The other day, Jack Stonehouse asked me on Twitter why I was using a 307 redirect from the HTTP to HTTPS version of this site. The answer was, I was not. But why was he getting a 307 redirect and not a 301 redirect?
As you remember, I migrated this site from HTTP to HTTPS in August. I wanted to score an A+ rating Qualys SSL Labs on security and the only way to do that was to enable HTTP Strict Transport Security with a long duration. So we set the header to read Header set Strict-Transport-Security "max-age=31536000" env=HTTPS, which means that if someone tries to force HTTP on this site, even in a year from now, it will force the browser (via cache) to go to HTTPS.
So if you visit this site on your browser via the non HTTP URL, and then come back, your browser tool, such as the Ayima chrome extension, will show a 307, because they don't handle the HTTP Strict Transport Security response properly. Here is a screen shot:
But if you use CURL, you get a 301 or if you use fetch as GoogleBot within Google Webmaster Tools, you get a 301:
So how did we configure this?
# if not ssl
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# if IS ssl
SetEnvIf X-Forwarded-Proto https HTTPS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
You can learn more about HTTP Strict Transport Security on Wikipedia. But in short, the browser and redirect tools need to support this as more and more adopt this protocol.
When I asked John Mueller at Google about this, he was confused, as most people are. He asked me why I don't use a 301 redirect on Twitter.
I am assuming Google handles this as a 301 based on my digging into it.
Forum discussion at Twitter.
