skip to Main Content

For my research I need to cURL the fqdns and get their status codes. (For Http, Https services) But some http urls open as https although it returns 200 with cURL. (successful request, no redirect)

curl -I  http://example.example.com/
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Nov 2021 10:43:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 64991
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Link: <https://example.example.com/>; rel=shortlink
X-Powered-By: WP Engine
X-Cacheable: SHORT
Vary: Accept-Encoding,Cookie
Cache-Control: max-age=600, must-revalidate
X-Cache: HIT: 10
X-Cache-Group: normal
Accept-Ranges: bytes

As seen above I get 200 response with curl request. But I can see the 307 code in my browser. (available in the picture below)

Request URL: http://example.example.com/
Request Method: GET
Status Code: 307 Internal Redirect
Referrer Policy: strict-origin-when-cross-origin

Can I detect 307 code with curl? (-L parameter doesn’t work) Any suggestions?

2

Answers


  1. curl -w '%{response_code}n' -so /dev/null $URL
    

    It can be tested out like this:

    curl -w '%{response_code}n' -so /dev/null httpbin.org/status/307 
    

    so what is the 307 in the question?

    As Stefan explains here in a separate answer: that’s an internal message from Chrome that informs you that it uses HSTS. It is not an actual response code. Which is why curl can’t show it. Chrome should make that clearer.

    HSTS

    HSTS is a way for a HTTPS server to ask clients to not contact them over clear text HTTP again. curl also supports HSTS but then you need to use --hsts – and curl will still not confusingly claim any 307 response codes.

    Login or Signup to reply.
  2. The 307 http status isn’t actually a response that is sent by a server. It’s an internal redirect, something that your browser does for you before even sending the request to the server.
    That’s why it won’t show up in curl. It’s a feature of your browser. cURL is much more reliable when it comes to sending unaltered requests.

    A 307 (especially since you mention https redirects) internal redirect is usually encountered when dealing with the security feature of HSTS (HTTP strict-transport-security) where the whole purpose is to make sure that you never send unencrypted http requests to a server that wants to communicate via encrypted https.

    See this.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search