
Cross-origin redirect header stripping

The threat

When an HTTP client follows a redirect from origin-a.com to origin-b.com, credentials meant for origin A (cookies, authorization tokens) can leak to origin B. This is the class of vulnerability in CVE-2023-45857, where axios leaked the XSRF-TOKEN cookie to third-party hosts on redirect.

How parcely prevents it

parcely follows redirects manually (using redirect: 'manual' on fetch and walking the redirect chain). On each hop, if the new URL has a different origin from the previous one, all sensitive headers are stripped from the forwarded request.

Default sensitive headers

  • authorization
  • cookie
  • proxy-authorization
  • set-cookie
  • x-api-key

Customising the list

import { createClient } from '@parcely/core'

const http = createClient({
  baseURL: 'https://api.example.com',
  sensitiveHeaders: [
    'authorization',
    'cookie',
    'proxy-authorization',
    'set-cookie',
    'x-api-key',
    'x-internal-token', // your custom header
  ],
})

Security table reference

This corresponds to rows 3 and 4 in the security defaults table:

#   Defense                                  Default
3   Cross-origin redirect header stripping   Always on
4   Manual redirect walk with maxRedirects   maxRedirects: 5

Redirect limits

The manual redirect loop is bounded by maxRedirects (default 5). Exceeding this throws HttpError with code: 'ERR_TOO_MANY_REDIRECTS'.

const http = createClient({
  baseURL: 'https://api.example.com',
  maxRedirects: 10, // increase if needed
})

To disable redirect following entirely:

const http = createClient({
  baseURL: 'https://api.example.com',
  followRedirects: false,
})
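The two mechanisms above (origin check per hop with header stripping, and the maxRedirects bound) combined in one minimal redirect walker, as an added example that is not parcely's own code. The function names, the injected fetchImpl and the fake redirect chain are assumptions constructed so the example runs offline.

```javascript
// Added example (not parcely's own implementation): a manual redirect walker
// that drops sensitive headers whenever a hop changes origin.
const DEFAULT_SENSITIVE = ['authorization', 'cookie', 'proxy-authorization', 'set-cookie', 'x-api-key'];

// Origin = scheme + host + port, so http -> https on the same host is also a change.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers to forward on the next hop: unchanged for a same-origin hop,
// otherwise every listed sensitive header (matched case-insensitively) is removed.
function headersForHop(fromUrl, toUrl, headers, sensitive = DEFAULT_SENSITIVE) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const drop = new Set(sensitive.map((h) => h.toLowerCase()));
  return Object.fromEntries(Object.entries(headers).filter(([k]) => !drop.has(k.toLowerCase())));
}

// fetchImpl is injected (assumption) so the walker can be driven by a fake fetch below.
async function fetchWithRedirects(fetchImpl, url, { headers = {}, maxRedirects = 5, sensitiveHeaders } = {}) {
  let current = url;
  let hopHeaders = { ...headers };
  for (let hop = 0; ; hop++) {
    const res = await fetchImpl(current, { headers: hopHeaders, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !location) return { response: res, url: current, headers: hopHeaders };
    if (hop >= maxRedirects) {
      const err = new Error(`more than ${maxRedirects} redirects`);
      err.code = 'ERR_TOO_MANY_REDIRECTS';
      throw err;
    }
    const next = new URL(location, current).toString(); // Location may be relative
    hopHeaders = headersForHop(current, next, hopHeaders, sensitiveHeaders);
    current = next;
  }
}

// Constructed fake fetch: a.example/start -> a.example/login (same origin) -> b.example/final (cross-origin)
const chain = {
  'https://a.example/start': { status: 302, location: '/login' },
  'https://a.example/login': { status: 302, location: 'https://b.example/final' },
};
function fakeFetch(url, init) {
  const hop = chain[url] || { status: 200 };
  return Promise.resolve({ status: hop.status, headers: new Map(hop.location ? [['location', hop.location]] : []), sent: init.headers });
}

fetchWithRedirects(fakeFetch, 'https://a.example/start', { headers: { Authorization: 'Bearer t', Accept: 'application/json' } })
  .then(({ url, headers }) => console.log(url, headers)); // https://b.example/final { Accept: 'application/json' }
```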