From 64d02a195a0c0f7a1b54a8d6e13605b3f0ed8de4 Mon Sep 17 00:00:00 2001
From: ashstrc <163244790+ashstrc@users.noreply.github.com>
Date: Fri, 3 Apr 2026 16:51:42 +0530
Subject: [PATCH] docs: improve beforeRedirect example to prevent credential leakage (#10624)

* docs: fix formatting and clarify beforeRedirect security note
* docs: fix code block formatting for beforeRedirect example
* docs: fix code block formatting for beforeRedirect example
* docs: fix code block formatting for beforeRedirect example
* docs: fix code block formatting for beforeRedirect example

---------

Co-authored-by: Jay
---
 README.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index daf616fc..3cece816 100644
--- a/README.md
+++ b/README.md
@@ -552,12 +552,23 @@ These are the available config options for making requests. Only the `url` is re
 // to inspect the latest response headers,
 // or to cancel the request by throwing an error
 // If maxRedirects is set to 0, `beforeRedirect` is not used.
+
 beforeRedirect: (options, { headers }) => {
- if (options.hostname === "example.com") {
+ if (
+ options.hostname === "example.com" &&
+ options.protocol === "https:"
+ ) {
 options.auth = "user:password";
 }
 },
+// Security note:
+// The beforeRedirect hook runs after sensitive headers are stripped during redirects.
+// Re-injecting credentials without checking the destination can expose sensitive data.
+// Only add credentials for trusted HTTPS destinations.
+// Avoid re-adding credentials on downgraded redirects.
+ + // `socketPath` defines a UNIX Socket to be used in node.js.
 // e.g. '/var/run/docker.sock' to send requests to the docker daemon.
 // Only either `socketPath` or `proxy` can be specified.