HTTP 307 Temporary Redirect Status Code
Over 40 server status codes are defined in the HTTP protocol, nine of which are specifically for URL redirections. Each redirect status code (HTTP 3xx) begins with the number 3 and has its own manner of processing redirections. While some of them are identical, they all approach the redirections in different ways.
To identify or correct website setup mistakes, you must first understand how each HTTP redirect status code works.
In this article, we’ll go over the meaning of the HTTP 307 Temporary Redirect and 307 Internal Redirect status codes, as well as how they differ from other 3xx redirect status codes.
Let’s get this party started!
Contents Table of Contents
What is an HTTP 307 Temporary Redirect?
What is HTTP 3xx Redirection and How Does It Work?
Different HTTP 3xx Redirections
Temporary Redirects: 302 vs. 303 vs. 307
Internal HTTP 307 Redirect for HTTPS-Only Sites
SEO and HTTP 307 Redirects
What is a Temporary HTTP 307 Redirect?
The 307 Temporary Redirect is defined by the Internet Engineering Task Force (IETF) as follows:
The 307 (Temporary Redirect) status code indicates that the target resource is temporarily located under a different URI, and that the user agent MUST NOT alter the request method if an automatic redirection to that URI is performed. Because the redirection may change in the future, the client should continue to use the original effective request URI for subsequent requests.
How does HTTP 3xx Redirection Work?
Let’s have a look at how HTTP redirection works before we get into the 307 Temporary Redirect and 307 Internal Redirect answers.
HTTP status codes are the server’s answers to the browser. Every status code is a three-digit number with the first digit indicating the answer type. A redirection is implied by the HTTP 3xx status codes. They instruct the browser to redirect to a new URL specified in the server’s response’s Location header.
An infographic depicting the process of HTTP 3xx status code redirection.
Redirections to HTTP 3xx at work
When your browser receives a redirection request from the server, it must first determine what type of request it is. These requests are handled by the various HTTP 3xx redirect status codes. Understanding 307 Temporary Redirect and 307 Internal Redirect will be easier if we know all of them.
The Various HTTP 3xx Redirections
HTTP 3xx redirect status codes come in a variety of forms. The 307 Temporary Redirect and 308 Permanent Redirect responsibilities were supposed to be covered by 301 Moved Permanently and 302 Found, respectively, in the original HTTP standard.
Despite the fact that the HTTP specification does not allow it, most clients altered the HTTP request method for 301 and 302 redirect answers from POST to GET. Because to this behavior, the HTTP/1.1 update included the stricter 307 Temporary Redirect and 308 Permanent Redirect status codes.
The HTTP 307 Internal Redirect response is a subset of the status code 307 Temporary Redirect. It is a local browser implementation that is not defined by the HTTP standard. We’ll go over everything in further depth later.
While some redirect status codes, such as 301 and 308, are cached, others, such as 302 and 307, are not. By adding a Cache-Control or Expires response header field to all redirect responses, you can make them cacheable (or not).
A flowchart depicting the many forms of HTTP redirection.
HTTP redirects aren’t difficult to set up.
Temporary Redirects: 302 vs. 303 vs. 307
You have three possibilities for temporary redirection, as shown in the table above: 302, 303, or 307. Most clients, on the other hand, interpret a 302 status code as a 303 answer and switch the HTTP request method to GET. From a security sense, this isn’t ideal.
“The client is not authorized to change the method on a redirected request, according to RFC 1945 and RFC 2068. Regardless of the initial request type, most existing user agent implementations treat 302 as if it were a 303 response, performing a GET on the Location field-value. The status codes 303 and 307 have been added for servers who want to make it very obvious what kind of response the client should expect.”
— W3.org, HTTP/1.1 Status Code Definitions
Use the stricter HTTP 307 Temporary Redirect response for temporary redirection where the HTTP request method must be maintained.
Redirecting /register-form.html to /signup-form.html or /login.php to /signin php, for example.
Use the 303 See Other answer instead if you need to modify the redirect request method to GET.
For example, using a GET request to redirect a POST request from the /register.php page to the /success.html page.
Avoid utilizing the 302 Found redirect response unless your target audience uses legacy clients.
Internal HTTP 307 Redirect for HTTPS-Only Sites
If you have an HTTPS-only site (which you should), your browser will immediately redirect you to the secure https:// version if you visit it insecurely via ordinary http://. Typically, this occurs when the server responds with a 301 Moved Permanently redirect answer.
For example, you can view all the queries performed between the browser and the server if you go to http://citibank.com and open DevTools in Chrome and select the Network tab.
The first answer is 301 Moved Permanently, which sends the browser to the site’s HTTPS version.
A 301 Moved Permanently redirect to HTTPS version example
The HTTPS version is redirected with a 301 response.
We can see that the Location response header indicates what the secure URL for the redirection is if we look deeper into the Headers fields of the first request.
In-depth examination of the headers of the 301 response
The redirection URL is defined by the location response header.
The problem with this method is that malicious actors can use the network connection to redirect the browser to a different URL. This type of Man-in-the-Middle (MITM) attack is rather widespread. It was even parodied in one of the episodes of a popular TV show.
An MITM attack can also be launched without modifying the URL displayed in the browser’s address bar. For example, the user may be directed to a phishing page that seems identical to the legitimate site.
Most users will be delighted to punch in their credentials because everything seems the same, even the URL in the address box. You can see how this could be problematic.
Without HSTS 301 redirects to HTTPS, how unsafe HTTP requests are handled is not secure.
HTTP 307 Internal Redirects are secure redirects.
Let’s take the same scenario and apply it to Kinsta. As illustrated in the screenshot below, visiting GreggHosting results in network queries.
On Kinsta.com, an example of a 307 Internal Redirect.
A 307 Internal Redirect example
The site’s first request is similar to the previous example, except it results in a 307 Internal Redirect answer this time. By clicking on it, we can learn more about this reaction.
Note that if you go to the site directly with https://, you won’t see this header because your browser won’t need to redirect you.
Do you want to discover how we grew our traffic by over 1000%?
Join the 20,000+ people who receive our weekly email with WordPress insider secrets!
Now is the time to subscribe.
In-depth investigation of the 307 Internal Redirect response on Kinsta.com Response headers for the 307 Internal Redirect response
The Non-Authoritative-Reason: HSTS response header should be noted. The Strict Transport Security (HSTS) response header of HTTP is also known as the Strict-Transport-Security response header.
What Is HSTS (Strict Transport Security) and What Does It Mean?
In 2012, the Internet Engineering Task Force (IETF) ratified HTTP Strict Transport Security (HSTS), which requires browsers to use secure connections when a site is only accessible through HTTPS.
“I won’t even try to request this site or any of its resources through the insecure HTTP protocol,” Chrome or Firefox says. Instead, I’ll switch to HTTPS and give it another shot.”
You can get HSTS up and running on your WordPress website by following Kinsta’s advice on how to enable it.
HSTS’s handling of unsafe HTTP requests
With a 307 Internal Redirect answer, you’ll have more security.
We’ll gain a better idea by looking at the response header of the second request.
On the second request, verifying the HSTS response header
HSTS response header verification
The strict-transport-security: max age=31536000 response header may be seen here.
The strict-transport-security response header’s max-age attribute specifies how long the browser should stick to this pattern. This value is set to 3153600 seconds in the example above (or 1 year).
The browser will not even attempt to make a conventional HTTP request after a site delivers this response header. Instead, it’ll attempt again after a 307 Internal Redirect to HTTPS.
The response headers are reset each time this process is repeated. As a result, the browser will be unable to make an unsafe request indefinitely.
If you host your site with Kinsta, you may request that the HSTS header be applied to your WordPress site by submitting a support issue. It is advised that you enable HSTS for your site since adding the HSTS header improves performance.
What Is a HSTS Preload List, and Why Do I Need One?
Even with HSTS, there’s a major security flaw. The first HTTP request you make with your browser is insecure, repeating the Citibank issue.
Are you tired of having problems with your WordPress site? With Kinsta, you’ll get the best and fastest Hosting support! Take a look at our plans.
Furthermore, because the HSTS response header can only be provided over HTTPS, the original insecure request will be ignored.
HSTS includes a preload attribute in its response header to alleviate this issue. The goal is to compile a list of sites that require HSTS to be preloaded in the browser, completely circumventing the security issue.
Even if it’s viewing your site for the first time, adding your site to the browser’s HSTS preload list will inform it that your site follows a strict HSTS policy. Before asking anything else, the browser will utilize the 307 Internal Redirect response to redirect your site to its secure https:// scheme.
The 307 Internal Redirect response, unlike the 307 Temporary Redirect, is a “false header” set by the browser itself. It’s not coming from the server, the web host (such as Kinsta), or the content management system (CMS) (e.g. WordPress).
There are numerous benefits to adding a site to a HSTS preload list:
Insecure HTTP requests are never seen by the web server. This minimizes server load and improves site security.
The redirection from HTTP to HTTPS is handled by the browser, making the site faster and more secure.
Preload List Requirements for HSTS
If you want your site to be added to a browser’s HSTS preload list, it must meet the following criteria:
Install a valid SSL/TLS certificate on your domain.
Redirect all HTTP traffic to HTTPS to enforce tight HTTPS.
All subdomains, including the www subdomain, should be delivered over HTTPS if a DNS record for that subdomain exists.
An HSTS header with the following attributes should be included in your base domain:
At least 31536000 seconds must be specified in the max-age attribute (1 year).
These consist of
Preload directives and subdomains must be supplied.
The HSTS header, not the page it redirects to, must be included if you’re serving an additional redirect.
Important
It can be difficult and time-consuming to have your website removed from the HSTS preload list (up to 12 weeks or more). Only enable HSTS if you’re 100% committed to using HTTPS on your website. By filling out a form on hstspreload.org, you can have your site removed from the HSTS preload list.
Adding Your Site to the HSTS Preload List hstspreload.org has a submission form for the HSTS preload list.
Submission of the HSTS preload list
You can add your site to the HSTS preload list in two ways.
By submitting your website to a preload list directory maintained by HSTS. For example, the Chromium open source project maintains the hstspreload.org master list, which is utilized by most major browsers (Firefox, Chrome, Safari, IE 11 and Edge).
You can do this by using the following header field in your site:
max-age=63072000; includeSubDomains; preload Strict-Transport-Security: max-age=63072000; include SubDomains; preload
With the second option, the browser’s first visit to your site will not be completely safe. Subsequent visits, on the other hand, will be completely secure.
hstspreload.org has a submission form for the HSTS preload list.
Mozilla’s HSTS Preload List in action
You may check whether your site is enforcing HSTS using a free web tool like Security Headers. If you’re concerned about browser support for HSTS, rest assured that it’s supported by practically every browser currently in use.
CanIUse.com now supports the HSTS browser.
HSTS is well-supported by all major browsers.
HTTP 307 Redirects and SEO
Search engines do not update their index to incorporate this new URL because a 307 Temporary Redirect response indicates that the resource has temporarily relocated to a new URL. The original URL’s ‘link-juice’ is not passed on to the new URL.
301 Moved Permanently redirects, on the other hand, cause search engines to update their index to include the new URL and pass on the ‘link-juice’ from the old URL to the new URL.
Everything happens at the browser level with a 307 Internal Redirect response. As a result, it should have no direct impact on the SEO of your website. Adding your site to a HSTS preload list, on the other hand, makes it load faster and safer, which can help it rank better in search results.
Make sure you don’t accidentally send users and bots into an infinite redirection cycle, which would result in the ‘too many redirects’ issue.
HTTP 3xx redirect status codes come in a variety of forms. Today we’ll look at HTTP 307 Temporary Redirect status codes… meet you on the other side! 🛤
TO TWEET, CLICK HERE
Summary
You can assign multiple URL addresses to a webpage using URL redirection. HTTP 3xx redirect status code answers are the best approach to manage URL redirections at the server level. You can use a 307 Temporary Redirect response to temporarily redirect your site to another URL if it is down for maintenance or unavailable for other reasons.
As a result, any redirection adds to the time it takes for your website to load. As a result, employ redirections sparingly while always keeping the end user’s experience in mind.
Save time, money, and improve site performance by using:
Expert WordPress hosting assistance is available 24 hours a day, 7 days a week.
Integration with Cloudflare Enterprise.
With 29 data centers across the world, we can reach a global audience.
With our built-in Application Performance Monitoring, you can improve your performance.
All of this and more is included in a single plan that includes no long-term obligations, aided migrations, and a 30-day money-back guarantee. Check out our plans or speak with a sales representative to find the ideal plan for you.