How to deal with POST changing to GET on a 302 redirect?

Some parts of my website are accessible only through HTTPS (not the whole site, as a security trade-off), and HTTPS is enforced with 302 redirects for requests to the protected part that are sent over plain HTTP.

The problem is that in all major browsers, if you 302-redirect a POST, it is automatically switched to GET (AFAIK this should only happen on 303, but nobody seems to care). An additional problem is that all POST data is lost.

So, what are my options here, besides accepting POSTs to the protected part of the site over HTTP and redirecting afterwards, or changing the code to make sure that all POSTs to the protected part of the site go through HTTPS from the very beginning?

+5
2 answers

You are right, this is the only reliable way. The POST request should go over an https connection from the very beginning. In addition, it is recommended that the form that leads to such a POST is also loaded via https. Usually the first form after which you have an https connection is the login form. All browsers apply different security restrictions to pages loaded via http and via https. Thus, this reduces the risk of executing some malicious scripts in a context that owns some sensitive data.

+5
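One way to enforce the rule from the answer above on the server, as an added example (not code from the question or the answers): a WSGI middleware that 302-redirects only body-less GET/HEAD requests and refuses any other method that reaches the protected part over plain HTTP. The path prefixes, the choice of 403, the host name and the helper names are assumptions made for the example.

```python
from urllib.parse import quote

PROTECTED_PREFIXES = ("/account", "/checkout")  # hypothetical protected paths
SAFE_METHODS = ("GET", "HEAD")                  # methods that carry no body

def https_url(environ):
    """Rebuild the requested URL with the https scheme (default port assumed)."""
    host = environ.get("HTTP_HOST", environ.get("SERVER_NAME", "")).split(":")[0]
    url = "https://" + host + quote(environ.get("PATH_INFO", "/"))
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url

class EnforceHTTPS:
    def __init__(self, app, prefixes=PROTECTED_PREFIXES):
        self.app, self.prefixes = app, prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        protected = any(path == p or path.startswith(p + "/") for p in self.prefixes)
        if not protected or environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD") in SAFE_METHODS:
            # Nothing to lose on a GET/HEAD, so the 302 from the question is fine.
            start_response("302 Found", [("Location", https_url(environ)),
                                         ("Content-Length", "0")])
            return [b""]
        # POST/PUT/...: the body has already crossed the wire in cleartext and a
        # 302 would be replayed as a GET without it, so fail visibly instead.
        body = b"This resource only accepts requests over HTTPS.\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]

def demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def call(method, scheme, path, query=""):
    """Drive the middleware with a constructed environ; return (status, headers)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "HTTP_HOST": "example.test", "PATH_INFO": path, "QUERY_STRING": query}
    EnforceHTTPS(demo_app)(environ, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"]
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` describes the proxy-to-application hop, so the same check has to run at the proxy or rely on a header that only the proxy can set.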

I think that is what 307 is for. RFC2616 says:

307     GET HEAD,    , ,     , .

+1
