Stopping curl from sending Authorization header on 302 redirect
This has been fixed in curl 7.58.0, specifically to avoid leaking the credentials to the redirect location.
With curl 7.58.0 it should work without making any changes. If you still want to pass through the credentials, you have to use the --location-trusted option.
There are no workarounds for earlier versions except for not using the -L option, parsing the Location field yourself and doing a separate request to the new location (as mentioned by Matt Houser).
You can find some more information on this change here.
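
The manual-redirect workaround described above for curl versions before 7.58.0, as an added example that is not part of the original answer. The function names are hypothetical, the URL and bearer token are whatever the caller supplies, and only one redirect hop is followed.

```shell
#!/bin/sh
# Added example, not from the original answer. URL and token are placeholders.

# Print the value of the last Location header found in raw headers on stdin.
extract_location() {
    tr -d '\r' | awk 'tolower($0) ~ /^location:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); loc = $0 }
        END { if (loc != "") print loc }'
}

# Print scheme://host[:port], lowercased. Default ports are not normalised,
# so https://h and https://h:443 compare as different (fails closed).
origin_of() {
    printf '%s\n' "$1" |
        sed -E 's|^([A-Za-z][A-Za-z0-9+.-]*://[^/?#]+).*|\1|' | tr 'A-Z' 'a-z'
}

# Turn a Location value into an absolute URL; $1 = request URL, $2 = Location.
# Only absolute URLs and absolute paths are handled; anything else is refused.
resolve_location() {
    case "$2" in
        //*)   return 1 ;;
        /*)    printf '%s%s\n' "$(origin_of "$1")" "$2" ;;
        *://*) printf '%s\n' "$2" ;;
        *)     return 1 ;;
    esac
}

same_origin() { [ "$(origin_of "$1")" = "$(origin_of "$2")" ]; }

# Fetch $1 with a bearer token ($2) and follow at most one redirect by hand.
# The Authorization header is resent only if the target has the same origin.
fetch_one_hop() {
    body=$(mktemp) || return 1
    hdrs=$(curl -sS -o "$body" -D - -H "Authorization: Bearer $2" "$1") ||
        { rm -f "$body"; return 1; }
    status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$hdrs" | extract_location)
    case "$status" in
        30[12378]) rm -f "$body" ;;
        *) cat "$body"; rm -f "$body"; return 0 ;;
    esac
    target=$(resolve_location "$1" "$loc") || return 1
    if same_origin "$1" "$target"; then
        curl -sS -H "Authorization: Bearer $2" "$target"
    else
        curl -sS "$target"
    fi
}
```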