microsoft · MIchaelMainer · Feb 27, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026
@@ -3,5 +3,6 @@
 		"Kiota"
 	],
 	"editor.formatOnSave": true,
-	"dotnet-test-explorer.testProjectPath": "**/*.Tests.csproj"
+	"dotnet-test-explorer.testProjectPath": "**/*.Tests.csproj",
+	"sarif-viewer.connectToGithubCodeScanning": "on"
 }
@@ -3,6 +3,7 @@
 // ------------------------------------------------------------------------------
 
 using System;
+using System.Collections.Generic;
 using System.Net.Http;
 using Microsoft.Kiota.Abstractions;
 
@@ -44,5 +45,12 @@ public int MaxRedirect
         /// A boolean value to determine if we redirects are allowed if the scheme changes(e.g. https to http). Defaults to false.
         /// </summary>
         public bool AllowRedirectOnSchemeChange { get; set; } = false;
+
+        /// <summary>
+        /// A collection of header names that should be removed when the host or scheme changes during a redirect.
+        /// This is useful for removing sensitive headers like API keys that should not be sent to different hosts.
+        /// The Authorization and Cookie headers are always removed on host/scheme change regardless of this setting.
+        /// </summary>
+        public ICollection<string> SensitiveHeaders { get; set; } = new List<string>();
     }
 }
@@ -41,7 +41,7 @@
        /// <param name="request">The <see cref="HttpRequestMessage"/> to send.</param>
        /// <param name="cancellationToken">The <see cref="CancellationToken"/>for the request.</param>
        /// <returns>The <see cref="HttpResponseMessage"/>.</returns>
        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            if(request == null) throw new ArgumentNullException(nameof(request));

@@ -119,11 +119,28 @@
                             newRequest.RequestUri = new Uri(baseAddress + response.Headers.Location);
                         }
 
-                        // Remove Auth if http request's scheme or host changes
+                        // Remove Authorization and Cookie header if http request's scheme or host changes
                         if(!newRequest.RequestUri.Host.Equals(request.RequestUri?.Host) ||
                         !newRequest.RequestUri.Scheme.Equals(request.RequestUri?.Scheme))
                         {
                             newRequest.Headers.Authorization = null;
+                            newRequest.Headers.Remove("Cookie");
+
+                            // Remove any additional sensitive headers configured in the options
+                            if(redirectOption.SensitiveHeaders.Count > 0)
+                            {
+                                foreach(var header in redirectOption.SensitiveHeaders)
+                                {
+                                    newRequest.Headers.Remove(header);
+                                }
+                            }
+                        }
+
+                        // Remove ProxyAuthorization if no proxy is configured or the URL is bypassed
+                        var proxyResolver = GetProxyResolver();
+                        if(proxyResolver == null || proxyResolver(newRequest.RequestUri) == null)
+                        {
+                            newRequest.Headers.ProxyAuthorization = null;
                         }
 
                         // If scheme has changed. Ensure that this has been opted in for security reasons
@@ -160,7 +177,7 @@
            }
        }

        private bool ShouldRedirect(HttpResponseMessage responseMessage, RedirectHandlerOption redirectOption)
        {
            return IsRedirect(responseMessage.StatusCode) && redirectOption.ShouldRedirect(responseMessage) && redirectOption.MaxRedirect > 0;
        }
@@ -183,5 +200,48 @@
             };
         }
 
+        /// <summary>
+        /// Gets a callback that resolves the proxy URI for a given destination URI.
+        /// </summary>
+        /// <returns>A function that takes a destination URI and returns the proxy URI, or null if no proxy is configured or the destination is bypassed.</returns>
+        private Func<Uri, Uri?>? GetProxyResolver()
+        {
+            var proxy = GetProxyFromFinalHandler();
+            if(proxy == null)
+                return null;
+            return destination => proxy.IsBypassed(destination) ? null : proxy.GetProxy(destination);
+        }
+
+        /// <summary>
+        /// Traverses the handler chain to find the final handler and extract its proxy settings.
+        /// </summary>
+        /// <returns>The IWebProxy from the final handler, or null if not found.</returns>
+        private IWebProxy? GetProxyFromFinalHandler()
+        {
+#if BROWSER
+            // Browser platform does not support proxy configuration
+            return null;
+#else
+            var handler = InnerHandler;
+            while(handler != null)
+            {
+#if NETFRAMEWORK
+                if(handler is WinHttpHandler winHttpHandler)
+                    return winHttpHandler.Proxy;
+#endif
+#if NET5_0_OR_GREATER
+                if(handler is SocketsHttpHandler socketsHandler)
+                    return socketsHandler.Proxy;
+#endif
+                if(handler is HttpClientHandler httpClientHandler)
+                    return httpClientHandler.Proxy;
+                if(handler is DelegatingHandler delegatingHandler)
+                    handler = delegatingHandler.InnerHandler;
+                else
+                    break;
+            }
+            return null;
+#endif
+        }
     }
 }