307 Redirect to HTTPS Error When Accessing WEB in Chrome

Today when accessing a website, I suddenly encountered an error. It turned out that the website was being redirected to HTTPS, while the API service requests were still using HTTP. Chrome’s security policy intercepted this, causing the error.

Why did this HTTPS redirection suddenly appear? After investigation, I discovered it was caused by HSTS in Chrome.

Here’s a summary of the troubleshooting process for this issue.

307 Redirect

In the Network tab, you can see that the request gets a 307 redirect to HTTPS as soon as it is initiated. When a page on a secure HTTPS connection then makes insecure HTTP requests, the browser intercepts them, resulting in the error.

Who initiates the 307 redirect? In theory, either the backend server or the browser can do this. Checking the response, I found this header field:

Non-Authoritative-Reason: HSTS

Research revealed this is a browser security policy. After checking with operations and confirming that the service didn’t have HTTPS enabled, I determined this must be a local issue on my end.

HSTS

HTTP Strict Transport Security (HSTS) is an internet security policy mechanism published by the Internet Engineering Task Force. Websites can choose to use an HSTS policy to force browsers to use HTTPS for communication with the website, reducing the risk of session hijacking.

This means that through HSTS settings, a domain can be forced to always use HTTPS for communication. My issue was that the browser had enabled HSTS for this domain.

Removing a Site from HSTS Domain List

Now that the problem is identified, how do you remove this site configuration?

  1. Visit chrome://net-internals/#hsts
  2. In the Query HSTS/PKP domain field, enter the target domain and click search. If it’s found, it confirms the security policy is active.
  3. In the Delete domain security policies field, enter the target domain and click delete.

After successful deletion, when accessing the site via HTTP again, the HTTPS redirection issue should no longer occur.

Validity Period

I found that even after deleting the domain from HSTS, it might automatically switch back to HTTPS after some time, indicating there’s a validity period issue. I haven’t found a permanent solution yet - when this happens, just repeat the above operation.
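One way an HSTS policy can keep applying to a host after its own entry is deleted, shown as an added example that is not from the original post or from Chrome's source: a simplified JavaScript model of an HSTS store following RFC 6797, covering the mechanism described in the HSTS section and the validity period noted above. The host names, times, and the names `parseSts`, `HstsStore` and `scenario` are constructed for illustration.

```javascript
// Simplified model of an HSTS store following RFC 6797 (not Chrome's code).
// Host names and times are constructed for illustration.
// Parse a Strict-Transport-Security value; null when max-age is missing or invalid.
function parseSts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(';')) {
    const [rawName, rawVal = ''] = part.split('=');
    const name = rawName.trim().toLowerCase();
    const val = rawVal.trim().replace(/^"|"$/g, '');
    if (name === 'max-age' && /^\d+$/.test(val)) maxAge = Number(val);
    if (name === 'includesubdomains') includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.entries = new Map(); }
  // Record a response header; one received over plain HTTP is ignored.
  note(host, scheme, headerValue, nowSec) {
    const policy = scheme === 'https' ? parseSts(headerValue) : null;
    if (!policy) return;
    if (policy.maxAge === 0) this.entries.delete(host.toLowerCase()); // max-age=0 clears
    else this.entries.set(host.toLowerCase(), {
      expires: nowSec + policy.maxAge, includeSubDomains: policy.includeSubDomains });
  }

  // Modelled on "Delete domain security policies": removes one exact host only.
  remove(host) { this.entries.delete(host.toLowerCase()); }

  // Name of the entry that forces HTTPS for `host` at time nowSec, or null.
  upgradedBy(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return candidate;
    }
    return null;
  }
}

// Constructed scenario: deleting the API host's entry does not stop the upgrade.
function scenario() {
  const s = new HstsStore();
  s.note('example.test', 'https', 'max-age=31536000; includeSubDomains', 0);
  s.note('api.example.test', 'https', 'max-age=600', 0);
  s.remove('api.example.test');
  return s.upgradedBy('api.example.test', 60); // 'example.test'
}
```

In this model, a later HTTPS response carrying the header re-creates a removed entry through `note`, and a response with `max-age=0` is how a server clears it.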

Final Thoughts

  1. This method is only for solving the issue where a website doesn’t have HTTPS enabled, but the browser forces HTTPS usage, causing errors.

  2. Although this solves the problem, I still recommend implementing HTTPS, as it significantly improves security and is now considered a standard best practice for web development.