mod_http_oauth2: Switch to '303 See Other' redirects This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is the only redirect code that guarantees the user agent will use a GET request, rather than re-submitting a POST request to the new URL. The latter would be bad for us, as we are encoding auth tokens in the form data.

<tr>
  <th>What is {x} {op} {y}?</th><td>
    <input name="captcha_challenge" type="hidden" value="{challenge}">
    <input name="captcha_reply" pattern="[0-9]+" required type="number">
  </td></tr>