are a no-no and should be avoided.

But I recently discovered that you're able to redirect using an HTML meta tag; this is still a client-side redirect, but one that doesn't require JavaScript. To me this looks like an OK thing to do, especially if you have no ability to modify configurations on Apache/NGINX etc.

Obviously this is slightly less efficient than HTTP status codes (since the site needs to fully load before redirection), but it looks like a reasonable way to implement a redirect -- especially if the original http site is left empty.

Are there any security considerations around HTML meta tag redirects? And should I start marking meta tag redirects as 'good'?

keithRozario

1 Answer


Only browsers (which interpret the HTML) will follow http-meta refresh tags, and usually also only browsers will follow Refresh headers in the HTTP response.

I have no idea why you consider JavaScript-based redirects a no-no. But if the reason is that they will only work in browsers, then you should treat http-meta refresh tags in a similar way.

And should I start marking meta-tag redirects as 'good'?

Since you don't explain what you consider 'good' in the first place it is impossible to say if redirects using http-meta fit your idea of 'good'.

Steffen Ullrich
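An added example, not code from either poster, showing how a scanner like the one described in the question could tell the three redirect mechanisms apart (3xx status with Location, a Refresh response header, and a meta refresh tag, the latter two being browser-only as the answer notes). It works on constructed responses rather than live sites, and only counts a redirect whose target is https on the same host, so a redirect to plain http or to some other host is not marked as a working upgrade.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _MetaRefreshParser(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refresh_values = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh" and "content" in a:
            self.refresh_values.append(a["content"])


def _parse_refresh(value):
    """Parse 'N; url=...' (Refresh header or meta content); return the URL or None."""
    parts = value.split(";", 1)
    if len(parts) < 2:
        return None
    target = parts[1].strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return target or None


def classify_redirect(status, headers, body, original_host):
    """Classify how an http:// response sends the client to https://.

    headers is a dict with lower-case header names (constructed input).
    Returns (method, target) with method one of 'http-status',
    'refresh-header', 'meta-refresh' or 'none'. A target only counts when it
    is an https URL on the same host the scan started from.
    """
    candidates = []
    if status in (301, 302, 303, 307, 308) and headers.get("location"):
        candidates.append(("http-status", headers["location"]))
    if headers.get("refresh"):
        candidates.append(("refresh-header", _parse_refresh(headers["refresh"])))
    parser = _MetaRefreshParser()
    parser.feed(body)
    for value in parser.refresh_values:
        candidates.append(("meta-refresh", _parse_refresh(value)))
    for method, target in candidates:  # ordered: server-side first, then browser-only
        u = urlsplit(target or "")
        if u.scheme == "https" and u.hostname == original_host:
            return method, target
    return "none", None
```

The 'refresh-header' and 'meta-refresh' results can then be reported separately from 'http-status' in the scan, since non-browser clients will never follow them.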