May 05, 2015
Are you seeing 307 status codes in your network traffic inspector while debugging your site lately and feeling confused? Ask yourself:
Have I copied and pasted any code from https://cipherli.st into the web server’s configuration lately and accessed the site over HTTPS?
The Strict-Transport-Security header line in that snippet is probably responsible, and removing it from your server’s configuration files will not revert the change it has already made in users’ browsers.
It tells your browser to only communicate with the host over HTTPS, which is a great idea if your website is ready for it. If you are seeing 307 redirects, your HTTPS site is still making HTTP requests for insecure content; the browser rewrites each of those requests to HTTPS before sending it, which is what shows up as a 307, and that is inefficient.
If includeSubdomains is included in the header, then all present and future subdomains must support SSL too. Got a wildcard SSL certificate?
caniuse points out that no versions of IE support this header, so chances are lots of the site’s users aren’t affected.
Don’t drop the Strict-Transport-Security header. The rule is cached in users’ browsers, and it will stay there even if the header is gone. Change it to something like this:
Header always set Strict-Transport-Security "max-age=0"
The next time a browser that has cached the Strict-Transport-Security rule visits your site over HTTPS, it should drop the rule from its cache, because that’s what the proposed spec says it should do. The redirects from HTTP to HTTPS will stop.
Note that browsers ignore this header on responses served over HTTP. Make the change on the HTTPS version of the site, or on both versions, but not just on HTTP.
Here are a few other posts that describe how to clear the setting out of your browser.
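The browser-side behaviour this post relies on (the header is ignored over plain HTTP, max-age=0 evicts the cached rule, includeSubdomains widens it to subdomains, and a cached rule turns http:// requests into upgrades) as a small Python model of an HSTS cache. This is an added example written for this post, not code from the original; the cache dictionary and the function names are hypothetical, and the policy follows RFC 6797.

```python
from urllib.parse import urlsplit

# Constructed model of a browser's HSTS cache: host -> (expiry_time, include_subdomains)
def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains); None if malformed."""
    max_age = None
    include_sub = False
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # max-age must be an integer, else the header is ignored
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None  # max-age is mandatory
    return max_age, include_sub

def process_response(cache, url, header_value, now):
    """Apply a response's HSTS header to the cache: ignored over HTTP, max-age=0 evicts, else (re)store."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return  # browsers ignore the header on HTTP responses
    parsed = parse_hsts(header_value)
    if parsed is None:
        return
    max_age, include_sub = parsed
    host = parts.hostname
    if max_age == 0:
        cache.pop(host, None)  # this is what the max-age=0 fix relies on
    else:
        cache[host] = (now + max_age, include_sub)

def should_upgrade(cache, url, now):
    """True if the browser would rewrite this http:// URL to https:// (the 307 seen in the inspector)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    labels = parts.hostname.split(".")
    # Walk from the exact host up through its parent domains; a parent only
    # applies when it was stored with includeSubdomains.
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False
```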