I am using curl to connect to a REST API. The REST API uses a Bearer token in the Authorization header. So my curl call looks like this:
curl -H "Authorization: Bearer <token>" https://www.example.com/api
This API has started returning a 302 redirect in response to my API call. I added the -L option to instruct curl to follow the redirect:
curl -L -H "Authorization: Bearer <token>" https://www.example.com/api
Now curl does perform the redirect.
Here's the problem: curl is sending the custom Authorization header along with the redirect. I have verified this using the -v option so it shows me the headers it's sending.
The new server (Windows Azure I believe) actually fails the call with a 400 status code because it does not like the Authorization header. The redirected URL does not want an authorization header at all.
So, how can I get curl to not send my custom Authorization header on redirects? Or is there another way to specify the Authorization header that will avoid the issue?
This has been fixed in curl 7.58.0, specifically to avoid leaking the credentials to the redirect location.
With curl 7.58.0 it should work without making any changes. If you still want to pass through the credentials, you have to use the --location-trusted option.
There are no workarounds for earlier versions except for not using the -L option, parsing the Location field yourself and doing a separate request to the new location (as mentioned by Matt Houser).
You can find some more information on this change here.
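The workaround the answer describes for curl versions before 7.58.0 (no -L, read the Location header, make a second request), as an added shell example that is not code from the original answer. The function names, SAMPLE_HEADERS and the storage.example.net host are constructed for illustration, and attaching the token to the second request only when the origin is unchanged is this example's own policy.

```shell
#!/bin/sh
# Added example (not from the original answer). Follows one redirect hop only.
# Constructed sample of what `curl -D -` prints for the first request:
SAMPLE_HEADERS='HTTP/1.1 302 Found
location: https://storage.example.net/blob/123
Content-Length: 0'

# Print the Location header value from raw response headers on stdin.
extract_location() {
    tr -d '\r' | awk 'tolower($0) ~ /^location:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print scheme://host[:port] of an absolute URL, lowercased.
url_origin() {
    printf '%s\n' "$1" | sed -E 's|^([A-Za-z][A-Za-z0-9+.-]*://[^/?#]*).*|\1|' |
        tr 'A-Z' 'a-z'
}

# Resolve a Location value against the request URL. Handles absolute URLs
# and absolute paths; other relative forms are rejected.
resolve_location() {
    case "$2" in
        //*)   return 1 ;;
        /*)    printf '%s%s\n' "$(url_origin "$1")" "$2" ;;
        *://*) printf '%s\n' "$2" ;;
        *)     return 1 ;;
    esac
}

# fetch_api URL TOKEN: request URL without -L. On a 3xx, request the target
# separately and attach the token only when the origin is unchanged.
fetch_api() {
    body=$(mktemp) || return 1
    headers=$(curl -sS -D - -o "$body" -H "Authorization: Bearer $2" "$1") ||
        { rm -f "$body"; return 1; }
    code=$(printf '%s\n' "$headers" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$headers" | extract_location)
    case "$code" in
        3??) rm -f "$body" ;;
        *)   cat "$body"; rm -f "$body"; return 0 ;;
    esac
    target=$(resolve_location "$1" "$loc") || return 1
    if [ "$(url_origin "$target")" = "$(url_origin "$1")" ]; then
        curl -sS -H "Authorization: Bearer $2" "$target"
    else
        curl -sS "$target"   # different origin: no Authorization header
    fi
}
```

A target on the default port written explicitly (for example :443) counts as a different origin here, so the token is withheld rather than sent.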