alpacahq / Alpaca-API

The Alpaca API is a developer interface for trading operations and market data reception through the Alpaca platform.
https://alpaca.markets/

Endpoints should return 308 status rather than 301 on POST requests #134

Open ghost opened 3 years ago

ghost commented 3 years ago

Currently, the API issues a 301 response if a request arrives with an http scheme as opposed to an https scheme. The 301 status works fine for GET requests and forwards the request correctly, but for some user-agents a 301 status leads to a POST request being changed to a GET request.

A 308 response serves the same purpose as a 301, but leaves the method of the request intact, meaning that the POST request is served correctly. Here's a cURL request that you can try out:

curl -L -X POST -H "apca-api-key-id: KEY_ID_HERE" -H "apca-api-secret-key: SECRET_KEY_HERE" -H "Content-Type: application/json" --data '{"symbol":"V","qty":"1","side":"buy","type":"market","time_in_force":"gtc"}' http://paper-api.alpaca.markets/v2/orders

Because of the 301 status, the POST method in that request gets clobbered into a GET method after the redirect and we get an error.

ghost commented 3 years ago

Here's the IEEE RFC for the 308 response: https://tools.ietf.org/html/rfc7238 In particular, note this section:

Note: This status code is similar to 301 (Moved Permanently) ([RFC7231], Section 6.4.2), except that it does not allow changing the request method from POST to GET.

umitanuki commented 3 years ago

Makes sense
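
The method handling discussed in this thread, reproduced against a local stand-in server (an added example, not code from the issue or from Alpaca): Python's urllib follows the 301 with a GET, while a hypothetical `KeepMethodOn308` handler resends the POST and its body on 308. The `/r301`, `/r308` and `/orders` paths, the 405 reply to GET and the sample order body are assumptions made for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ORDER = b'{"symbol":"V","qty":"1","side":"buy"}'  # constructed sample body

class Handler(BaseHTTPRequestHandler):
    """Local stand-in: /r301 and /r308 redirect to /orders, which logs what arrives."""
    seen = []  # (method, body) pairs that reached /orders
    def _serve(self):
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if self.path.startswith("/r"):
            self.send_response(int(self.path[2:]))  # 301 or 308
            self.send_header("Location", "/orders")
        else:
            Handler.seen.append((self.command, body))
            self.send_response(200 if self.command == "POST" else 405)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = _serve
    def log_message(self, *args):  # silence per-request logging
        pass

class KeepMethodOn308(urllib.request.HTTPRedirectHandler):
    """Leave 301 to urllib's default (POST becomes GET); on 308 resend method and body."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if code == 308:
            return urllib.request.Request(newurl, req.data, req.headers, method=req.get_method())
        return super().redirect_request(req, fp, code, msg, headers, newurl)
    # Older Python versions have no 308 hook; reuse the generic redirect logic.
    http_error_308 = urllib.request.HTTPRedirectHandler.http_error_302

def post_via(status):
    """POST ORDER to /r<status>; return (requests seen at /orders, final status code)."""
    Handler.seen.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    req = urllib.request.Request(f"http://127.0.0.1:{server.server_port}/r{status}", data=ORDER,
                                 headers={"Content-Type": "application/json"}, method="POST")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), KeepMethodOn308)
    try:
        final = opener.open(req, timeout=5).status
    except urllib.error.HTTPError as err:
        final = err.code
    server.shutdown()
    server.server_close()
    return list(Handler.seen), final

if __name__ == "__main__":
    print(post_via(301), post_via(308))
```

Either way the original request, including any key headers, is sent to the http URL before the redirect is seen; pointing the client at the https URL avoids both that and the method rewrite.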