HTTP authentication leak in redirects #1090

@joebowbeer

Description

Describe the bug

A custom authorization header, if present, is passed on redirect. This can leak auth tokens, and in many cases requests with unexpected authorization headers will be rejected.

Actual behavior

If a custom authorization header is added to options, and the request is redirected (302), the authorization header will be passed to the redirect location.

In my case, my app was using got to fetch a tarball from npm.pkg.github.com which redirected to pkg.githubusercontent.com, which rejected the request (400).

Expected behavior

curl does not forward custom authorization: https://curl.haxx.se/docs/CVE-2018-1000007.html

It is convenient that got follows redirects by default, but it should not forward authorization headers by default.

Workaround

Add a beforeRedirect hook to remove the authorization header.

Example: https://github.com/joebowbeer/regsync/blob/master/src/util.ts#L54

Checklist

  • I have read the documentation.
  • I have tried my code with the latest version of Node.js and Got.
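The behaviour described in this issue, as an added example that is not part of the report and not got's own code: a small redirect follower models the original host answering 302 and the second host rejecting any request that still carries `authorization`, and a beforeRedirect-style hook implements the workaround by dropping the header when the redirect leaves the original host. The hook signature `(updatedOptions, response)`, the `requestUrl` field, and the two URLs are assumptions made for the example; got itself is not imported.

```javascript
// Added example, not code from the got project or the issue reporter.
// Models the report: a custom `authorization` header is copied onto a 302
// redirect to a different host, and a beforeRedirect-style hook strips it.
// Hook signature (updatedOptions, response) and response.requestUrl are
// assumptions modelled on got's hooks.beforeRedirect, not its real API.

const START = 'https://npm.pkg.github.com/download/pkg.tgz'; // constructed URL
const TARGET = 'https://pkg.githubusercontent.com/blob/abc'; // constructed URL

// Constructed stand-in for the two hosts in the report: the first redirects,
// the second rejects any request that still carries an authorization header.
const routes = {
  [START]: () => ({ statusCode: 302, headers: { location: TARGET } }),
  [TARGET]: (headers) =>
    'authorization' in headers
      ? { statusCode: 400, headers: {}, body: 'unexpected authorization header' }
      : { statusCode: 200, headers: {}, body: 'tarball bytes' },
};

function fakeFetch(url, headers) {
  const handler = routes[url];
  if (!handler) throw new Error('no route for ' + url);
  return { ...handler(headers), requestUrl: url };
}

// Header names are case-insensitive; normalise so the check below is reliable.
function lowercaseKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Minimal redirect follower. As in the bug report, the request headers are
// copied unchanged onto the redirected request unless a hook edits them.
function request(url, options = {}) {
  const hooks = (options.hooks && options.hooks.beforeRedirect) || [];
  let current = { url, headers: lowercaseKeys(options.headers) };
  const visited = [url];
  for (let hop = 0; hop < 5; hop++) {
    const response = fakeFetch(current.url, current.headers);
    if (response.statusCode !== 302) {
      return {
        statusCode: response.statusCode,
        body: response.body,
        sentHeaders: current.headers, // what the final host actually received
        visited,
      };
    }
    const updated = {
      url: new URL(response.headers.location, current.url).toString(),
      headers: { ...current.headers }, // the leak: authorization travels along
    };
    for (const hook of hooks) hook(updated, response);
    current = updated;
    visited.push(updated.url);
  }
  throw new Error('too many redirects');
}

// The workaround from the report as a beforeRedirect-style hook: drop the
// authorization header when the redirect target is a different host, which is
// the curl behaviour the report points to.
function stripAuthorizationOnCrossHostRedirect(updated, response) {
  const fromHost = new URL(response.requestUrl).host;
  const toHost = new URL(updated.url).host;
  if (fromHost !== toHost) delete updated.headers.authorization;
}

const AUTH = { Authorization: 'Bearer CONSTRUCTED-TOKEN' }; // constructed token

// Leaking run: the token reaches the second host, which answers 400.
function leakingRun() {
  return request(START, { headers: AUTH });
}

// Fixed run: the hook removes the header, the second host answers 200.
function fixedRun() {
  return request(START, {
    headers: AUTH,
    hooks: { beforeRedirect: [stripAuthorizationOnCrossHostRedirect] },
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('without hook:', leakingRun());
  console.log('with hook:   ', fixedRun());
}
```

Run with `node` to see both outcomes; `sentHeaders` in the first result shows the token arriving at the second host, which is the leak the issue describes, while the second result shows it stripped and the download succeeding.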
