1--- 2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3SPDX-License-Identifier: curl 4Title: CURLOPT_UNRESTRICTED_AUTH 5Section: 3 6Source: libcurl 7See-also: 8 - CURLINFO_REDIRECT_COUNT (3) 9 - CURLOPT_FOLLOWLOCATION (3) 10 - CURLOPT_MAXREDIRS (3) 11 - CURLOPT_REDIR_PROTOCOLS_STR (3) 12 - CURLOPT_USERPWD (3) 13Protocol: 14 - HTTP 15--- 16 17# NAME 18 19CURLOPT_UNRESTRICTED_AUTH - send credentials to other hosts too 20 21# SYNOPSIS 22 23~~~c 24#include <curl/curl.h> 25 26CURLcode curl_easy_setopt(CURL *handle, CURLOPT_UNRESTRICTED_AUTH, 27 long goahead); 28~~~ 29 30# DESCRIPTION 31 32Set the long *gohead* parameter to 1L to make libcurl continue to send 33authentication (user+password) credentials when following locations, even when 34hostname changed. This option is meaningful only when setting 35CURLOPT_FOLLOWLOCATION(3). 36 37Further, when this option is not used or set to **0L**, libcurl does not 38send custom nor internally generated Authentication: headers on requests done 39to other hosts than the one used for the initial URL. 40 41By default, libcurl only sends credentials and Authentication headers to the 42initial hostname as given in the original URL, to avoid leaking username + 43password to other sites. 44 45This option should be used with caution: when curl follows redirects it 46blindly fetches the next URL as instructed by the server. Setting 47CURLOPT_UNRESTRICTED_AUTH(3) to 1L makes curl trust the server and sends 48possibly sensitive credentials to any host the server points to, possibly 49again and again as the following hosts can keep redirecting to new hosts. 50 51# DEFAULT 52 530 54 55# EXAMPLE 56 57~~~c 58int main(void) 59{ 60 CURL *curl = curl_easy_init(); 61 if(curl) { 62 curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); 63 curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); 64 curl_easy_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L); 65 curl_easy_perform(curl); 66 } 67} 68~~~ 69 70# AVAILABILITY 71 72Along with HTTP 73 74# RETURN VALUE 75 76Returns CURLE_OK if HTTP is supported, and CURLE_UNKNOWN_OPTION if not. 77