docs: improve beforeRedirect example to prevent credential leakage (#10624)

* docs: fix formatting and clarify beforeRedirect security note * docs: fix code block formatting for beforeRedirect example * docs: fix code block formatting for beforeRedirect example * docs: fix code block formatting for beforeRedirect example * docs: fix code block formatting for beforeRedirect example --------- Co-authored-by: Jay <jasonsaayman@gmail.com>
2026-06-17 19:21:29 +03:00 · 2026-04-03 16:51:42 +05:30
parent 3ca13062ee
commit 64d02a195a
1 changed files with 12 additions and 1 deletions
@@ -552,12 +552,23 @@ These are the available config options for making requests. Only the `url` is re
  // to inspect the latest response headers,
  // or to cancel the request by throwing an error
  // If maxRedirects is set to 0, `beforeRedirect` is not used.
+
  beforeRedirect: (options, { headers }) => {
-    if (options.hostname === "example.com") {
+    if (
+      options.hostname === "example.com" &&
+      options.protocol === "https:"
+    ) {
      options.auth = "user:password";
    }
  },

+// Security note:
+// The beforeRedirect hook runs after sensitive headers are stripped during redirects.
+// Re-injecting credentials without checking the destination can expose sensitive data.
+// Only add credentials for trusted HTTPS destinations.
+// Avoid re-adding credentials on downgraded redirects.
+
+
  // `socketPath` defines a UNIX Socket to be used in node.js.
  // e.g. '/var/run/docker.sock' to send requests to the docker daemon.
  // Only either `socketPath` or `proxy` can be specified.