js · @hapi/wreck · Heads-up
@hapi/wreck: credential stripping now uses full-origin comparison
What changed
Wreck now compares scheme, host, and port (full origin) instead of hostname only when deciding to strip credential headers before following a cross-origin redirect.
Who it affects
All users of @hapi/wreck prior to 18.1.2 who follow redirects and rely on credential stripping for security.
What to do today
Upgrade to version 18.1.2 or later. As a workaround, set redirects: 0 or use a beforeRedirect hook.
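The difference between hostname-only and full-origin comparison, as an added example that is not code from @hapi/wreck. The header list, function names and sample URLs are assumptions constructed for illustration.

```javascript
// Assumed list of credential headers (not taken from the wreck source).
const CREDENTIAL_HEADERS = ['authorization', 'cookie', 'proxy-authorization'];

// Behaviour before the change: only the hostname is compared.
function sameHostname(from, location) {
    return new URL(from).hostname === new URL(location, from).hostname;
}

// Behaviour after the change: scheme, host and port must all match.
// URL.origin drops default ports, so https://a and https://a:443 compare equal.
function sameOrigin(from, location) {
    return new URL(from).origin === new URL(location, from).origin;
}

// Return a copy of `headers` that is safe to send to the redirect target.
// `location` may be relative; it is resolved against `from`.
function headersForRedirect(headers, from, location, compare = sameOrigin) {
    const keepAll = compare(from, location);
    const out = {};
    for (const [name, value] of Object.entries(headers)) {
        if (keepAll || !CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
            out[name] = value;
        }
    }
    return out;
}

// Constructed sample data: one original request and five redirect targets.
const REQUEST_URL = 'https://api.example.com/v1/data';
const SAMPLE_HEADERS = { Authorization: 'Bearer constructed-token', Accept: 'application/json' };
const SAMPLE_LOCATIONS = [
    '/v1/other',                       // relative, same origin
    'https://api.example.com:443/x',   // explicit default port, same origin
    'http://api.example.com/x',        // scheme downgrade, same hostname
    'https://api.example.com:8443/x',  // different port, same hostname
    'https://other.example.net/x'      // different host
];

// For each target, report whether Authorization would still be sent under each rule.
function report() {
    return SAMPLE_LOCATIONS.map((location) => ({
        location,
        hostnameOnlyKeeps: 'Authorization' in headersForRedirect(SAMPLE_HEADERS, REQUEST_URL, location, sameHostname),
        fullOriginKeeps: 'Authorization' in headersForRedirect(SAMPLE_HEADERS, REQUEST_URL, location, sameOrigin)
    }));
}

console.table(report());
```

The rows where the two columns differ (scheme downgrade and port change on the same hostname) are the cases the full-origin comparison now covers.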