The Fix
Strip Authorization header whenever root URL changes to prevent credential leakage during redirects from HTTPS to HTTP.
Based on closed psf/requests issue #4716 · PR/commit linked
@@ -115,6 +115,22 @@ def get_redirect_target(self, resp):
return None
+ def should_strip_auth(self, old_url, new_url):
+ """Decide whether Authorization header should be removed when redirecting"""
+ old_parsed = urlparse(old_url)
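Review bot: the docstring on should_strip_auth should state the rule and the return value (True when the Authorization header must be dropped, decided by comparing the parsed components of old_url and new_url), since rebuild_auth acts on that result; as written it only says the method "decides". The hunk header announces 16 added lines but only the signature, the docstring and `old_parsed = urlparse(old_url)` are visible here, so the comparison of old_parsed against new_url, which is the whole security decision, cannot be reviewed from this excerpt.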
Why This Fix Works in Production
- Trigger: a request carrying an Authorization header is redirected from an https:// URL to an http:// URL.
- Mechanism: before the fix, rebuild_auth did not strip the Authorization header on an HTTPS to HTTP redirect, so the credential was exposed; with the fix, rebuild_auth strips the header whenever the scheme changes from https to http.
- If left unfixed, credentials that were meant to travel only over TLS are transmitted in plaintext with the redirected request.
Why This Breaks in Prod
- Authorization header was not stripped during HTTPS to HTTP redirects, leading to credential exposure.
- Production symptom (often without a traceback): the redirected plain-HTTP request carries the Authorization header from the original HTTPS request. The client raises no error, so the leak is not visible from the client side.
Proof / Evidence
- GitHub issue: #4716
- Fix PR: https://github.com/psf/requests/pull/4718
- Reproduced locally: No (not executed)
- Last verified: 2026-02-11
- Confidence: 0.70
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.57
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“From what I can tell by experiment, Firefox and Chromium treat http and https versions of a site as separate authentication realms, and don't automatically…”
“Yes @thinkt4nk, we’re currently coordinating a release with the urllib3 team.”
“Found something about it in RFC 7235, section 2.2”
Failure Signature (Search String)
- rebuild_auth would strip the Authorization header if the scheme is changed from https to http.
- The credentials that were intended to be sent over TLS were transmitted in plaintext with the redirected request.
Copy-friendly signature
Failure Signature
-----------------
rebuild_auth would strip the Authorization header if the scheme is changed from https to http.
The credentials that were intended to be sent over TLS were transmitted in plaintext with the redirected request.
Error Message
Signature-only (no traceback captured)
Minimal Reproduction
    import http.server
    import ssl

    # Redirecting HTTPS server for the repro: every GET is answered with a
    # 302 to a plain-HTTP URL, which is where the Authorization header leaked.
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(302)
            self.send_header('Location', 'http://localhost:8000/')
            self.end_headers()

    httpd = http.server.HTTPServer(('localhost', 4443), Handler)
    # Wrap the listening socket in TLS; yourpemfile.pem holds the server
    # certificate and private key.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile='yourpemfile.pem')
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
What Broke
Credentials were transmitted in plaintext during HTTP redirects, risking security.
Why It Broke
Authorization header was not stripped during HTTPS to HTTP redirects, leading to credential exposure
Fix Options (Details)
Option A — Apply the official fix
Strip Authorization header whenever root URL changes to prevent credential leakage during redirects from HTTPS to HTTP.
Fix reference: https://github.com/psf/requests/pull/4718
Last verified: 2026-02-11. Validate in your environment.
When NOT to Use This Fix
- This fix is not applicable if the application requires retaining credentials across HTTP redirects.
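The rule behind Option A, "strip Authorization whenever the root URL changes", written out as an added illustration (not the requests project's own code): `origin`, `should_strip_auth` and `rebuild_headers` are hypothetical helpers, and the URLs and headers below are constructed to mirror the repro server (HTTPS on :4443 redirecting to plain HTTP on :8000).

```python
from urllib.parse import urlparse

# Default ports per scheme, so https://host and https://host:443 compare equal
# (hypothetical helper, not requests' implementation).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for url, filling in the scheme's default port."""
    parsed = urlparse(url)
    port = parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)
    return (parsed.scheme, parsed.hostname, port)


def should_strip_auth(old_url, new_url):
    """True when the redirect leaves the original root URL (scheme, host or port
    differ), including the https -> http downgrade from the issue."""
    return origin(old_url) != origin(new_url)


def rebuild_headers(headers, old_url, new_url):
    """Headers for the redirected request: a copy of the originals, minus
    Authorization when the redirect target has a different root URL."""
    new_headers = dict(headers)
    if should_strip_auth(old_url, new_url):
        new_headers.pop("Authorization", None)
    return new_headers


# Constructed sample redirect and headers; the Basic value is "user:secret".
ORIGINAL = "https://localhost:4443/"
REDIRECT = "http://localhost:8000/"
HEADERS = {"Authorization": "Basic dXNlcjpzZWNyZXQ=", "User-Agent": "demo"}

if __name__ == "__main__":
    sent = rebuild_headers(HEADERS, ORIGINAL, REDIRECT)
    print("Authorization" in sent)  # False: the credential never goes out over plain HTTP
```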
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.