icon sc-linkedin logo of codepen-icon logo of github-icon youtube play button

notes by Adam Sullovey

web & mobile application developer
practicing in Toronto, ON

307 HTTP status code?

Are you seeing 307 status codes in your network traffic inspector while debugging your site lately and feeling confused? Ask yourself:

Have I copied and pasted any code from https://cipherli.st into the web server’s configuration lately and accessed the site over HTTPS?

Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”

This line is probably responsible, and removing it from your server’s configuration files will not revert the change it makes to user’s browsers.

What’s it do?

It tells your browser to only communicate with the host over HTTPS which is a great idea if your website is ready for it. If you are seeing 307 redirects, your HTTPS site is still making HTTP requests to unsecure content and being inefficient.

  • every request (image, font, script, whatever) that goes through the redirect from HTTP to HTTPS slows down your site and clogs up your debugging tools with more traffic
  • AJAX requests to HTTP URLs fail entirely if your library treats 3xx redirects as errors (like jQuery)
  • if includeSubdomains is included in the header, then all present and future subdomains must support SSL too. Got a wildcard SSL certificate?

I wasn’t ready to change all the things to HTTPS. How do I undo this?

Don’t panic

caniuse points out that no versions of IE support this header, so chances are lots of the site’s users aren’t affected.

Change your HTTP headers again

Don’t drop the Strict-Transport-Security header. The rule is cached in users’ browsers, and it will stick there even if the header is gone. Change it to something like this:

Header always set Strict-Transport-Security "max-age=0"

The next time a Strict Transport Security-caching browser visits your site over HTTPS, it should dump the rule out of cache because that’s what the proposed spec says it should do. The redirects from HTTP to HTTPS will stop.

Note that browsers ignore this header on sites requested over HTTP. Make the change on HTTPS version of the site, or both versions, but not just HTTP.

Change your browser

Here’s a few other posts that describe how to clear the setting out of your browser.

More info

comments powered by Disqus