HTTP 302 vs 307 — Temporary Redirect & Method Preservation Comparison

Quick Cheat Sheet

Aspect	302 Found	307 Temporary Redirect
Permanence	Temporary	Temporary
Method preservation	MAY change POST → GET	MUST preserve method
Cacheable by default	No	No
Body preservation	MAY drop	MUST preserve
Original spec	HTTP/1.0	HTTP/1.1 (RFC 2616, refined in 9110)

Why 307 Exists

Just like 308 was created to fix 301's method-preservation bug, 307 Temporary Redirect was introduced to fix the same problem with 302. The HTTP/1.0 specification allowed 302 to mean "follow this URL with the same method," but in practice browsers nearly always converted POST → GET, eventually making that the de facto rule.

307 is the strict, unambiguous version: the method, headers, and body MUST all be preserved.

The Method-Preservation Difference

If a client makes POST /api/foo and gets back:

• 302 Location: /api/bar → most clients re-issue as GET /api/bar (body lost, no Content-Type)
• 307 Location: /api/bar → all compliant clients re-issue as POST /api/bar with the original body

This is the only meaningful difference between the two codes.

When to Choose 307

Use 307 when:

• The redirect is for an API endpoint that accepts POST/PUT/PATCH/DELETE
• You need to preserve form data or JSON body across the redirect
• You're routing a webhook to a different endpoint based on payload inspection

Use 302 when:

• The redirect is for a GET-only web page (the vast majority of cases)
• You want the historical behavior of POST → GET conversion (rare but sometimes intentional)
• Maximum compatibility with truly ancient clients matters

OAuth and Single Sign-On

OAuth 2.0 and OIDC flows often involve redirecting authenticated POSTs across hosts. The OAuth spec recommends 303 (See Other) for the post-authorization redirect specifically because it forces a GET — you don't want the user's POST credentials forwarded to the redirect target.

When you genuinely want the method preserved (e.g., your auth proxy needs to internally redirect a POST without losing the body), 307 is the right choice.

Cacheability

Neither 302 nor 307 is cacheable by default — both are explicitly meant to be transient. If you need to cache a temporary redirect, send Cache-Control: max-age=N explicitly.

Real-World Example

A common API gateway pattern: incoming POST /webhooks is dynamically routed to one of several internal services based on a header. The gateway responds with 307 Location: https://internal-svc-2/webhooks so the original webhook payload (which can be a megabyte of JSON) is preserved.

If you used 302, the internal service would receive a GET with no body, breaking the webhook entirely.

Browser & Tooling Support

All modern browsers and HTTP clients (curl, requests, axios, fetch) correctly preserve method on 307. There are no significant compatibility issues today.