This page should be opened via https://www.insert-script.com - not https://insert-script.com
This page showcases that the Authorization header is dropped by modern browsers on redirects, while other custom headers such as X-* (e.g. X-CSRF) are not.
This behavior is relevant for client-side path traversal where the subsequent API requests carry the Authorization header or other custom headers and the API suffers from an open redirect.
The rule is:
- If the original request is not targeting a same-origin endpoint, the Authorization header is included in case of a redirect.
- If the original request is targeting a same-origin endpoint, the Authorization header is dropped in case of a redirect.
The following example sets an Authorization header and an X-CSRF header.
The first case targets an API on the same origin, which responds with a redirect.
The second case targets the same API endpoint on insert-script.com, which is not considered same origin.
The response is displayed and shows that the Authorization header is dropped.
Click to send a same origin request.
Click to send a non-same-origin request.
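As an added example (not the demo page's own code), the following Python models the redirect step of the Fetch specification, which deletes the Authorization header whenever the redirect target's origin differs from the current request URL's origin and leaves custom X-* headers untouched; it also generalises to a chain of redirects. The redirect targets and header values below are assumptions, since the page does not state where the demo API redirects.

```python
from urllib.parse import urljoin, urlsplit

# Fetch spec: when a redirect leaves the current request's origin, the browser
# deletes the "CORS non-wildcard request-header names" (currently only
# Authorization); every other header, including custom X-* ones, is kept.
STRIPPED_ON_CROSS_ORIGIN_REDIRECT = {"authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Origin tuple (scheme, host, port), with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def headers_after_redirect(current_url, location, headers):
    """Return (target_url, forwarded_headers) for a response to current_url that
    redirects to location (Location may be relative, as in a real response)."""
    target = urljoin(current_url, location)
    forwarded = dict(headers)
    if not same_origin(current_url, target):
        forwarded = {k: v for k, v in forwarded.items()
                     if k.lower() not in STRIPPED_ON_CROSS_ORIGIN_REDIRECT}
    return target, forwarded


def follow_chain(start_url, locations, headers):
    """Walk a chain of Location values. Each hop is compared against the
    *current* URL, not the original one, so a hop back to the original origin
    still arrives without Authorization once an earlier hop crossed origins."""
    url, current = start_url, dict(headers)
    for loc in locations:
        url, current = headers_after_redirect(url, loc, current)
    return url, current


if __name__ == "__main__":
    # Constructed request headers mirroring the page's demo (assumed values).
    sent = {"Authorization": "Bearer demo-token", "X-CSRF": "demo-csrf"}
    # Case 1: same-origin API that redirects to the bare domain (cross-origin).
    print(headers_after_redirect("https://www.insert-script.com/api/redirect",
                                 "https://insert-script.com/api/target", sent))
    # Case 2: request to insert-script.com redirected within that origin.
    print(headers_after_redirect("https://insert-script.com/api/redirect",
                                 "/api/target", sent))
```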