By default backdrop_http_request()
will strip sensitive request headers (Cookie, Authorization) when following a redirect if the redirect location has a different http host to the original request, or if the scheme downgrades from https to http. Sites can opt-out from this behavior by setting the strip_sensitive_headers_on_host_change
or strip_sensitive_headers_on_https_downgrade
configurations to FALSE in settings.php
as follows:
$config['system.core']['backdrop_http_request']['strip_sensitive_headers_on_host_change'] = FALSE; $config['system.core']['backdrop_http_request']['strip_sensitive_headers_on_https_downgrade'] = FALSE;
Introduced in branch:
1.x
Introduced in version:
1.27.2
Impacts:
Architects, Administrators, Editors
Module developers
Theme developers
Related Github Issues: