Skip to main content

Netlify Redirects Cheatsheet - _redirects, netlify.toml, Rewrites, Proxy, SPA, Splats

Netlify _redirects and netlify.toml cheatsheet for rewrites, proxies, SPA fallbacks, splats, status codes, and country/language rules.

  • Runs locally
  • Category Developer & DevOps
  • Best for Checking file type, size, metadata, and obvious mismatch signals before sharing.
Section:
55 entries

Paste your _redirects file or netlify.toml redirects to parse each rule and catch shadowed rules, bad statuses, and splat mistakes. Search above works without any pasted input.

Basics (7)
_redirects file (publish directory root)

Plain-text rules file. It must end up in the PUBLISH directory after the build (e.g. `dist/`, `build/`, `public/` output), not just in the repo root.

Watch out: Most "rule not firing" reports are a build that never copies _redirects into the publish directory.

Examples
# public/_redirects (Vite / CRA copy public/ verbatim)
/old-page  /new-page  301
/from [params] /to [status][!] [conditions]

One rule per line: origin path, optional query-param matchers, destination, optional status code (default 301), optional force `!`, optional Country/Language/Role conditions.

Examples
/old  /new
/store  id=:id  /blog/:id  301
/admin/*  /login  302!  Role=admin
# comment lines

Lines starting with `#` are ignored. Use them to group sections — redirect files grow fast on real sites.

Examples
# --- marketing pages ---
/pricing-old  /pricing  301
default status = 301

Omitting the status code makes the rule a 301 permanent redirect. Be deliberate: browsers and Google cache 301s aggressively.

Watch out: Use 302 while you are still testing a rule; switch to 301 once it is final.

Examples
/old  /new        # implicit 301
/old  /new  302   # explicit temporary
first match wins (top to bottom)

Rules are evaluated in file order and evaluation stops at the first match. Put specific rules above broad ones.

Watch out: A `/*` rule anywhere but the last line disables everything below it.

Examples
/api/*  https://api.example.com/:splat  200
/*      /index.html  200
/path https://elsewhere.com/path

Destinations can be absolute URLs on any domain. With 301/302 the browser is sent there; with 200 Netlify proxies the response instead.

Examples
/docs  https://docs.example.com  301
/api/*  https://api.example.com/:splat  200
trailing slashes are normalized

Netlify treats `/about` and `/about/` as the same route for matching, so you do not need duplicate rules for both spellings.

Examples
/about  /company  301   # also matches /about/
Status codes (7)
301 — permanent redirect

The URL moved for good. Search engines transfer ranking signals to the target; browsers cache it.

Examples
/2019-pricing  /pricing  301
302 — temporary redirect

The move is temporary. Nothing is cached long-term and search engines keep indexing the original URL.

Examples
/black-friday  /deals/2026  302
200 — rewrite (URL unchanged)

Serve the destination content while the browser URL stays on the origin path. This is what powers SPA fallbacks and API proxying.

Watch out: 200 rewrites also preserve the request method and body — the only status that does.

Examples
/*  /index.html  200
/api/*  https://api.example.com/:splat  200
404 — custom not-found content

Serve specific content with a 404 code. Useful for retired sections that should show an explanation instead of the generic 404 page.

Examples
/store/*  /store-closed.html  404
410 — gone

Tells crawlers the content was removed on purpose and will not come back, which de-indexes faster than 404.

Examples
/blog/deleted-post  /gone.html  410
451 — unavailable for legal reasons

Reserved for content blocked by legal requirements, often combined with Country conditions.

Examples
/casino/*  /unavailable.html  451  Country=de
! — force flag (beat shadowing)

By default a rule loses to a real file at the same path. Appending `!` to the status makes the rule win even when the file exists.

Watch out: A forced `/* ... 200!` fallback also swallows your JS and CSS assets — almost never what you want.

Examples
/old-file.html  /new-file.html  301!
Splats (5)
/* → :splat

A trailing `*` in the source captures the rest of the path; `:splat` in the target inserts it. The standard way to move whole sections.

Examples
/news/*  /blog/:splat  301
* must be the last path segment

Only one splat is allowed and it must sit at the end of the source path. `/a/*/b` is not a valid Netlify pattern.

Examples
/downloads/*  /files/:splat  301
/:segment placeholders

A `:name` matches exactly one path segment and can be reused (and reordered) in the target.

Examples
/news/:year/:month/:slug  /blog/:year-:month/:slug  301
:name vs :splat

Placeholders match one segment; the splat matches everything remaining including further slashes. Use placeholders when structure matters.

Watch out: `:splat` in the target is only filled when the source has `*` — otherwise the rule never expands.

Examples
/docs/:lang/*  /:lang/docs/:splat  301
capture but drop the tail

Match a whole subtree but send everyone to one page: use `*` in the source and simply omit `:splat` in the target.

Examples
/legacy/*  /  301
/promo-2024/*  /promotions  302
SPA (4)
/* /index.html 200

The single-page-app fallback: every unknown path serves index.html with a 200 so client-side routing handles it, and deep links survive refresh.

Examples
/*  /index.html  200
SPA fallback must be the LAST rule

First match wins, so the catch-all has to sit at the bottom. Anything written after it can never fire.

Examples
/api/*  /.netlify/functions/api/:splat  200
/*      /index.html  200
why the fallback does not break assets

Without `!`, shadowing lets real files win: `/main.js` exists, so it is served directly and never hits the `/*` rule.

Examples
/*  /index.html  200   # bundles/images still served normally
keep API routes out of the fallback

Proxy or function rules must appear above the SPA fallback, otherwise API calls to unknown paths return index.html with a confusing 200.

Watch out: An API client receiving HTML where it expects JSON is the classic symptom of this ordering bug.

Examples
/api/*  https://api.example.com/:splat  200
/*      /index.html  200
Proxy (5)
/api/* https://api.example.com/:splat 200

Status 200 plus an absolute target = reverse proxy. The browser talks only to your domain; Netlify fetches from the upstream and streams the response back.

Examples
/api/*  https://api.example.com/v2/:splat  200
proxying kills CORS problems

Because the request never leaves your origin from the browser's point of view, no CORS headers or preflights are involved at all.

Examples
/weather/*  https://api.openweathermap.org/:splat  200
pretty URLs for Netlify Functions

Rewrite a clean path onto the functions endpoint so clients never hard-code `/.netlify/functions/`.

Examples
/api/*  /.netlify/functions/:splat  200
signed proxy redirects (netlify.toml)

Set `signed = "MY_SECRET_ENV"` on a proxy rule and Netlify adds a JWT the upstream can verify, proving the request came through your proxy.

Examples
[[redirects]]
  from = "/api/*"
  to = "https://api.example.com/:splat"
  status = 200
  signed = "API_SIGNATURE_TOKEN"
custom headers on proxied requests

In netlify.toml a proxy rule can attach headers to the upstream request — handy for API keys that must not ship to the browser.

Watch out: Headers set here go to the origin only; they are not response headers for the visitor.

Examples
[[redirects]]
  from = "/search/*"
  to = "https://api.example.com/:splat"
  status = 200
  headers = {X-From = "Netlify"}
Domains (4)
apex ↔ www handled automatically

Netlify auto-redirects all site aliases to the primary custom domain (including apex vs www), so you rarely write those rules yourself.

Examples
# set the primary domain in Site settings → Domain management
https://old.example.com/* → new domain

Full-domain migration keeping deep links: absolute URL in the source, `:splat` in the target, force flag on.

Watch out: The old domain must be attached to this Netlify site (domain alias) or the rule never sees its traffic.

Examples
https://old.example.com/*  https://www.example.com/:splat  301!
route one subdomain into a path

Fold a legacy subdomain into a path on the main site while preserving the remainder of each URL.

Examples
https://blog.example.com/*  https://www.example.com/blog/:splat  301!
http → https

Netlify serves HTTPS and redirects HTTP automatically once a certificate exists — no manual rule needed.

Examples
# automatic — verify the certificate under Domain management → HTTPS
Query params (4)
/store id=:id /blog/:id 301

Match a query parameter and reuse its value in the target path. The classic pattern for retiring `?id=`-style URLs.

Examples
/store  id=:id  /blog/:id  301
match a fixed parameter value

A literal `key=value` matcher only fires when that exact pair is present in the request.

Examples
/search  source=newsletter  /landing/newsletter  302
all listed params must be present

Multiple matchers AND together: a request missing any of them falls through to the next rule.

Watch out: There is no OR — write one rule per alternative parameter combination.

Examples
/report  year=:y  month=:m  /reports/:y/:m  301
query strings are forwarded by default

A plain redirect carries the original query string along to the destination automatically; you do not restate it.

Examples
/old  /new  301   # /old?a=1 → /new?a=1
Conditions (5)
Country=us,ca

Geo-based routing by ISO 3166 country codes, comma-separated. Great for regional storefronts and legal blocks.

Examples
/  /us/  302  Country=us
/  /anz/  302  Country=au,nz
Language=en,es

Route by the browser Accept-Language header. Combine with a 302 so users can still navigate to other locales manually.

Examples
/  /zh/  302  Language=zh
/docs/*  /es/docs/:splat  302  Language=es
Role=admin (JWT / Identity)

Gate paths by roles carried in a Netlify Identity / JWT cookie. Requires the role-based access control feature on paid plans.

Examples
/admin/*  /admin/:splat  200  Role=admin
/admin/*  /login  302
nf_country / nf_lang test cookies

Set the `nf_country` or `nf_lang` cookie in your browser to override geo detection while testing conditional rules.

Examples
document.cookie = 'nf_country=de'   # then reload
always pair conditions with a fallback

Conditional rules only cover listed audiences. Add an unconditional rule after them so everyone else has a defined destination.

Examples
/  /us/  302  Country=us
/  /global/  302
netlify.toml (4)
[[redirects]] block

The netlify.toml equivalent of one `_redirects` line. Repeat the double-bracket block once per rule; order in the file still matters.

Examples
[[redirects]]
  from = "/old"
  to = "/new"
  status = 301
force = true

The toml spelling of the `!` flag: apply the rule even when a real file exists at the origin path.

Examples
[[redirects]]
  from = "/old.html"
  to = "/new.html"
  status = 301
  force = true
query = {} and conditions = {}

Query matchers and audience conditions become inline tables, with condition values as arrays.

Examples
[[redirects]]
  from = "/store"
  to = "/blog/:id"
  status = 301
  query = {id = ":id"}
  conditions = {Country = ["us", "ca"]}
_redirects is processed before netlify.toml

When both formats exist, every `_redirects` rule is evaluated first. A matching line there wins over any toml block.

Watch out: Keep all rules in ONE format. Split rule sets are the second most common "why is my rule ignored" cause.

Examples
# pick one: public/_redirects OR netlify.toml [[redirects]]
Troubleshoot (6)
deploy log: "X redirect rules processed"

The deploy summary reports how many rules parsed. Invalid lines are skipped silently — if the count is lower than expected, a rule is malformed.

Examples
# Deploy summary → "42 redirect rules processed"
rule ignored? check shadowing first

If a real file exists at the origin path, an unforced rule never fires. Either remove/rename the file or add `!` to the status.

Examples
/index.html  /welcome  301!   # beats the real index.html
rule ignored? check what is above it

Scan upward for an earlier rule (often a catch-all) that matches the same request. The analyzer on this page flags exactly this.

Examples
/*  /index.html  200
/old  /new  301   # dead: never reached
netlify dev — test rules locally

The Netlify CLI replays your redirect rules on localhost, so you can verify matching before pushing a deploy.

Examples
npm i -g netlify-cli
netlify dev
curl -sI localhost:8888/old-page | grep -i location
curl -sIL — inspect the live chain

Follow the actual redirect chain in production and see every hop, status code, and final target.

Examples
curl -sIL https://example.com/old-page | grep -iE "^(HTTP|location)"
stale 301 cached by the browser

Browsers cache 301s hard. When testing changed rules, use a private window or curl — otherwise you are debugging the cache, not Netlify.

Examples
curl -sI https://example.com/old-page   # bypasses browser cache
Templates (4)
SPA + API proxy starter

The most common production file: functions proxy first, external API proxy second, SPA fallback last.

Examples
/api/*      /.netlify/functions/:splat        200
/upstream/* https://api.example.com/:splat  200
/*          /index.html                     200
domain migration block

Move a whole legacy domain: forced, permanent, splat-preserving.

Examples
https://old.example.com/*   https://www.example.com/:splat  301!
http://old.example.com/*    https://www.example.com/:splat  301!
country routing with fallback

Regional entry points plus a defined default for everyone else.

Examples
/   /us/      302  Country=us
/   /eu/      302  Country=de,fr,es,it,nl
/   /global/  302
retire a section cleanly

Deleted content: 410 for crawlers, one human-readable explanation page.

Examples
/forum/*   /forum-closed.html  410
/wiki/*    /docs/:splat        301

What this tool does

Searchable Netlify redirects cheatsheet for the rules you actually write: the `_redirects` file format, `netlify.toml` [[redirects]] blocks, 301 vs 302 vs 200 rewrites, the force `!` flag and shadowing, splats and `:splat`, named placeholders, SPA fallbacks (`/* /index.html 200`), API proxying to avoid CORS, query-parameter matching, country / language / role conditions, custom 404 and 410 rules, and the debugging paths for "my rule is not firing". The tool is fully local: search the reference, filter by section, paste a `_redirects` file or a netlify.toml snippet to parse each rule and catch known mistakes — catch-all rules that shadow everything below them, `:splat` without a `*`, placeholders that never match, invalid status codes, and self-redirect loops — then copy the exact rule you need.

Tool details

Input
Text + Numbers
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
Shareable URL state
Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget
Initial JS <= 32 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Developer & DevOps · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. 1. Input

    Paste or drop your content into the tool panel.

  2. 2. Process

    Click the button. All processing is local in your browser.

  3. 3. Copy / Download

    Copy the result or download to disk in one click.

How Netlify Redirects Cheatsheet fits into your work

Use it before upload, handoff, archive, support review, or any moment where a file needs one local check before it leaves your machine.

File jobs

  • Checking file type, size, metadata, and obvious mismatch signals before sharing.
  • Preparing mixed folders for upload, archive, intake, or review.
  • Keeping sensitive files in the browser instead of sending them to an account-based service.

File checks

  • Do not treat the extension alone as proof of the real file type.
  • Review metadata before a file goes to customers, vendors, or a public page.
  • Keep the original file until the copied, converted, or exported result is verified.

Good next steps

These links move the current task into a more complete workflow.

  1. 1 Nginx Cheatsheet Nginx cheat sheet — common configs, location/server blocks, SSL, reverse proxy, gzip, real examples & gotchas. Open
  2. 2 Apache Cheatsheet Apache HTTP Server cheatsheet for httpd.conf, VirtualHost, .htaccess, mod_rewrite, SSL, proxying, auth, headers, and logs. Open
  3. 3 Cloudflare DNS Cheatsheet Cloudflare DNS cheat sheet with proxy rules, TTL notes, CNAME flattening, mail records, and a local record checker Open

Real-world use cases

  • Ship an SPA and an API proxy on the same site

    Filter to SPA and Proxy, copy the `/api/*` proxy rule and the `/* /index.html 200` fallback, and paste your final file into the analyzer. It confirms the proxy rule sits above the catch-all and warns immediately if the fallback would shadow it.

  • Migrate an old domain without losing deep links

    Search "domain" and copy the `https://old.example.com/* https://www.example.com/:splat 301!` template. The notes explain why the old domain must be added as a domain alias and why the force flag matters on migration rules.

  • Debug a rule that works locally but not in production

    Paste the deployed `_redirects` content into the analyzer. Typical findings: a typo like `:splat` without `*`, a rule swallowed by an earlier catch-all, or an invalid status code that Netlify skipped silently — the deploy log only tells you the count of processed rules.

Common pitfalls

  • Putting `/* /index.html 200` above other rules disables every rule below it — first match wins, so the SPA fallback must be the last line.

  • Writing `:splat` in the target without a `*` in the source produces a rule that never expands; the placeholder is only filled by a splat match.

  • Forgetting `!` on migration rules means any real file at the old path silently wins over the redirect — shadowing is on by default.

Privacy

Redirect files often contain internal hostnames and upstream API endpoints, so the paste-in analyzer is deliberately local-only and not synced into URL state. Search terms and category filters are shareable; pasted rules never leave the tab.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Made by Toolora · 100% client-side · Updated 2026-07-02