307 Redirect to HTTPS Error When Accessing a Website in Chrome
Today when accessing a website, I suddenly encountered an error. It turned out that the website was being redirected to HTTPS, while the API service requests were still using HTTP. Chrome’s security policy intercepted this, causing the error.
Why did this HTTPS redirection suddenly appear? After investigation, I discovered it was caused by HSTS in Chrome.
Here’s a summary of the troubleshooting process for this issue.
307 Redirect
In the Network tab of the developer tools, you can see that the request, once issued, receives a 307 redirect to HTTPS. Once the page itself is loaded over HTTPS, any plain-HTTP requests it makes are treated as insecure and the browser blocks them, which produces the error.
Who initiates the 307 redirect? In theory, either the backend server or the browser can do this. Checking the response, I found this header field:
Non-Authoritative-Reason: HSTS
Research revealed this is a browser security policy. After checking with operations and confirming that the service didn’t have HTTPS enabled, I determined this must be a local issue on my end.
HSTS
HTTP Strict Transport Security (HSTS) is a web security policy mechanism specified by the Internet Engineering Task Force (RFC 6797). A website can declare an HSTS policy through the Strict-Transport-Security response header to require browsers to use only HTTPS when communicating with it, which reduces the risk of protocol downgrade and session hijacking.
In other words, once an HSTS policy is recorded for a domain, the browser forces all communication with that domain over HTTPS. My issue was that my browser had recorded an HSTS entry for this domain.
Removing a Site from the HSTS Domain List
Now that the problem is identified, how do you remove this site configuration?
- Visit chrome://net-internals/#hsts
- In the "Query HSTS/PKP domain" field, enter the target domain and click search. If it is found, the security policy is active for that domain.
- In the "Delete domain security policies" field, enter the target domain and click delete.
After successful deletion, when accessing the site via HTTP again, the HTTPS redirection issue should no longer occur.
Validity Period
I found that even after deleting the domain from HSTS, it might automatically switch back to HTTPS after some time, indicating there’s a validity period issue. I haven’t found a permanent solution yet - when this happens, just repeat the above operation.
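To make the mechanism concrete, here is an added example that is not part of the original post and is not Chrome's code: a small Node.js model of a browser's HSTS store following RFC 6797. It shows the header being accepted only over HTTPS, a parent domain's includeSubDomains covering an API host, the http-to-https rewrite, and the entry lapsing after max-age. Hostnames and header values are constructed; it assumes Node.js 14 or later for the WHATWG URL class and the `??` operator.

```javascript
// Added example, not Chrome's code: a minimal browser HSTS store with RFC 6797
// semantics. A plain-HTTP request to a covered host is rewritten to HTTPS before
// it leaves the browser (Chrome reports this as an internal 307 with
// Non-Authoritative-Reason: HSTS), and the entry lapses once max-age elapses.
class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.entries = new Map();  // host -> { expires (ms), includeSubDomains }
  }
  // Parse "max-age=31536000; includeSubDomains"; null when max-age is missing.
  static parseHeader(value) {
    let maxAge = null, includeSubDomains = false;
    for (const raw of value.split(';')) {
      const [name, val = ''] = raw.split('=').map((s) => s.trim().toLowerCase());
      if (name === 'max-age' && /^"?\d+"?$/.test(val)) maxAge = Number(val.replace(/"/g, ''));
      else if (name === 'includesubdomains') includeSubDomains = true;
    }                          // unknown directives are ignored, per the RFC
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }
  // Record a policy. The header counts only when received over HTTPS, so a
  // backend that speaks only HTTP cannot set HSTS for itself. Header names are
  // assumed lowercase, as Node's http module delivers them.
  observeResponse(url, headers) {
    const u = new URL(url);
    const policy = HstsStore.parseHeader(headers['strict-transport-security'] ?? '');
    if (u.protocol !== 'https:' || policy === null) return false;
    const expires = this.now() + policy.maxAge * 1000;   // max-age=0 expires at once
    this.entries.set(u.hostname, { expires, includeSubDomains: policy.includeSubDomains });
    return true;
  }
  // Covered if the host, or a parent domain whose entry has includeSubDomains,
  // holds an unexpired entry. Expired entries are dropped when encountered.
  isKnownHost(host) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
  // The browser-side upgrade: http:// becomes https:// for a covered host.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHost(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}
```

Deleting a host from the store only helps until the browser next receives a valid header over HTTPS for that host or for a parent domain with includeSubDomains, which is what re-creates the entry.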
Final Thoughts
This method only addresses the case where a website does not have HTTPS enabled but the browser forces HTTPS anyway, causing errors.
Although this solves the problem, I still recommend implementing HTTPS, as it significantly improves security and is now considered a standard best practice for web development.