305 Use Proxy 3xx

What does 305 mean?

305 Use Proxy was originally defined to mean: "the resource you requested must be accessed through the proxy specified in the Location header." The idea was that a server could redirect a client not to a different resource, but to a different path (via a specific proxy) for reaching the same resource.

305 is now formally deprecated due to security concerns — the specification explicitly notes that browser vendors removed support for it after recognizing it could be exploited: a malicious or compromised response could instruct a client to route future traffic through an attacker-controlled proxy, a significant security risk.

How it behaved (historically)

• It included a Location header specifying a proxy URL
• Clients were expected to retry the request through that proxy
• Major browsers removed support for this behavior specifically because of the security implications of letting a server-controlled response dictate a client's proxy configuration

Why it's deprecated

The security issue is straightforward: if a response could instruct a client to "use this proxy for future requests," and that response could be forged, intercepted, or come from a compromised/malicious server, an attacker could effectively redirect a victim's traffic through a proxy they control — enabling interception of subsequent requests. This risk was significant enough that browser vendors simply stopped implementing 305's behavior, and the specification now formally deprecates it.

Common scenarios today

If you're building the API or website:

• 305 should not be used — it's deprecated, unsupported by modern clients, and exists in the specification primarily as a documented historical artifact with an explanation of why it's no longer appropriate

If you're calling an API:

• You're extremely unlikely to encounter 305 from any modern API — and if you did, a compliant modern client wouldn't act on it as originally specified anyway

If you're a website visitor:

• Not applicable — this isn't part of how modern browsers behave

SEO implications

None — 305 has no role in modern web content delivery.

FAQ

Why was 305 deprecated?

Because allowing a server response to dictate that a client should route future requests through a specific proxy created a significant security vulnerability — a malicious or compromised response could redirect a victim's traffic through an attacker-controlled proxy.

Do any modern browsers support 305's original behavior?

No — major browsers removed support for this specifically due to the security concerns described above, and the current HTTP specification formally deprecates the code.

Is 305 related to 407 (Proxy Authentication Required)?

Both relate to proxies, but differently: 407 is about authenticating with a proxy that's already part of the client's configured path. 305 was about a server instructing a client to start using a particular proxy — a fundamentally different (and, as it turned out, dangerous) concept.

Could 305 ever be safely used today?

Given that modern clients don't implement its original behavior and the specification deprecates it, there's no practical scenario where using 305 would have its originally-intended effect — any system relying on it would need entirely custom client/server implementations outside normal HTTP conventions.

Is 305 the only status code deprecated for security reasons?

It's one of the clearer examples — most other deprecated/obsolete codes (like 306, or 102's de-emphasis) faded due to lack of utility or better alternatives, whereas 305 was actively removed from clients specifically because of a security vulnerability its behavior enabled.

Fun fact

305 stands out in this entire reference as a status code that wasn't just under-used or superseded — it was actively judged dangerous enough that major browser vendors deliberately removed support for its defined behavior, making it one of the few examples in HTTP's history where security concerns directly resulted in a formal specification rolling back a previously-defined feature.