header.md: mention `Authorization:` and `Cookie:` special treatment

author Daniel Stenberg <daniel@haxx.se>

Tue, 4 Feb 2025 09:25:12 +0000 (10:25 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Thu, 6 Feb 2025 10:40:56 +0000 (11:40 +0100)
author Daniel Stenberg <daniel@haxx.se>
Tue, 4 Feb 2025 09:25:12 +0000 (10:25 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Thu, 6 Feb 2025 10:40:56 +0000 (11:40 +0100)
diff --git a/docs/cmdline-opts/header.md b/docs/cmdline-opts/header.md

index 17219f383bd0b2135795c9c6c1efc7ea7bcfed83..66816aac538b3c00978b8f27f78022ba00754b30 100644 (file)
--- a/docs/cmdline-opts/header.md
+++ b/docs/cmdline-opts/header.md
@@ -55,10 +55,14 @@ among others and should be added with this option.
  You need --proxy-header to send custom headers intended for an HTTP proxy.
  (Added in 7.37.0)
  
-Passing on a "Transfer-Encoding: chunked" header when doing an HTTP request
+Passing on a `Transfer-Encoding: chunked` header when doing an HTTP request
  with a request body, makes curl send the data using chunked encoding.
  
  **WARNING**: headers set with this option are set in all HTTP requests - even
  after redirects are followed, like when told with --location. This can lead to
  the header being sent to other hosts than the original host, so sensitive
  headers should be used with caution combined with following redirects.
+
+`Authorization:` and `Cookie:` headers are explicitly *not* passed on in HTTP
+requests when following redirects to other origins, unless --location-trusted
+is used.
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 4 Feb 2025 09:25:12 +0000 (10:25 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Thu, 6 Feb 2025 10:40:56 +0000 (11:40 +0100)