Is HTTP POST request allowed to send back a response body?
It is perfectly acceptable to specify a response body and use the Location header at the same time. When using the Location header with a 201 response, you're not redirecting the client, you're just telling it where it can find the resource in future.
Redirects only apply to 3xx responses.
The W3C docs for this explain further, though the text is actually quite ambiguous:
The Location response-header field is used to redirect the recipient to a location other than the Request-URI for completion of the request or identification of a new resource. For 201 (Created) responses, the Location is that of the new resource which was created by the request. For 3xx responses, the location SHOULD indicate the server's preferred URI for automatic redirection to the resource.
I read that as saying "...redirect... or... identif[y]... new resource", but it's not exactly a plain English sentence.
Based on paragraph 9.5 of the HTTP 1.1 specification, which is the reference for questions like that, here is my understanding:
Yes you can, and the specification is clear about what you can do and how to do it:
The action performed by the
POST
method might not result in a resource that can be identified by a URI. In this case, either200
(OK) or204
(No Content) is the appropriate response status, depending on whether or not the response includes an entity that describes the result.If a resource has been created on the origin server, the response SHOULD be
201
(Created) and contain an entity which describes the status of the request and refers to the new resource, and a Location header (see section 14.30).Responses to this method are not cacheable, unless the response includes appropriate
Cache-Control
orExpires
header fields. However, the303
(See Other) response can be used to direct the user agent to retrieve a cacheable resource.