How to group HTTPS and WWW redirects to one redirect?

We would like to group these two redirects into just one redirect:

  • http://[domain].com https://[domain].com 307!
  • https://[domain].com https://www.[domain].com 301!

As far as I know, the first redirect (307) is automatically handled by Netlify. The second redirects automatically to the primary domain under Domain Management settings.

I have tried to add the grouped redirect in both __redirects and netlify.toml, but neither of them seems to work.

Site ID: a07517ab-2db8-4d30-acd6-83ea90f3b6fc

Looking at the HTTP status codes listed in Netlify’s documentation, they don’t support 307 Temporary Redirect. Redirecting from http to https is best done with a permanent redirect.

Netlify automatically redirects http:// to https://, so you don’t need to add that to your redirects. Netlify also handles redirecting non-primary to primary domain, e.g. if example.com is the primary domain, requests to www.example.com are automatically redirected.

Netlify automatically redirects http:// to https://, so you don’t need to add that to your redirects

Yes, that is true, though the redirect is 307, as I have tested that on various sites.

Netlify also handles redirecting non-primary to primary domain, e.g. if example.com is the primary domain, requests to www.example.com are automatically redirected.

I don’t think this is true.

Hi, @long.nguyen.

I believe what is happening is this:

and that what you want to happen is this:

If so, this will never happen at Netlify. This is because that breaks the rules of the HSTS Preload list. The rules for HSTS Preload say this:

  1. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

That rule says the HTTP to HTTPS redirect has to keep the domain name the same. The reason for this is security. If the rule is not followed, a malicious actor can hijack the HTTP request. This is how the hijacking would occur:

  • http://example.com/ is requested
  • as SSL isn’t used, a malicious intermediary can send a redirect to https://<evil website domain here>/

However, if the domain is on the HSTS Preload list, all browsers will detect that interference and block the redirect. The redirect must be to the same domain name and, if not, the browser will refuse the redirect preventing the hijacking of the HTTP requests.

For this reason, Netlify will always comply with this HSTS Preload rule. There will always be two redirects in this scenario at Netlify and there is no way to override this behavior here.

2 Likes
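
The same-host rule described in the answer above, as an added example that is not part of the original post and is not Netlify's code: a Python check that walks a recorded redirect chain and flags any plain-HTTP hop that does not upgrade to HTTPS on the same host. The chains are constructed samples using example.com with the status codes from the question, and the function name is hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample chains: (requested URL, status code, Location header).
# TWO_HOP mirrors the two redirects listed in the question; ONE_HOP is the
# "grouped" redirect that was asked for.
TWO_HOP = [
    ("http://example.com/", 307, "https://example.com/"),
    ("https://example.com/", 301, "https://www.example.com/"),
    ("https://www.example.com/", 200, None),
]
ONE_HOP = [
    ("http://example.com/", 301, "https://www.example.com/"),
    ("https://www.example.com/", 200, None),
]


def same_host_upgrade_problems(chain):
    """Check every plain-HTTP hop in a redirect chain against the rule
    'redirect from HTTP to HTTPS on the same host'. Returns a list of
    problem strings; an empty list means the chain complies."""
    problems = []
    for url, status, location in chain:
        src = urlsplit(url)
        if src.scheme != "http":
            continue  # the rule only concerns requests made over HTTP
        if not (300 <= status < 400) or not location:
            problems.append(f"{url}: served over HTTP without redirecting")
            continue
        # Location may be relative, so resolve it against the request URL.
        dst = urlsplit(urljoin(url, location))
        if dst.scheme != "https":
            problems.append(f"{url}: redirect target is not HTTPS")
        elif (dst.hostname or "").lower() != (src.hostname or "").lower():
            problems.append(
                f"{url}: redirect changes host "
                f"{src.hostname} -> {dst.hostname} before upgrading to HTTPS"
            )
    return problems


if __name__ == "__main__":
    for name, chain in (("two-hop", TWO_HOP), ("one-hop", ONE_HOP)):
        issues = same_host_upgrade_problems(chain)
        print(name, "OK" if not issues else issues)
```

The two-hop chain passes because its HTTP hop keeps the host; the single grouped redirect is flagged because the host changes while the request is still unencrypted.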

Thanks Luke,

That explains it well, I’ll pass this info back to my team.