Description
Summary
Custom authentication headers set via SetCommonHeader() or SetHeader() (e.g., X-API-Key, X-Auth-Token) are forwarded to cross-domain redirect targets without being stripped.
Go's net/http only strips standard sensitive headers (Authorization, Cookie, Proxy-Authorization) on cross-domain redirects. The library's SetRedirectPolicy only counts redirects - it does NOT strip any headers.
Root Cause
- middleware.go:528-540 - parseRequestHeader() merges client headers into the request
- client.go:334 - CheckRedirect only counts redirects, does not strip headers
- Go stdlib only strips hardcoded headers, not custom auth headers
Impact
Users who use client.SetCommonHeader("X-API-Key", "secret") for API authentication are vulnerable to credential theft if the target server redirects to a different domain.
Suggested Fix
Add header stripping to the default redirect policy for known auth-pattern headers, or provide a SensitiveHeaders option.
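As an added example (not the library's own code): a redirect policy with the net/http CheckRedirect signature that deletes custom credential headers on a cross-origin hop while keeping a 10-redirect cap, plus a two-origin local harness showing that Go's default policy forwards X-API-Key and this policy drops it. The header list, the helper names and the assumption that the library's redirect policy accepts a function of this signature are mine.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Custom credential headers to strip (constructed list; names taken from the issue).
var sensitiveHeaders = []string{"X-API-Key", "X-Auth-Token"}

// StripSensitiveOnRedirect has the net/http CheckRedirect signature. Go copies the
// original request's (via[0]) headers onto every redirected hop, so deleting them here
// keeps them on the first origin; the check is scheme plus host:port, stricter than stdlib.
func StripSensitiveOnRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // keep the redirect cap the default policy would have enforced
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if !strings.EqualFold(via[0].URL.Scheme, req.URL.Scheme) ||
		!strings.EqualFold(via[0].URL.Host, req.URL.Host) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// KeySeenAcrossRedirect: origin A (sent X-API-Key) redirects to origin B; returns what B saw.
func KeySeenAcrossRedirect(policy func(*http.Request, []*http.Request) error) (string, error) {
	var seen string // "" means the credential was stripped before the cross-origin hop
	target := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Get("X-API-Key") }))
	defer target.Close()
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, target.URL, http.StatusFound) }))
	defer origin.Close()
	req, _ := http.NewRequest(http.MethodGet, origin.URL, nil)
	req.Header.Set("X-API-Key", "secret")
	resp, err := (&http.Client{CheckRedirect: policy}).Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	leaked, _ := KeySeenAcrossRedirect(nil)                     // stdlib default policy
	kept, _ := KeySeenAcrossRedirect(StripSensitiveOnRedirect) // hardened policy
	fmt.Printf("default forwarded %q, hardened forwarded %q\n", leaked, kept)
}
```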
Severity
CWE-200 | CVSS 7.4 High
AI-assisted source code review, manually verified.