Amazon AWS 307 response and permanent redirect to HTTPS


I have a domain from GoDaddy, with AWS Route53 for managing DNS records. Route53 sends request to a load-balancer.

For webserver I have a load-balancer that routes requests to a single (for now) EC2 instance and the nginx in EC2 instance get the request and sends a response to the client.

The problem is that when I use http:// to perform a request, AWS redirects requests to the https:// version of the domain with 307 Internal Redirect response. The response object has Non-Authoritative-Reason: HSTS header as well.

What’s the problem and which component is redirect requests?


It’s neither component.

This isn’t anything from AWS… it’s the browser. It’s an internal redirect the browser is generating, related to HSTS… HTTP Strict Transport Security.

If you aren’t doing it now, then presumably, in the past, you’ve generated a Strict-Transport-Security: header in responses from this domain, and the browser has remembered this fact, preventing you from accessing the site insecurely, as it is intended to do.

Leave a Reply