Redirect Endpoint

How to use the redirect endpoint

goshs can serve HTTP 3xx redirects via a special URL query parameter. This is useful in penetration testing and CTF scenarios where you want to redirect a victim’s browser or server-side request to an arbitrary target — for example when testing open-redirect vulnerabilities or chaining SSRF attacks.

Triggering a redirect

Append ?redirect to any goshs URL and provide the target via ?url=:

http://<your-ip>:8000/?redirect&url=https://example.com

goshs will respond with an HTTP 302 redirect to https://example.com.

Choosing the status code

Use ?status= to select any 3xx response code (301, 302, 303, 307, 308, etc.). Defaults to 302 if omitted.

http://<your-ip>:8000/?redirect&url=https://example.com&status=301

Adding custom response headers

Zero or more ?header= values can be appended. Each value must be in Name: Value format:

http://<your-ip>:8000/?redirect&url=https://example.com&header=X-Custom: foo&header=Cache-Control: no-store

Full example

$ curl -v 'http://dns.hesec.de:8000/?redirect&url=https://example.com&status=301&header=X-Custom:%20foo'
* Host dns.hesec.de:8000 was resolved.
* IPv6: (none)
* IPv4: <redacted>
*   Trying <redacted>:8000...
* Connected to dns.hesec.de (redacted) port 8000
* using HTTP/1.x
> GET /?redirect&url=https://example.com&status=301&header=X-Custom:%20foo HTTP/1.1
> Host: dns.hesec.de:8000
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=utf-8
< Location: https://example.com
< Server: goshs/v2.0.0 (linux; go1.24.1)
< X-Custom: foo
< Date: Mon, 13 Apr 2026 12:17:01 GMT
< Content-Length: 54
< 
<a href="https://example.com">Moved Permanently</a>.

* Connection #0 to host dns.hesec.de left intact

Error handling

Condition	HTTP status
`?url=` parameter missing	400 Bad Request
`?status=` is not a 3xx code	400 Bad Request
Malformed `?header=` value (missing `:` )	400 Bad Request

Notes

The redirect endpoint is available on the standard HTTP/HTTPS port — no additional flag is needed to enable it.
Redirect events are logged and emitted as collaboration events (visible in verbose output).
Authentication and TLS settings apply to the redirect endpoint just as they do to all other goshs routes.