What s the difference between a 302 and a 307 redirect

Question

What s the difference between a 302 FOUND and a 307 TEMPORARY REDIRECT HTTP response   The W3 spec seems to indicate that they re both used for temporary redirects  and neither can be cached unless the response specifically allows it

User · Answer

In some use cases  307 redirects might be abused by an attacker to learn the victim s credentials   Further information can be found in section 3 1 of A Comprehensive Formal Security Analysis of OAuth 2 0   The authors of the above paper suggest the following      Fix  Contrary to the current wording in the OAuth standard  the exact method of the redirect is not an implementation detail but essential for the security of OAuth  In the HTTP standard  RFC 7231   only the 303 redirect is defined unambigiously to drop the body of an HTTP POST request  All other HTTP redirection status codes  including the most commonly used 302  leave the browser the option to preserve the POST request and the form data  In practice  browsers typically rewrite to a GET request  thereby dropping the form data  except for 307 redirects  Therefore  the OAuth standard should require 303 redirects for the steps mentioned above in order to fix this problem

User · Answer

307 came about because user agents adopted as a de facto behaviour to take POST requests that receive a 302 response and send a GET request to the Location response header   That is the incorrect behaviour  mdash  only a 303 should cause a POST to turn into a GET   User agents should  but don t  stick with the POST method when requesting the new URL if the original POST request returned a 302   307 was introduced to allow servers to make it clear to the user agent that a method change should not be made by the client when following the Location response header

User · Answer

EXPECTED for 302  redirect uses same request method POST on NEW URL  CLIENT POST OLD URL - gt  SERVER 302 NEW URL - gt  CLIENT POST NEW URL   ACTUAL for 302  303  redirect changes request method from POST to GET on NEW URL  CLIENT POST OLD URL - gt  SERVER 302 NEW URL - gt  CLIENT GET NEW URL  redirect uses GET  CLIENT POST OLD URL - gt  SERVER 303 NEW URL - gt  CLIENT GET NEW URL  redirect uses GET    ACTUAL for 307  redirect uses same request method POST on NEW URL  CLIENT POST OLD URL - gt  SERVER 307 NEW URL - gt  CLIENT POST NEW URL

User · Answer

A good example of the 307 Internal Redirect in action is when Google Chrome encounters a HTTP call to a domain it knows as requiring Strict Transport Security   The browser redirects seamlessly  using the same method as the original call

User · Answer

Originally there was just 302     Response What browsers should do     302 Found Redo request with new url     The idea is that   if you were doing a GET at some location  you would redo your GET to the new URL if you were doing a POST at some location  you would redo your POST to the new URL if you were doing a PUT at some location  you would redo your PUT to the new URL if you were doing a DELETE at some location  you would redo your DELETE to the new URL etc  Unfortunately every browser did it wrong  When getting a 302  they would always switch to GET at the new URL  rather than retrying the request with the same verb  e g   POST    Mosaic did it wrong Netscape copied the bugs in Mosaic  so they got it wrong Internet Explorer copied the bugs in Netscape  so they got it wrong  It became de-facto wrong  All browsers got 302 wrong  So 303 and 307 were created      Response What browsers should do What browsers actually do     302 Found Redo request with new url GET with new url   303 See Other GET with new url GET with new url   307 Temporary Redirect Redo request with new url Redo request with new url    In chart form The 5 different kinds of redirects   ------------------------------------------------------------                                 Switch to GET                                     ------------------------------------------------      Temporary             No                       Yes                ----------- ------------------------ -----------------------      No           308 Permanent Redirect    301 Moved Permanently      ----------- ------------------------ -----------------------      Yes          307 Temporary Redirect    303 See Other                            302 Found  intended       302 Found  actual         ------------------------------------------------------------   Alternatively      Response Switch to get  Temporary      301 Moved Permanently No No   302 Found  intended  No Yes   302 Found  actual  Yes Yes   303 See Other Yes Yes   307 Temporary Redirect No Yes   308 Permanent Redirect No No

User · Answer

301  permanent redirect  the URL is old and should be replaced  Browsers will cache this  Example usage  URL moved from  register-form html to signup-form html  The method will change to GET  as per RFC 7231   For historical reasons  a user agent MAY change the request method from POST to GET for the subsequent request   302  temporary redirect  Only use for HTTP 1 0 clients  This status code should not change the method  but browsers did it anyway  The RFC says   Many pre-HTTP 1 1 user agents do not understand  303   When interoperability with such clients is a concern  the 302 status code may be used instead  since most user agents react to a 302 response as described here for 303   Of course  some clients may implement it according to the spec  so if interoperability with such ancient clients is not a real concern  303 is better for consistent results  303  temporary redirect  changing the method to GET  Example usage  if the browser sent  POST to  register php  then now load  GET   success html  307  temporary redirect  repeating the request identically  Example usage  if the browser sent a POST to  register php  then this tells it to redo the POST at  signup php  308  permanent redirect  repeating the request identically  Where 307 is the  no method change  counterpart of 303  this 308 status is the  no method change  counterpart of 301    RFC 7231  from 2014  is very readable and not overly verbose  If you want to know the exact answer  it s a recommended read  Some other answers use RFC 2616 from 1999  but nothing changed   RFC 7238 specifies the 308 status  It is considered experimental  but it was already supported by all major browsers in 2016

User · Answer

302 is temporary redirect  which is generated by the server whereas 307 is internal redirect response generated by the browser  Internal redirect means that redirect is done automatically by browser internally  basically the browser alters the entered url from http to https in get request by itself before making the request so request for unsecured connection is never made to the internet  Whether browser will alter the url to https or not depends upon the hsts preload list that comes preinstalled with the browser  You can also add any site which support https to the list by entering the domain in the hsts preload list of your own browser which is at chrome   net-internals  hsts One more thing website domains can be added by their owners to preload list by filling up the form at https   hstspreload org  so that it comes preinstalled in browsers for every user even though I mention you can do particularly for yourself also    Let me explain with an example   I made a get request to http   www pentesteracademy com which supports only https and I don t have that domain in my hsts preload list on my browser as site owner has not registered for it to come with preinstalled hsts preload list   GET request for unsecure version of the site is redirected to secure version see http header named location for that in response in above image    Now I add the site to my own browser preload list by adding its domain in Add hsts domain form at chrome   net-internals  hsts  which modifies my personal preload list on my chrome browser Be sure to select include subdomains for STS option there  Let s see the request and response for the same website now after adding it to hsts preload list    you can see the internal redirect 307 there in response headers  actually this response is generated by your browser not by server  Also HSTS preload list can help prevent users reach the unsecure version of site as 302 redirect are prone to mitm attacks  Hope I somewhat helped you understand more about redirects

User · Answer

Also  for server admins  it may be important to note that browsers may present a prompt to the user if you use 307 redirect   For example   Firefox and Opera would ask the user for permission to redirect  whereas Chrome  IE and Safari would do the redirect transparently    per Bulletproof SSL and TLS  page 192

User · Answer

The difference concerns redirecting POST  PUT and DELETE requests and what the expectations of the server are for the user agent behavior  RFC 2616       Note  RFC 1945 and RFC 2068 specify that the client is not allowed to   change the method on the redirected   request   However  most existing user   agent implementations treat 302 as if   it were a 303 response  performing a   GET on the Location field-value   regardless of the original request   method  The status codes 303 and 307   have been added for servers that wish   to make unambiguously clear which kind   of reaction is expected of the   client    Also  read Wikipedia article on the 30x redirection codes

[http] What's the difference between a 302 and a 307 redirect?

Examples related to http

Examples related to redirect