Summary
Custom authentication headers set via SetCommonHeader() or SetHeader() (e.g., X-API-Key, X-Auth-Token) are forwarded to cross-domain redirect targets without being stripped.
Go's net/http only strips standard sensitive headers (Authorization, Cookie, Proxy-Authorization) on cross-domain redirects. The library's SetRedirectPolicy only counts redirects - it does NOT strip any headers.
Root Cause
- middleware.go:528-540 - parseRequestHeader() merges client headers into the request
- client.go:334 - CheckRedirect only counts redirects, does not strip headers
- Go stdlib only strips hardcoded headers, not custom auth headers
Impact
Users who call client.SetCommonHeader("X-API-Key", "secret") for API authentication are vulnerable to credential theft if the target server redirects to a different domain, because the header is replayed to that domain unchanged.
Suggested Fix
Add header stripping to the default redirect policy for known auth-pattern headers, or provide a SensitiveHeaders option.
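One way to implement the second suggestion against net/http directly, added here as an illustration and not code from the library or from this report; the header list, the function names and the strict same-hostname rule are assumptions of this example:

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveHeaders is an assumed allow-list of custom credential headers to
// drop when a redirect leaves the original host; the names are this example's
// choice, not a list the library ships with.
var sensitiveHeaders = []string{"X-API-Key", "X-Auth-Token"}

// sameHost compares hostnames only (ports ignored). Go's own rule also keeps
// headers for subdomains of the original host; this check is stricter.
func sameHost(a, b *url.URL) bool {
	return strings.EqualFold(a.Hostname(), b.Hostname())
}

// stripSensitiveOnCrossHost deletes the listed headers from the next hop when
// its host differs from the first request's host (via[0]). net/http copies the
// original headers onto req before CheckRedirect runs, so deletions here take
// effect. It returns the names actually removed so callers can log them.
func stripSensitiveOnCrossHost(req *http.Request, via []*http.Request, names []string) []string {
	if len(via) == 0 || sameHost(via[0].URL, req.URL) {
		return nil
	}
	var removed []string
	for _, name := range names {
		if req.Header.Get(name) != "" {
			req.Header.Del(name)
			removed = append(removed, name)
		}
	}
	return removed
}

// newRedirectPolicy builds a CheckRedirect func that caps the hop count and
// strips credentials on cross-host hops: the SensitiveHeaders option the
// report suggests, expressed as a plain http.Client setting.
func newRedirectPolicy(maxRedirects int, names []string) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= maxRedirects {
			return fmt.Errorf("stopped after %d redirects", maxRedirects)
		}
		stripSensitiveOnCrossHost(req, via, names)
		return nil
	}
}
```

Install it with `&http.Client{CheckRedirect: newRedirectPolicy(10, sensitiveHeaders)}`; a same-host hop keeps the headers, a cross-host hop loses them before the request is sent.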
Severity
CWE-200 | CVSS 7.4 High
AI-assisted source code review, manually verified.