Toronto May 2015 JS Tech Talk Night

  • ever try fuzzing a compiler?
  • ever try generating random programs?
  • transpilers are fun
    • coffeescript lets write JS that you usually can’t write
    • babel lets you write JS the way we eventually all will
  • watch (or don’t watch) The Room

May Tech Talk and Rise of the Transpilers Panel

Thursday, May 21, 2015, 6:30 PM

Lighthouse Labs (HIGHLINE Office)
639 Queen St W Toronto, ON

74 Members Went

It looks like our last Tech Talk Night managed to warm up the city and you can all thank us for the awesome weather that we’ve been having! We have another hot event lined up for you this month with a JSConf speaker and a panel of JavaScript experts.We would like to thank Lighthouse Labs for sponsoring the event: Lighthouse Labs has reimagined th…

Check out this Meetup →

Toronto May 2015 JS Hack Night

People talked about and hacked Task Runners.

JS Hack Night

Tuesday, May 12, 2015, 6:30 PM

Bento Miso
862 Richmond Street West, Suite 100 Toronto, ON

80 Members Went

Hi everyone! For this JS Hack Night, we’ve partnered with Pearl Chen and Ahmad Nassri of YeomanTO to bring you a super exciting event dedicated to front end task runners and automated build processes! The joint event will be in the main area, but there will be a separate space for those regulars who just want to hack on things. Event description fo…

Check out this Meetup →

307 HTTP status code?

Are you seeing 307 status codes in your network traffic inspector while debugging your site lately and feeling confused? Ask yourself:

Have I copied and pasted any code from https://cipherli.st into the web server’s configuration lately and accessed the site over HTTPS?

Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”

This line is probably responsible, and removing it from your server’s configuration files will not revert the change it makes to user’s browsers.

What’s it do?

It tells your browser to only communicate with the host over HTTPS which is a great idea if your website is ready for it. If you are seeing 307 redirects, your HTTPS site is still making HTTP requests to unsecure content and being inefficient.

  • every request (image, font, script, whatever) that goes through the redirect from HTTP to HTTPS slows down your site and clogs up your debugging tools with more traffic
  • AJAX requests to HTTP URLs fail entirely if your library treats 3xx redirects as errors (like jQuery)
  • if includeSubdomains is included in the header, then all present and future subdomains must support SSL too. Got a wildcard SSL certificate?

I wasn’t ready to change all the things to HTTPS. How do I undo this?

Don’t panic

caniuse points out that no versions of IE support this header, so chances are lots of the site’s users aren’t affected.

Change your HTTP headers again

Don’t drop the Strict-Transport-Security header. The rule is cached in users’ browsers, and it will stick there even if the header is gone. Change it to something like this:

Header always set Strict-Transport-Security "max-age=0"

The next time a Strict Transport Security-caching browser visits your site over HTTPS, it should dump the rule out of cache because that’s what the proposed spec says it should do. The redirects from HTTP to HTTPS will stop.

Note that browsers ignore this header on sites requested over HTTP. Make the change on HTTPS version of the site, or both versions, but not just HTTP.

Change your browser

Here’s a few other posts that describe how to clear the setting out of your browser.

More info