In an ongoing project, our SEO team asked about the redirect from http links to https with status code 307. They asked to investigate it.
So what I did was check via Chrome to confirm that the status is 307: confirmed.
Then checked via curl:
HTTP/1.1 308 Permanent Redirect
Date: Fri, 29 Sep 2023 07:18:39 GMT
Content-Type: text/html
Connection: keep-alive
Location: https://www.myawesomewebsite.com/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=P6yg%2BjejmGcvOb%2F3362PZw77jJcgK7iN9YBGi6Vk%2F%2FBFINno9PtWIrCnUgEh2%2FmK5pJCJ764%2BsSnldGXqHMd8zLzxrzweMuzYtJMlEG5uZPXsF1oDO9cNT9cIFbNzg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 80e274134b985b99-VIE
308 status when it should be 307.
Then I checked more carefully in DevTools, et voilà:
Cross-Origin-Resource-Policy: Cross-Origin
Location: https://www.myawesomewebsite.com/
Non-Authoritative-Reason: HSTS
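So what I learned today:
The HSTS header makes the browser redirect from HTTP to HTTPS (secure) automatically on the client side, protecting websites against man-in-the-middle attacks and cookie hijacking. Chrome shows that internal redirect as a 307 with Non-Authoritative-Reason: HSTS, while curl, which does not apply HSTS by default, gets the server's own 308 response.
Example of how it can be set:
Strict-Transport-Security: max-age=3600; includeSubDomains; preload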
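To check a policy like the one above and to tell the two redirects apart programmatically, here is an added example (not code from the original post). The function names are hypothetical, and the one-year preload threshold is the hstspreload.org submission requirement, not something stated in the post.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) or raise ValueError."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not name:
            continue  # empty directives ("a; ; b") are allowed
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as the RFC requires.
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def preload_problems(policy):
    """List reasons this policy would not qualify for the browser preload list."""
    problems = []
    if policy["max_age"] < PRELOAD_MIN_AGE:
        problems.append("max-age below 31536000")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    return problems

def redirect_origin(status, headers):
    """Classify a redirect from DevTools: 'browser-hsts', 'server' or 'none'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("non-authoritative-reason", "").upper() == "HSTS":
        return "browser-hsts"  # synthesized locally, no HTTP request was sent
    return "server" if 300 <= status < 400 else "none"

if __name__ == "__main__":
    # Header value taken from the example in this post.
    p = parse_hsts("max-age=3600 ; includeSubDomains; preload")
    print(p, preload_problems(p))
```

Run against the example header from this post, it reports that max-age=3600 is too short for the `preload` directive to have any effect on preload-list eligibility.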
Helpful links:
https://stackoverflow.com/a/28595295
https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/