Skip to content

305 Use Proxy

Description

The 305 Use Proxy status code indicates that the requested resource must be accessed through the proxy specified in the Location field of the response. This status code is issued by the origin server to instruct the client to use a proxy for future requests to access the target resource.

This status code is rarely used in modern web applications due to security concerns. In fact, many clients (including most modern browsers) no longer implement the 305 status code correctly to prevent potential security vulnerabilities like cross-site request forgery.

The HTTP/1.1 specification (RFC 7231) states that the 305 status code is deprecated and should not be used by servers, as it has significant security risks.

Syntax

The server responds with a 305 Use Proxy status and includes the proxy location:

HTTP/1.1 305 Use Proxy
Location: http://proxy.example.com:8080
Content-Type: text/html
Content-Length: [length in bytes]

[Optional response body with information about the proxy requirement]

Examples

Basic Proxy Requirement Example

A client requests a resource that requires access through a specific proxy:

Client Request: 

GET /secure-resource HTTP/1.1
Host: example.com

Server Response: 

HTTP/1.1 305 Use Proxy
Location: http://proxy.example.com:8080
Content-Type: text/html
Content-Length: 183

<!DOCTYPE html>
<html>
<head>
  <title>Proxy Required</title>
</head>
<body>
  <p>This resource must be accessed through the corporate proxy at proxy.example.com:8080.</p>
</body>
</html>

Authenticated Proxy Example

A client attempts to access a resource that requires an authenticated proxy:

Client Request: 

GET /internal/documents HTTP/1.1
Host: intranet.example.org

Server Response: 

HTTP/1.1 305 Use Proxy
Location: http://auth-proxy.example.org:3128
Content-Type: text/html
Content-Length: 245

<!DOCTYPE html>
<html>
<head>
  <title>Authenticated Proxy Required</title>
</head>
<body>
  <p>This internal resource must be accessed through the authenticated corporate proxy at auth-proxy.example.org:3128.</p>
  <p>Please configure your browser to use this proxy with your network credentials.</p>
</body>
</html>

Summary

The 305 Use Proxy status code was designed to instruct clients to access resources through a specific proxy server. However, due to significant security concerns, this status code is now deprecated and rarely used in modern web applications. Most current browsers and HTTP clients ignore this status code or handle it in a limited way to prevent security vulnerabilities.

If you need to enforce proxy usage in a network, it's generally better to use network-level configurations (like proxy auto-configuration files or proxy settings pushed through group policies) rather than relying on the 305 status code. For API access control, other mechanisms like API gateways, VPNs, or authentication/authorization systems are more secure and widely supported alternatives.