
Tier 2: use HttpClient.Redirect.NEVER to avoid forwarding the Authorization header on redirects #43

Description

@MarketDataApp

Tier 2 per SECURITY.md — a compatibility-affecting change; needs maintainer approval before merge. Surfaced by the security review behind #39.

Problem

The shared client is built with HttpClient.Redirect.NORMAL (HttpTransport.java:136). NORMAL correctly does not downgrade https→http, but it does follow same-scheme cross-host redirects, and java.net.http.HttpClient re-sends the original request headers — including Authorization — to the redirect target. If the API host ever emitted (via compromise/misconfig) a 3xx to https://attacker.example, the Bearer token would be forwarded.

Trigger: requires the API host itself to issue a malicious redirect — defense-in-depth against a hypothetical API-side compromise, not exploitable against a default user today.

Proposed fix (needs approval — Tier 2)

Set HttpClient.Redirect.NEVER and treat any 3xx as an error — this authenticated JSON API never legitimately needs redirects.

Why Tier 2

Changes runtime behavior: any endpoint that currently relies on a redirect would start failing. Low severity, so worth confirming no legitimate redirect exists before flipping.
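As an added example (not code from this issue or the project), the hardened client construction the fix proposes, plus a helper that rejects any 3xx, exercised against two constructed local HttpServer stand-ins so you can observe whether the Authorization header reaches the redirect target under NORMAL versus NEVER. The class name, the sendChecked helper, the /v1/quote path and the token value are assumptions.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.concurrent.atomic.AtomicReference;

public class RedirectDemo {
    // Hardened client: never follow redirects, so request headers are never re-sent to another host.
    static HttpClient hardenedClient() {
        return HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).build();
    }
    // Treat any 3xx as an error: this authenticated JSON API never legitimately redirects.
    static HttpResponse<String> sendChecked(HttpClient client, HttpRequest req) throws Exception {
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() / 100 == 3) {
            throw new IllegalStateException("unexpected " + resp.statusCode() + " redirect to "
                    + resp.headers().firstValue("Location").orElse("<no Location header>"));
        }
        return resp;
    }
    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: "api" answers 302 pointing at "other", which records any Authorization it receives.
        AtomicReference<String> seenAuth = new AtomicReference<>("(none)");
        HttpServer other = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        other.createContext("/", ex -> {
            String a = ex.getRequestHeaders().getFirst("Authorization");
            seenAuth.set(a == null ? "(none)" : a);
            ex.sendResponseHeaders(200, -1); ex.close();
        });
        other.start();
        HttpServer api = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        api.createContext("/", ex -> {
            ex.getResponseHeaders().add("Location", "http://127.0.0.1:" + other.getAddress().getPort() + "/");
            ex.sendResponseHeaders(302, -1); ex.close();
        });
        api.start();
        HttpRequest req = HttpRequest.newBuilder(URI.create("http://127.0.0.1:" + api.getAddress().getPort() + "/v1/quote"))
                .header("Authorization", "Bearer EXAMPLE_TOKEN").GET().build(); // constructed placeholder token
        try {
            // Current behaviour (NORMAL): the redirect is followed; check what the target host received.
            HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build()
                    .send(req, HttpResponse.BodyHandlers.ofString());
            System.out.println("NORMAL: redirect target saw Authorization = " + seenAuth.get());
            seenAuth.set("(none)");
            // Proposed behaviour (NEVER): the 3xx is surfaced as an error and the target host is never contacted.
            try { sendChecked(hardenedClient(), req); }
            catch (IllegalStateException e) { System.out.println("NEVER: " + e.getMessage()); }
            System.out.println("NEVER: redirect target saw Authorization = " + seenAuth.get());
        } finally { api.stop(0); other.stop(0); }
    }
}
```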

Metadata

Labels: enhancement (New feature or request), security (Security hardening or vulnerability)
