Redirect API and Rules as Code: CI/CD Workflows for Safer URL Changes
Redirect rules are production traffic configuration. Treat them like deployable assets: reviewed, validated, staged, published, monitored, and reversible.
Redirects usually start as small fixes. A product URL changes. A docs route moves. A marketing page is renamed. Someone adds a line to next.config.js, a Cloudflare rule, a CMS plugin, or an Nginx file.
That works for a handful of fixes. It breaks down when redirects become part of release operations.
Once the rule set covers old links, campaign URLs, partner traffic, API docs, app fallbacks, and migrated product pages, it is carrying real production risk. A bad rule can lose attribution, bury a high-value page, route support traffic to the wrong place, or turn a clean migration into a chain of surprises. That work should not be trapped in a spreadsheet, a one-off script, or a dashboard change that nobody can review.
Treat redirects as deployable configuration: rules live in code or structured data, CI validates them, staging proves behavior, production publishes a versioned snapshot, and rollback is ready before traffic moves.
Why redirects belong in the release workflow
Modern web teams already review infrastructure changes. They review environment variables, feature flags, database migrations, route handlers, and edge middleware. Redirects deserve the same treatment when they affect public URLs.
The weak workflow looks familiar:
- SEO keeps a redirect spreadsheet
- engineering copies rows into app config
- marketing changes campaign destinations in a separate tool
- a CMS plugin creates hidden redirects
- a CDN rule handles hostname cleanup
- nobody knows which layer fired when a report breaks
Rules as code gives the team a single artifact to review. The artifact might be YAML, JSON, Terraform, a generated CSV, or an internal API payload. The format matters less than the operating model.
A redirect rule needs more than source and target
Two fields can create a redirect. They cannot explain whether the redirect is safe.
Use a schema that captures intent:
{
"source": "/old-pricing",
"destination": "/pricing",
"status": 301,
"match": "exact",
"queryPolicy": "preserve_allowlist",
"preserveQuery": ["utm_source", "utm_medium", "utm_campaign", "gclid"],
"owner": "growth",
"reason": "pricing page consolidation",
"expiresAt": null
}For a migration or campaign system, add fields for priority, locale, country, device, tag, batch, review status, and fallback. The goal is not bureaucracy. The goal is to make the rule explainable before it reaches users.
| Field | Why it belongs in the contract |
|---|---|
status | 301/308 for permanent moves, 302/307 for temporary or campaign behavior |
match | Exact, wildcard, regex, host, query, header, or condition-based matching |
queryPolicy | Prevents UTM, click ID, coupon, or affiliate data from being lost |
owner | Gives support, SEO, marketing, and engineering a person or team to ask |
batch | Lets teams publish or roll back a migration group without touching everything |
expiresAt | Keeps temporary campaign rules from becoming permanent clutter |
Google's redirect guidance still starts with intent: how long the redirect should stay in place and which URL should appear in search. CI cannot choose that for you, but it can stop mismatched status codes and dangerous patterns from shipping silently.
API sync beats manual copy-paste
Redirects often originate outside the app repository. A headless CMS emits legacy slugs. An ecommerce catalog retires products. A docs platform changes paths. An SEO agency delivers a migration map. A partner portal needs branded links.
If every source becomes a manual import, rules drift.
A redirect API gives the team a cleaner boundary:
| Source | API behavior |
|---|---|
| CMS | Create or update redirects when slugs change, but require approval for high-traffic paths |
| Ecommerce catalog | Route discontinued products to replacements, categories, waitlists, or unavailable pages |
| Docs build | Publish old docs paths as part of a versioned docs release |
| Migration spreadsheet | Import a reviewed batch, validate it, and publish it as a snapshot |
| Internal tools | Let support or operations request a rule without granting CDN or server access |
Cloudflare exposes redirect creation through its Rulesets API. Next.js and Vercel support configuration-based redirects. Those are useful execution layers. The hard part for product teams is the governance layer around them: validation, ownership, staging, analytics, and rollback.
What CI should check before publish
A redirect CI job should test behavior, not just parse syntax.
Useful checks:
- duplicate source paths
- malformed destinations
- missing owner, reason, or status
- broad wildcard or regex rules that shadow exact rules
- permanent status on an expiring campaign
- destination 404, 410, 5xx, or unexpected redirect
- redirect chains longer than the team's threshold
- redirect loops
- dropped UTM, click ID, coupon, or partner parameters
- country, device, header, or query conditions without fallback
- rules that overlap another team's batch
For high-risk changes, run a sample request matrix in staging:
source=/old-pricing
country=US
device=desktop
query=?utm_source=google&gclid=test
expectedStatus=301
expectedDestination=/pricing?utm_source=google&gclid=testThis is where redirect work starts to feel like software delivery instead of spreadsheet maintenance.
Staging should show the final route
A staging environment for redirects should answer a plain question: if this URL receives this request context, what will happen in production?
Show:
- matched rule
- status code
- final destination
- query handling
- condition result
- competing rules
- chain length
- owner and batch
- diff from the currently published snapshot
GitHub Actions environments can require reviewers before a deployment job continues. The same pattern works for redirects: CI validates the rule set, staging produces evidence, and production publish waits for the right owner to approve.
Rollback is a product requirement
Redirect rollback should not mean redeploying the origin app at 2 a.m.
Keep published snapshots. Tag imported batches. Separate temporary campaign rules from permanent migration rules. Make emergency overrides visible instead of burying them in the CDN or app middleware.
Rollback patterns:
| Problem | Safer response |
|---|---|
| Bad migration batch | Disable or roll back that batch |
| One high-value page wrong | Add a higher-priority exact rule |
| Campaign destination down | Switch to fallback with a temporary status |
| Regex captured too much | Pause the pattern and publish explicit exceptions |
| Query policy broke analytics | Restore prior query handling and retest campaign URLs |
If a redirect rule can affect search, paid traffic, support links, or revenue, rollback is part of the feature.
Where UrlEdge fits
UrlEdge is built for teams that want redirect changes to move through a controlled workflow without turning every URL change into an origin deploy.
Relevant product surfaces:
- API for programmatic domains, rules, publishing, and automation
- Redirect Management for rule ownership, analytics, snapshots, and rollback
- Bulk URL Management for migration maps and large imports
- Advanced Redirect Rules for wildcard, regex, query, and conditional routing
- Redirect Checker for route QA and status-code checks
- Collaboration when SEO, marketing, platform, and agency teams share approval
Use app config for small redirects that belong to the application. Use CDN rules for simple network-owned normalization. Use a redirect API and rules-as-code workflow when the rule set needs review, evidence, automation, and fast recovery.
FAQ
What does "redirect rules as code" mean?
It means redirect rules are stored in a structured, reviewable format and moved through validation, staging, publishing, and rollback like other production configuration.
Should redirects live in Git?
Some should. Git works well for stable, reviewed rules and migration artifacts. API-driven sync works better when redirects come from a CMS, ecommerce catalog, partner tool, or internal operations workflow. Many teams need both.
Can CI/CD publish redirects directly?
Yes, if the workflow includes validation, staging evidence, permissions, approval for risky changes, and rollback. A direct publish without those controls is just a faster way to ship routing mistakes.
Is this only for developers?
No. Developers usually build the workflow, but SEO, growth, ecommerce, support, and agencies benefit because redirect ownership becomes visible and reversible.
References
Automate redirect publishing with the API
Create, validate, publish, monitor, and roll back redirect rules from your deployment workflow.
Explore the APIRelated Articles
View all
Geo Redirects for Ecommerce Localization: Country Stores, Currency, Language, and SEO-Safe Fallbacks
Geo redirects can help shoppers reach the right regional store, but they can also hide pages from users and crawlers if the routing policy is too aggressive.
Branded Campaign Links with UTMs, QR Codes, and Partner Traffic
A campaign link has to stay readable in public, preserve attribution in analytics, and remain editable after it has been printed, posted, or handed to a partner.