Why
Recent axios CVEs and patches show this is a real attack surface for HTTP clients. We should ship secure defaults.
Evidence
- axios #10660 — "unrestricted cloud metadata exfiltration via header injection chain".
- axios #10779 — "more header pollutions".
- axios #10794 — "clear stale header on redirect when target is no-proxy".
- axios #10795 — "fetch adapter is not enforcing max body or content length".
- axios #10707 (6 reactions) — SSRF / DoS / Metadata exfil concerns.
Defaults
- Header normalization — reject headers containing CR/LF early (HTTP request smuggling).
- Redirect handling — drop `Authorization`/`Cookie`/proxy headers on cross-origin redirect by default; option to preserve.
- Response size cap — honor `maxContentLength` on the `fetch` adapter as well (the axios bug above). Keep the default at `Infinity` so the cap stays opt-in, but document that explicitly.
- No automatic protocol upgrade — an explicit `http:` URL stays `http:`; a redirect to a different scheme, in particular a non-https scheme that looks suspicious, is not followed silently.
- SSRF guard hook — pluggable predicate `shouldRequest({ url })` so server-side users can block link-local/metadata IPs.
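As an added example (not axios code and not part of this note), the header-normalization, redirect and SSRF-guard defaults as small helpers; `assertNoCrlf`, `redirectHeaders` and `defaultShouldRequest` are names assumed here:

```javascript
// Added example, not axios code: secure-default helpers an HTTP client could apply.
// The names assertNoCrlf, redirectHeaders and defaultShouldRequest are assumptions.

// 1. Header normalization: reject CR/LF before the request is serialized; a value
//    containing "\r\n" would otherwise terminate the header and smuggle extra ones.
function assertNoCrlf(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
      throw new TypeError(`Invalid CR/LF in header "${name}"`);
    }
  }
  return headers;
}

// 2. Redirect handling: drop credential-bearing headers when the redirect target
//    is a different origin, unless the caller explicitly opts in to preserve them.
const SENSITIVE = new Set(['authorization', 'cookie', 'proxy-authorization']);
function redirectHeaders(headers, fromUrl, toUrl, { preserveAuthOnCrossOrigin = false } = {}) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  if (sameOrigin || preserveAuthOnCrossOrigin) return { ...headers };
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => !SENSITIVE.has(k.toLowerCase()))
  );
}

// 3. SSRF guard hook: a default shouldRequest predicate blocking loopback, link-local
//    (169.254.0.0/16 covers cloud metadata endpoints) and RFC 1918 IPv4 literals.
//    WHATWG URL parsing normalizes shorthand like "127.1" to a dotted quad first.
//    Plain hostnames pass: resolving them and re-checking the address is the caller's
//    job (DNS rebinding), which is why the predicate is pluggable.
function defaultShouldRequest({ url }) {
  const host = new URL(url).hostname; // IPv6 literals keep their brackets, e.g. "[::1]"
  if (host === 'localhost' || host === '[::1]' || host === '0.0.0.0') return false;
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return true;
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 127 || a === 10) return false;           // loopback, 10/8
  if (a === 169 && b === 254) return false;          // link-local / metadata
  if (a === 172 && b >= 16 && b <= 31) return false; // 172.16/12
  if (a === 192 && b === 168) return false;          // 192.168/16
  return true;
}
```

The predicate is intentionally conservative: private and link-local literals are rejected unconditionally, and anything that is a name rather than an address is handed back to the caller for a post-resolution check.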
Constraints
- Defaults must be safe but not break the 80% case (cross-origin Authorization is sometimes intentional → opt-in flag).
- Document each default and the threat it mitigates.