By default backdrop_http_request() will strip sensitive request headers (Cookie, Authorization) when following a redirect if the redirect location has a different http host to the original request, or if the scheme downgrades from https to http. Sites can opt-out from this behavior by setting the strip_sensitive_headers_on_host_change or strip_sensitive_headers_on_https_downgrade configurations to FALSE in settings.php as follows:

$config['system.core']['backdrop_http_request']['strip_sensitive_headers_on_host_change'] = FALSE;
$config['system.core']['backdrop_http_request']['strip_sensitive_headers_on_https_downgrade'] = FALSE;
Introduced in branch: 
Introduced in version: 
Architects, Administrators, Editors
Module developers
Theme developers