
Instance Public methods

_compute_safe_redirect_to_location(request, options, response_options)

# File actionpack/lib/action_controller/metal/redirecting.rb, line 113
def _compute_safe_redirect_to_location(request, options, response_options)
  location = _compute_redirect_to_location(request, options)

  # Return the location only if other hosts are allowed or its host passes the check.
  if response_options[:allow_other_host] || _url_host_allowed?(location)
    location
  else
    raise(ArgumentError, <<~MSG.squish)
      Unsafe redirect #{location.truncate(100).inspect},
      use :allow_other_host to redirect anyway.
    MSG
  end
end

redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)

Soft deprecated alias for redirect_back_or_to where the fallback_location is supplied as a keyword argument instead of the first positional argument.

# File actionpack/lib/action_controller/metal/redirecting.rb, line 79
def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
  redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
end

redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)

Redirects the browser to the page that issued the request (the referrer) if possible, otherwise redirects to the provided default fallback location.

The referrer information is pulled from the HTTP Referer (sic) header on the request. This is an optional header and its presence on the request is subject to browser security settings and user preferences. If the request is missing this header, the fallback_location will be used.

redirect_back_or_to({ action: "show", id: 5 })
redirect_back_or_to @post
redirect_back_or_to "http://www.rubyonrails.org"
redirect_back_or_to "/images/screenshot.jpg"
redirect_back_or_to posts_url
redirect_back_or_to proc { edit_post_url(@post) }
redirect_back_or_to '/', allow_other_host: false


  • :allow_other_host - Allow or disallow redirection to a host that is different from the current host; defaults to true.

All other options that can be passed to redirect_to are accepted as options and the behavior is identical.

# File actionpack/lib/action_controller/metal/redirecting.rb, line 105
def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
  location = request.referer || fallback_location
  # Ignore a referrer on another host unless other hosts are allowed.
  location = fallback_location unless allow_other_host || _url_host_allowed?(request.referer)
  allow_other_host = true if _allow_other_host && !allow_other_host # if the fallback is an open redirect

  redirect_to location, allow_other_host: allow_other_host, **options
end

redirect_to(options = {}, response_options = {})

Redirects the browser to the target specified in options. This parameter can be any one of:

  • Hash - The URL will be generated by calling url_for with the options.

  • Record - The URL will be generated by calling url_for with the options, which will reference a named URL for that record.

  • String starting with protocol:// (like http://) or a protocol relative reference (like //) - Is passed straight through as the target for redirection.

  • String not containing a protocol - The current protocol and host are prepended to the string.

  • Proc - A block that will be executed in the controller's context. Should return any option accepted by redirect_to.


redirect_to action: "show", id: 5
redirect_to @post
redirect_to "http://www.rubyonrails.org"
redirect_to "/images/screenshot.jpg"
redirect_to posts_url
redirect_to proc { edit_post_url(@post) }

The redirection happens as a 302 Found header unless otherwise specified using the :status option:

redirect_to post_url(@post), status: :found
redirect_to action: 'atom', status: :moved_permanently
redirect_to post_url(@post), status: 301
redirect_to action: 'atom', status: 302

The status code can either be a standard HTTP Status code as an integer, or a symbol representing the downcased, underscored and symbolized description. Note that the status code must be a 3xx HTTP code, or redirection will not occur.

If you are using XHR requests other than GET or POST and redirecting after the request, some browsers will follow the redirect using the original request method. This may lead to undesirable behavior such as a double DELETE. To work around this you can return a 303 See Other status code which will be followed using a GET request.

redirect_to posts_url, status: :see_other
redirect_to action: 'index', status: 303

It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names alert and notice as well as a general purpose flash bucket.

redirect_to post_url(@post), alert: "Watch it, mister!"
redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
redirect_to({ action: 'atom' }, alert: "Something serious happened")

Statements after redirect_to in our controller get executed, so redirect_to doesn't stop the execution of the function. To terminate the execution of the function immediately after the redirect_to, use return.

redirect_to post_url(@post) and return

Passing user input directly into redirect_to is considered dangerous (e.g. `redirect_to(params)`). Always use regular expressions or a permitted list when redirecting to a user specified location.
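
One way to apply the permitted-list advice above, and the kind of same-host decision redirect_back_or_to makes for the Referer header, as an added example that is not Rails source code. The helper safe_redirect_target, its parameters and all sample hosts are hypothetical; it uses only Ruby's standard URI library.

```ruby
require "uri"

# Hypothetical helper, not part of Rails. Returns `candidate` only if it is a
# rooted local path or an http(s) URL whose host is the request host or on the
# permitted list; anything else yields `fallback`.
def safe_redirect_target(candidate, request_host:, fallback: "/", permitted_hosts: [])
  value = candidate.to_s
  return fallback if value.empty?
  # Backslashes, whitespace and control characters can be read differently by
  # browsers and by URI parsers, so refuse them instead of guessing.
  return fallback if value.match?(/[\\\x00-\x20\x7f]/)

  uri = URI.parse(value)
  if uri.host.nil?
    # No host: accept only "/path", never "//host" or a bare scheme
    # such as "javascript:".
    local = uri.scheme.nil? && value.start_with?("/") && !value.start_with?("//")
    return local ? value : fallback
  end

  return fallback unless %w[http https].include?(uri.scheme.to_s.downcase)
  host = uri.host.downcase
  allowed = [request_host, *permitted_hosts].map(&:downcase)
  allowed.include?(host) ? value : fallback
rescue URI::InvalidURIError
  fallback
end

# Constructed sample values, as they might arrive in a return_to parameter
# or a Referer header. None of these hosts come from the original page.
SAMPLES = [
  "/posts/5?page=2",
  "https://app.example.com/settings",
  "https://docs.example.com/guide",
  "//other.example.net/login",
  "https://app.example.com.other.example.net/",
  "https://app.example.com@other.example.net/",
  "/\\other.example.net",
  "javascript:alert(1)",
  nil
].freeze

SAMPLES.each do |sample|
  target = safe_redirect_target(sample, request_host: "app.example.com",
                                        permitted_hosts: ["docs.example.com"])
  puts "#{sample.inspect} -> #{target}"
end
```

In a controller the helper would wrap the untrusted value before it reaches redirect_to, with request.host as the request host; the parameter name return_to is an assumption.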

# File actionpack/lib/action_controller/metal/redirecting.rb, line 66
def redirect_to(options = {}, response_options = {})
  response_options[:allow_other_host] ||= _allow_other_host unless response_options.key?(:allow_other_host)

  raise ActionControllerError.new("Cannot redirect to nil!") unless options
  raise AbstractController::DoubleRenderError if response_body

  self.status        = _extract_redirect_to_status(options, response_options)
  self.location      = _compute_safe_redirect_to_location(request, options, response_options)
  self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
end