headers are not updated on RedirectResponse

[upeshjindal]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

@app.get("/source")
async def source():

    headers = {"Authorization": "Nothing"}
    return RedirectResponse(app.url_path_for("target"), headers=headers)


@app.get("/target")
async def target():

    return {"token": "Target"}

Description

I want to redirect to a target (main page) after login (source). The target needs to see the Authorization header so I add it just before redirecting. However, the header is not reflected when serving request at target.

I searched all over but could not find a solution to this.

Operating System

Linux

Operating System Details

Ubuntu 20.4

FastAPI Version

0.68.1

Python Version

3.8.10

Additional Context

No response

[ghandic]

TLDR: It is working, the headers are sent back to the client and the client follows the redirect and doesn't attach the additional headers. If you try running the following curl command you can see your headers.

curl -D - -X 'GET' \
  'http://127.0.0.1:8000/source' \
  -H 'accept: application/json'

This is by the design of the HTTP protocol believe, see this discussion on stack overflow

I'm afraid, all the answers are wrong and misleading!

It's impossible to redirect to a page with custom headers set, no matter what language or framework you use. In other words, there's no way to trigger an HTTP redirect and cause the client (browser) to add a custom header.

You might be thinking that using multiple header() calls should work just fine. But it won't. You're setting the custom headers for the response which is instructing the browser to redirect, not for the redirect itself.

The only way for a site to instruct a browser to issue an HTTP request with a custom header is to use Javascript and the XMLHttpRequest object. And it needs CORS implemented on the target server to allow such ajax requests.

Please note that a page can not set HTTP request headers unless it's making an async request using XMLHttpRequest. Meaning that you can't do such redirection with the custom header on the client-side as well.

If this helped to solve your issue, could you close it off to help others?

[upeshjindal]

@ghandic Sorry for replying late. This is pretty helpful! Thank you very much. I will close the issue.