Why Form Data is Dropped on Redirects

Flask enforces canonical URLs to ensure that each resource is accessible via a single, consistent path. A common side effect of this design is the "trailing slash redirect." While this is usually transparent, it can lead to silent data loss when performing POST requests if the client hits the non-canonical URL. To prevent this during development, Flask implements a specific debug-mode safeguard.

The Trailing Slash Mechanism

In Flask, a route defined with a trailing slash (e.g., @app.route("/user/")) is treated as the "canonical" URL. If a user accesses /user (without the slash), Flask's routing system—powered by Werkzeug—automatically issues a redirect to /user/.

Historically, HTTP redirects using status codes like 301 Moved Permanently or 302 Found allowed browsers to change the request method from POST to GET when following the redirect, effectively dropping the request body (form data). While modern standards introduced 307 Temporary Redirect and 308 Permanent Redirect to explicitly preserve the method and body, older configurations or manual overrides can still trigger the data-dropping behavior.

Debugging Data Loss with FormDataRoutingRedirect

To help developers identify why their form data might be disappearing, Flask provides the FormDataRoutingRedirect exception. This class, located in src/flask/debughelpers.py, is an AssertionError designed to provide a clear, actionable error message when a routing redirect is about to cause data loss.

class FormDataRoutingRedirect(AssertionError):
    """This exception is raised in debug mode if a routing redirect
    would cause the browser to drop the method or body.
    """

    def __init__(self, request: Request) -> None:
        exc = request.routing_exception
        assert isinstance(exc, RequestRedirect)
        buf = [
            f"A request was sent to '{request.url}', but routing issued"
            f" a redirect to the canonical URL '{exc.new_url}'."
        ]

        if f"{request.base_url}/" == exc.new_url.partition("?")[0]:
            buf.append(
                " The URL was defined with a trailing slash. Flask"
                " will redirect to the URL with a trailing slash if it"
                " was accessed without one."
            )

        buf.append(
            " Send requests to the canonical URL, or use 307 or 308 for"
            " routing redirects. Otherwise, browsers will drop form"
            " data.\n\n"
            "This exception is only raised in debug mode."
        )
        super().__init__("".join(buf))

How Flask Intercepts Redirects

The logic for raising this exception resides in the raise_routing_exception method within src/flask/app.py. Flask evaluates the incoming request and the pending redirect against several criteria before deciding whether to allow the redirect or raise the debug error.

The exception is triggered only when all of the following conditions are met:

The application is in Debug Mode (self.debug is True).
The routing exception is a RequestRedirect.
The redirect status code is not 307 or 308 (the codes that preserve the request body).
The request method is not GET, HEAD, or OPTIONS (methods that typically do not have a body).

# From src/flask/app.py
def raise_routing_exception(self, request: Request) -> t.NoReturn:
    if (
        not self.debug
        or not isinstance(request.routing_exception, RequestRedirect)
        or request.routing_exception.code in {307, 308}
        or request.method in {"GET", "HEAD", "OPTIONS"}
    ):
        raise request.routing_exception

    from .debughelpers import FormDataRoutingRedirect
    raise FormDataRoutingRedirect(request)

Tradeoffs and Design Decisions

Debug-Only Enforcement

This check is strictly limited to debug mode. In a production environment, Flask prioritizes application availability and follows the configured redirect behavior. If a production app is misconfigured to use 301 redirects for POST requests, the data will be lost silently. This design choice ensures that the production environment does not crash due to routing inconsistencies, while the development environment forces the developer to fix the underlying issue.

Modern Defaults

Modern versions of Werkzeug (the library Flask uses for routing) default to 308 redirects for trailing slash corrections. As noted in the raise_routing_exception docstring, this error is less common in modern setups because 308 explicitly instructs the browser to resend the original method and body to the new URL.

Resolution Strategies

When encountering this error, developers have two primary solutions:

Use Canonical URLs: Update the client (e.g., an HTML form action or an API call) to point directly to the canonical URL (e.g., /user/ instead of /user).
Use Body-Preserving Redirects: Ensure that any manual redirects or custom routing rules use status code 307 or 308 if the request method and body must be maintained.

This mechanism serves as a critical "fail-fast" tool, preventing subtle bugs where form submissions appear to succeed but arrive at the server with empty data.

The Trailing Slash Mechanism​

Debugging Data Loss with FormDataRoutingRedirect​

How Flask Intercepts Redirects​

Tradeoffs and Design Decisions​

Debug-Only Enforcement​

Modern Defaults​

Resolution Strategies​