chromium/hstspreload.org

HTTP 497 not accepted as HTTP -> HTTPS redirect

reedy opened this issue · 3 comments

reedy commented

In nginx you can use an HTTP 497 as a way to redirect HTTP to HTTPS... Should this be supported by hstspreload.org? Or should I really be reconfiguring the server to use a 301?

497 is an unofficial HTTP status code, and as far as I know is not recognized by any web browsers. From what I've read of the nginx documentation for that status code, it sounds like it's used to indicate an error when an HTTP request was sent to the HTTPS port (e.g. a plaintext request received on port 443 instead of a TLS ClientHello), and would be used in conjunction with the error_page directive.

If a server is intending to redirect a user from one location to another (e.g. from http to https), that server should be serving a redirect status code that browsers understand (a 3xx code), and for HSTS this redirect is permanent, hence the requirement for a 301. hstspreload.org should not support 497.

I agree with @nharper's assessment.

301 and 308 are the appropriate standardized permanent redirect codes.
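The two nginx configurations the thread contrasts, as an added example (not from the issue or from the hstspreload.org project): the first relies on the nginx-specific 497 code as the HTTP -> HTTPS redirect, the second serves a standard 301 on port 80 and keeps 497 only for its documented purpose, a plaintext request arriving on the TLS port. The hostname, certificate paths and header values are assumptions for the sake of illustration.

```nginx
# --- Not accepted by hstspreload.org ---
# No listener on port 80 at all; plaintext requests that happen to hit
# port 443 trigger nginx's internal 497 ("plain HTTP request sent to HTTPS
# port"). 497 is not a standard status code and browsers do not treat it as a
# redirect, so there is no recognised HTTP -> HTTPS redirect for the checker
# (or a user) to follow.
server {
    listen 443 ssl;
    server_name example.com;                       # assumed hostname
    ssl_certificate     /etc/nginx/certs/example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # assumed path
    # Without error_page, the client simply receives a 497 response.
}

# --- Accepted: standard permanent redirect ---
# Port 80 answers every plaintext request with a 301 to the same host over
# HTTPS, which is what browsers and hstspreload.org understand.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # 497 is only raised for plaintext sent to this TLS port. The "=301"
    # rewrites the response code so the client sees a real permanent redirect
    # instead of the unofficial 497.
    error_page 497 =301 https://$host$request_uri;

    # HSTS header with the preload-list requirements (one year minimum,
    # includeSubDomains, preload); "always" keeps it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
```

The preload checker follows the chain starting from http://example.com/, so the port-80 `return 301` is the part that matters; the `error_page 497 =301` line only covers clients that talk plaintext to port 443 and does not substitute for a port-80 listener.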

reedy commented

Fair enough. Thanks for confirming :)