Use Proxy
Production Risk
High. It is deprecated and poses a security risk. Clients are unlikely to obey it, and its use could be a sign of a misconfiguration or attack.
Defined in a previous version of the HTTP specification to indicate that a requested response must be accessed by a proxy. It has been deprecated due to security concerns regarding in-band configuration of a proxy.
- 1An organization requires all HTTP traffic to go through a specific proxy server for monitoring or security.
- 2The server returns the address of the required proxy in the 'Location' header.
Within a restricted corporate network, a server instructs a client to re-request a resource through the official corporate proxy.
GET /resource HTTP/1.1 Host: internal.example.com
expected output
HTTP/1.1 305 Use Proxy Location: http://proxy.example.com:8080
Fix
Do not issue 305 — configure proxies out-of-band instead
WHEN If you encounter a 305 in a server codebase you are maintaining
# Remove any 305 responses from your server. # Configure proxy requirements via: # - HTTP_PROXY / HTTPS_PROXY environment variables # - Proxy Auto-Config (PAC) files via WPAD # - Corporate network routing rules
Why this works
305 was deprecated in RFC 7231 because allowing a server to redirect a client through an arbitrary proxy is a man-in-the-middle attack vector. Proxy configuration must happen through OS-level or network-level settings, not in-band HTTP responses.
✕
RFC 7231 (marking it as Deprecated)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/305 ↗Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev