Struct RedirectConfig 

pub struct RedirectConfig {
    pub max_redirects: usize,
    pub same_origin_only: bool,
    pub allowed_redirect_hosts: HashSet<String>,
    pub strip_sensitive_headers: bool,
    pub allow_https_downgrade: bool,
}

Configuration for redirect behavior

Controls how the HTTP client handles 3xx redirect responses with security protections.

Security Features

• Same-origin enforcement: By default, only follows redirects to the same host
• Header stripping: Removes Authorization, Cookie on cross-origin redirects
• Downgrade protection: Blocks HTTPS → HTTP redirects
• Host allow-list: Configurable list of trusted redirect targets

Example

use modkit_http::RedirectConfig;
use std::collections::HashSet;

// Permissive mode for general-purpose clients
let config = RedirectConfig::permissive();

// Custom allow-list for trusted hosts
let config = RedirectConfig {
    same_origin_only: true,
    allowed_redirect_hosts: HashSet::from(["cdn.example.com".to_string()]),
    ..Default::default()
};

Fields

max_redirects: usize

Maximum number of redirects to follow (default: 10)

Set to 0 to disable redirect following entirely.

same_origin_only: bool

Only allow same-origin redirects (default: true)

When true, redirects to different hosts are blocked unless the target host is in allowed_redirect_hosts.

Security: This is the safest default, preventing SSRF attacks where a malicious server redirects requests to internal services.

allowed_redirect_hosts: HashSet<String>

Hosts that are allowed as redirect targets even when same_origin_only is true

Use this to allow redirects to known, trusted hosts (e.g., CDN domains, authentication servers).

Note: Entries should be hostnames only, without scheme or port. Example: "cdn.example.com", not "https://cdn.example.com".

strip_sensitive_headers: bool

Strip sensitive headers on cross-origin redirects (default: true)

When a redirect goes to a different origin (even if allowed), this removes:

• Authorization header (prevents credential leakage)
• Cookie header (prevents session hijacking)
• Proxy-Authorization header

Security: Always keep this enabled unless you have specific requirements.

allow_https_downgrade: bool

Allow HTTPS → HTTP downgrades (default: false)

When false, redirects from HTTPS to HTTP are blocked.

Security: Downgrades expose traffic to interception. Only enable for testing with local mock servers.

Implementations

impl RedirectConfig

pub fn permissive() -> Self

Create a permissive configuration that allows all redirects with header stripping

This is suitable for general-purpose HTTP clients that need to follow redirects to any host, but still want protection against credential leakage.

Note: This configuration still blocks HTTPS → HTTP downgrades.

pub fn disabled() -> Self

Create a configuration that disables redirect following

pub fn for_testing() -> Self

Create a configuration for testing (allows HTTP, permissive)

WARNING: Only use for local testing with mock servers.

Trait Implementations

impl Clone for RedirectConfig

fn clone(&self) -> RedirectConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RedirectConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for RedirectConfig

fn default() -> Self

Returns the “default value” for a type.