May 5, 2015

307 HTTP status code?

Are you seeing 307 status codes in your network traffic inspector while debugging your site lately and feeling confused? Ask yourself:

Have I copied and pasted any code from https://cipherli.st into the web server’s configuration lately and accessed the site over HTTPS?

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

This line is probably responsible, and simply removing it from your server’s configuration files will not revert the change it has already made in users’ browsers.

What’s it do?

It tells your browser to only communicate with the host over HTTPS, which is a great idea if your website is ready for it. If you are seeing 307 redirects, your HTTPS site is still making HTTP requests to insecure content, and the browser is rewriting each of them to HTTPS before sending, which is inefficient.

I wasn’t ready to change all the things to HTTPS. How do I undo this?

Don’t panic

caniuse points out that no versions of IE support this header, so chances are lots of the site’s users aren’t affected.

Change your HTTP headers again

Don’t drop the Strict-Transport-Security header. The rule is cached in users’ browsers, and it will stick there even if the header is gone. Change it to something like this:

Header always set Strict-Transport-Security "max-age=0"

The next time a browser that has cached the Strict Transport Security rule visits your site over HTTPS, it should dump the rule out of its cache, because that’s what the proposed spec says it should do. The redirects from HTTP to HTTPS will stop.

Note that browsers ignore this header on sites requested over HTTP. Make the change on the HTTPS version of the site, or on both versions, but not just on HTTP.
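As an added illustration of the caching behaviour described above (a constructed model written for this post, not any real browser’s code; the `HstsCache` class and its method names are invented), the following simulates how a browser’s HSTS store reacts to the header: an entry is set only over HTTPS, it survives the header being dropped, an HTTP response cannot touch it, and `max-age=0` over HTTPS evicts it.

```python
import time
from urllib.parse import urlsplit

# Toy model of a browser's HSTS cache: host -> (expiry_epoch, include_subdomains)
class HstsCache:
    def __init__(self):
        self.entries = {}

    def parse_header(self, value):
        """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
        Returns None if the required max-age directive is missing or malformed."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            arg = arg.strip().strip('"')
            if name == "max-age":
                if not arg.isdigit():
                    return None
                max_age = int(arg)
            elif name == "includesubdomains":  # directive names are case-insensitive
                include_sub = True
        if max_age is None:
            return None
        return max_age, include_sub

    def observe(self, url, sts_header, now=None):
        """Process a response from `url` that carried `sts_header` (None if absent)."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https" or sts_header is None:
            return  # header over plain HTTP is ignored; a missing header changes nothing
        parsed = self.parse_header(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 evicts the cached rule
        else:
            self.entries[parts.hostname] = (now + max_age, include_sub)

    def upgrades(self, url, now=None):
        """Would the browser internally rewrite this http:// URL to https:// (the 307)?"""
        now = time.time() if now is None else now
        host = urlsplit(url).hostname
        for known, (expiry, include_sub) in self.entries.items():
            if expiry > now and (host == known or (include_sub and host.endswith("." + known))):
                return True
        return False
```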

Change your browser

Here are a few other posts that describe how to clear the setting out of your browser.

More info