Fetch from origin if non-SSL request

The redirect you are referring to is not a redirect in the first place as that is something the browser runs internally. Firefox for example doesn’t show it.

Try it with a different browser or reset your Chrome and the first request shouldn’t show a 307.

1 Like

I see that Firefox is not showing a double redirect.
Safari is doing a 302 Found and then a 301.
Chrome is doing a 307 Internal Redirect and then a 301.

What’s up with Safari?!

Thank you for all your help.


1 Like

Maybe Safari is doing a 302 internally as well.

Point is, for HTTP there is only one redirect 🙂

$ curl -I http://www.daniweb.com/forums/thread123.html
HTTP/1.1 301 Moved Permanently
Date: Thu, 11 Jun 2020 20:52:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: https://www.daniweb.com/hardware-and-software/networking/threads/123/netware-is-solid
Vary: Accept-Encoding
CF-Cache-Status: EXPIRED
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.2.19
Server: cloudflare
alt-svc: h3-27=":443"; ma=86400

1 Like

Very strange that each browser does something completely different.

That being said, is your recommendation for HSTS to increase it to a year? There is no reason I could ever think of to go back to non-HTTPS. Are there additional benefits in increasing it to a year and then being included in hstspreload?

1 Like

The internal redirect is just your browser's way of telling you what is happening, and it’s not really a redirect.

1 Like

It probably does not really matter. You will need one year if you want to be “preloaded” but apart from that it really does not matter. Purely from a security point of view and if you do not plan to go back you might want to set the maximum period.

1 Like

I entered daniweb.com into the form at hstspreload.org (never heard of this site before you pointed it out to me) and I am getting the following error (aside from max-age too low):

http://daniweb.com (HTTP) should immediately redirect to https://daniweb.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.daniweb.com/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

Basically it’s telling me to implement a double redirect. I just went through all of this to get rid of a double redirect.

What do I do?! Can you point me to a resource that shows me the benefits of being accepted to the HSTS preload list? If I don’t meet the requirements, should I just turn off HSTS entirely in Cloudflare?

1 Like

From an SEO perspective, you might want to follow Google’s own advice: start with a low max-age, monitor for issues, then increase gradually. Add the site to the preload list last (emphasis added by me):

  1. Roll out your HTTPS pages without HSTS first.
  2. Start sending HSTS headers with a short max-age. Monitor your traffic both from users and other clients, and also dependents’ performance, such as ads.
  3. Slowly increase the HSTS max-age.
  4. If HSTS doesn’t affect your users and search engines negatively, you can, if you wish, ask your site to be added to the HSTS preload list used by most major browsers.

from: https://support.google.com/webmasters/answer/6073543?hl=en

1 Like
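The hstspreload.org error quoted above (apex http must redirect to apex https before the www hop), the max-age minimum, and the gradual max-age rollout in Google's steps can all be checked offline from a captured redirect chain. The following is an added example, not code from this thread, from hstspreload.org or from Cloudflare; the `Response` objects and the two chains are constructed sample data (hypothetical `example.com`), not captures of daniweb.com, and the 6-month/1-year/2-year values are the ones the thread discusses.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Thresholds discussed in the thread: preload requires at least one year,
# hstspreload.org's deployment advice is two years.
ONE_YEAR = 31536000
TWO_YEARS = 63072000


@dataclass
class Response:
    """Minimal stand-in for one HTTP response in a redirect chain (constructed)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into a directive dict.

    Directive names are case-insensitive (RFC 6797); max-age is returned
    as an int, flag directives (includeSubDomains, preload) as True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives


def check_preload_header(header: str) -> list:
    """Return the reasons a header fails the preload requirements ([] if none)."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("max-age missing")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age too low: {max_age} < {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_redirect_chain(chain: list) -> list:
    """Check a chain starting at http://<apex>/.

    The first hop must land on https:// for the same host, so that a browser
    records HSTS for the apex and not only for www; later hops must stay https.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    first, apex = chain[0], urlsplit(chain[0].url)
    if apex.scheme != "http":
        return [f"chain must start at http://, got {first.url}"]
    if first.status not in (301, 302, 307, 308):
        problems.append(f"first hop is {first.status}, not a redirect")
    location = first.headers.get("Location", "")
    target = urlsplit(location)
    if target.scheme != "https" or target.hostname != apex.hostname:
        problems.append(f"first redirect should go to https://{apex.hostname}/, got {location!r}")
    for resp in chain[1:]:
        if urlsplit(resp.url).scheme != "https":
            problems.append(f"hop to non-https URL {resp.url}")
    return problems


def audit(chain: list) -> list:
    """Redirect-chain check plus HSTS check on the final response."""
    problems = check_redirect_chain(chain)
    hsts = chain[-1].headers.get("Strict-Transport-Security") if chain else None
    if hsts is None:
        problems.append("no Strict-Transport-Security header on final response")
    else:
        problems.extend(check_preload_header(hsts))
    return problems


# Constructed sample: the shape hstspreload.org complains about (apex http
# straight to https://www.) with Cloudflare's 6-month default max-age.
BAD_CHAIN = [
    Response("http://example.com/", 301, {"Location": "https://www.example.com/"}),
    Response("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=15768000"}),
]

# Constructed sample that meets the requirements: apex http -> apex https first.
GOOD_CHAIN = [
    Response("http://example.com/", 301, {"Location": "https://example.com/"}),
    Response("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    Response("https://www.example.com/", 200,
             {"Strict-Transport-Security": f"max-age={TWO_YEARS}; includeSubDomains; preload"}),
]

if __name__ == "__main__":
    for name, chain in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN)):
        print(name, audit(chain) or "OK")
```

To run this against a live site you would fill the `Response` list from the `curl -I` output shown earlier in the thread, one object per hop; the check is deliberately kept offline here so the expected findings are reproducible.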

Thanks! I have a plan in place now and everything is working as intended.

2 Likes

One final question.

On hstspreload.org, the last bullet point under Deployment Recommendations says:

Once you’re confident that there will be no more issues, increase the max-age to 2 years and submit your site to the preload list: […]

However, when I go to HSTS Settings within Cloudflare, the Max Age Header setting dropdown has a recommended default of 6 months, and only allows a maximum of 12 months.

I get that I can manually implement these headers instead of having Cloudflare do it for me, but if they’re going to offer HSTS functionality, shouldn’t Cloudflare have support for the hstspreload.org recommendations?

1 Like

They should, and I raised it with somebody a long, long time ago. As 12 months is enough to get added to HSTS preload lists, they might see no benefit in making the change.

1 Like

The benefit is for people like me, who were not previously familiar with HSTS. Cloudflare’s settings suggest a recommended default of 6 months. However, that contradicts the bare minimum required for HSTS preload. That leads to confusion. At a minimum, Cloudflare’s recommendation should meet the minimum requirements.

1 Like

One thing that I’m not sure if it was mentioned here, but a 307 has no SEO impact at all, and is not considered a double redirect.

This is simply the browser noticing and fixing the URL internally, but there is no round trip to the web server (the web server doesn’t see these requests, at all).

It was mentioned earlier, but if that 307 comes from the server it still is a redirect. There were quite a few issues mixed up here, but if there was a 307 then it appears to have been a browser one.

The 307 is likely from HSTS, and happening locally. This explains why different people in the thread were seeing different results, plus it was labelled as internal at one point.

Yes, we have established that a week ago 🙂

Right. But what I didn’t see mentioned is that there is no negative SEO impact from these. I see people sometimes disabling HSTS to avoid 307 internal redirects, when in reality it improves time to paint vs an HTTP request that redirects to the final https:// in one shot.

e.g.

http://example.com/oldsite/test 301 to https://example.com/newsite/test

actually takes longer than the apparent double redirect of:

http://example.com/oldsite/test 307 to https://example.com/oldsite/test 301 to https://example.com/newsite/test

And of course the first single 301 can still be seen by browsers that don’t yet have HSTS cached for this domain, so that no more than a single request to the server is ever needed.

Fair enough, though the entire SEO panic regarding most things is exaggerated anyhow. It is not like a search engine will drop you because of a redirect. Firefox, for example, does not even show such a redirect but loads HTTPS straight away.
