From: Daniel Stenberg Date: Tue, 4 Feb 2025 09:25:12 +0000 (+0100) Subject: header.md: mention `Authorization:` and `Cookie:` special treatment X-Git-Tag: curl-8_12_1~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=448e71d1b730b9af1adcf83f8c6ab0902b30dbb2;p=thirdparty%2Fcurl.git header.md: mention `Authorization:` and `Cookie:` special treatment Fixes #16160 Reported-by: deliciouslytyped on github Closes #16164 --- diff --git a/docs/cmdline-opts/header.md b/docs/cmdline-opts/header.md index 17219f383b..66816aac53 100644 --- a/docs/cmdline-opts/header.md +++ b/docs/cmdline-opts/header.md @@ -55,10 +55,14 @@ among others and should be added with this option. You need --proxy-header to send custom headers intended for an HTTP proxy. (Added in 7.37.0) -Passing on a "Transfer-Encoding: chunked" header when doing an HTTP request +Passing on a `Transfer-Encoding: chunked` header when doing an HTTP request with a request body, makes curl send the data using chunked encoding. **WARNING**: headers set with this option are set in all HTTP requests - even after redirects are followed, like when told with --location. This can lead to the header being sent to other hosts than the original host, so sensitive headers should be used with caution combined with following redirects. + +`Authorization:` and `Cookie:` headers are explicitly *not* passed on in HTTP +requests when following redirects to other origins, unless --location-trusted +is used.
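Review bot: The added final paragraph contradicts the unchanged WARNING directly above it, which still says headers set with this option "are set in all HTTP requests - even after redirects are followed"; with the new exception that is no longer accurate for `Authorization:` and `Cookie:`. Consider folding the exception into the warning itself, for example "headers set with this option, other than `Authorization:` and `Cookie:`, are set in all HTTP requests", so a reader who stops at the warning does not come away with the wrong model. The new text also leaves "other origins" undefined: the page does not say whether a change of scheme or port counts, and a short definition would let users judge when a credential header is dropped and when --location-trusted is actually needed.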