
Feat/handling authorization header leaks to third party servers on redirect#8380

Draft
Gopi-bruno wants to merge 2 commits into usebruno:main from Gopi-bruno:feat/handling-authorization-header-leaks-to-third-party-servers-on-redirect

Conversation


@Gopi-bruno Gopi-bruno commented Jun 26, 2026


Description

This PR introduces the forwardAuthorizationOnRedirect setting to prevent sensitive authentication headers (Authorization and Proxy-Authorization) from leaking to third-party/cross-origin servers during redirects.

Key Changes:

  1. Redirect Security Logic (CLI & Electron):
    • Intercepted redirects in the Axios network layers (bruno-cli and bruno-electron).
    • If a request redirects to a different origin (cross-origin redirect) and forwardAuthorizationOnRedirect is set to false, the sensitive Authorization and Proxy-Authorization headers are stripped before following the redirect.
  2. UI Settings Toggle:
    • Added a Forward Auth Headers on Redirect toggle under the request settings pane.
    • Newly created requests default this setting to false (secure by default).
    • Existing requests default to true (backward-compatible) to preserve current workflows unless explicitly updated by the user.
  3. Schema & Typings Updates:
    • Updated bruno-schema, bruno-schema-types, and bruno-lang (bruToJson.js) to support the new request property.
    • Added ambient module augmentations in bruno-converters to support this setting on GraphQL and HTTP requests without modifying external dependency manifests.
  4. Testing:
    • Added unit test suites for bruno-cli (packages/bruno-cli/tests/utils/axios-instance.spec.js) and bruno-electron (packages/bruno-electron/tests/network/axios-instance.spec.js) covering same-origin vs. cross-origin redirects with varying settings.
    • Added Playwright integration/E2E tests (tests/request/settings/redirect-auth-strip.spec.ts) using local redirect test routes.

Contribution Checklist:

  • I've used AI significantly to create this pull request
  • The pull request only addresses one issue or adds one feature.
  • The pull request does not introduce any breaking changes.
  • I have added screenshots or gifs to help explain the change if applicable.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Note: Keeping the PR small and focused helps make it easier to review and merge. If you have multiple changes you want to make, please consider submitting them as separate pull requests.

Publishing to New Package Managers

Please see here for more information.

Credits

Special thanks to @abhishek-bruno for the initial implementation and research of the cross-origin header stripping logic in #7578. This PR builds upon that implementation by adding the requested settings configuration for backward compatibility.
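The redirect rule described in the PR (strip Authorization and Proxy-Authorization only when the redirect target is a different origin and forwardAuthorizationOnRedirect is false) as an added, stand-alone example; this is not Bruno's own code, and the function names, the input shape (plain header object, raw Location value) and the use of the WHATWG URL origin (scheme + host + port, so a scheme or port change counts as cross-origin) are assumptions of this example.

```javascript
// Added example, not Bruno's implementation: decide which request headers
// may be sent along when an Axios-style client follows a redirect.
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization'];

// Origin comparison via URL.origin: scheme + host + port, with default
// ports normalized (https://a:443 and https://a are the same origin).
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Returns { target, headers } for the redirected request.
//  fromUrl      - absolute URL of the request that received the 3xx
//  location     - value of the Location response header (may be relative)
//  headers      - headers of the original request (any name casing)
//  forwardAuth  - the forwardAuthorizationOnRedirect setting
function headersForRedirect(fromUrl, location, headers, forwardAuth) {
  // A relative Location is resolved against the original request URL,
  // exactly as a client would before following it.
  const target = new URL(location, fromUrl).toString();

  // Setting enabled, or same origin: forward everything unchanged.
  if (forwardAuth || sameOrigin(fromUrl, target)) {
    return { target, headers: { ...headers } };
  }

  // Cross-origin with the setting disabled: drop credentials, keep the rest.
  // Header names are matched case-insensitively.
  const stripped = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      stripped[name] = value;
    }
  }
  return { target, headers: stripped };
}

// Constructed sample: an API redirecting a request to a CDN on another host.
const sampleHeaders = {
  Authorization: 'Bearer <constructed-token>',
  'Proxy-Authorization': 'Basic <constructed-credentials>',
  'Content-Type': 'application/json',
};
const demo = headersForRedirect(
  'https://api.example.com/files/1',
  'https://cdn.example.net/files/1',
  sampleHeaders,
  false
);
console.log(demo.target, Object.keys(demo.headers)); // only Content-Type survives
```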


coderabbitai Bot commented Jun 26, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ef9d2700-e655-4628-ab0a-611bd0bc75d5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

