The Fix
pip install urllib3==1.25
Based on closed urllib3/urllib3 issue #1510 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -8,6 +8,8 @@ dev (master)
* Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant. (Pull #1487)
+* Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510)
+
* ... [Short description of non-trivial change.] (Issue #)
Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: Do not use this fix if the application relies on case-sensitive header handling for authorization.\n\n
Why This Fix Works in Production
- Trigger: Authorization headers were incorrectly forwarded during cross-site redirects, potentially exposing sensitive data.
- Mechanism: The library did not handle the 'authorization' header case-insensitively during cross-site redirects
- Why the fix works: Removes the Authorization header regardless of case when redirecting to cross-site, addressing issue #1510. (first fixed release: 1.25).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The library did not handle the 'authorization' header case-insensitively during cross-site redirects
- Production symptom (often without a traceback): Authorization headers were incorrectly forwarded during cross-site redirects, potentially exposing sensitive data.
Proof / Evidence
- GitHub issue: #1510
- Fix PR: https://github.com/urllib3/urllib3/pull/1511
- First fixed release: 1.25
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.75
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“#1346 fixes only "Authorization" header. "authorization" header isn't supported. RFC7230 section 3.2 "Header Fields" (https://tools.ietf.org/html/rfc7230#section-3.2) says the following. > Each header field consists of a case-insensitive fi”
Failure Signature (Search String)
- Authorization headers were incorrectly forwarded during cross-site redirects, potentially exposing sensitive data.
Copy-friendly signature
Failure Signature
-----------------
Authorization headers were incorrectly forwarded during cross-site redirects, potentially exposing sensitive data.
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Authorization headers were incorrectly forwarded during cross-site redirects, potentially exposing sensitive data.
What Broke
Authorization headers were incorrectly forwarded during cross-site redirects, potentially exposing sensitive data.
Why It Broke
The library did not handle the 'authorization' header case-insensitively during cross-site redirects
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.25
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/1511
First fixed release: 1.25
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if the application relies on case-sensitive header handling for authorization.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.25 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.