Hi all,
thinking about 201 and 3xx responses and whether to trust HTTP Location headers, I am curious what people in this group think:
Suppose the server is using the Server-Authorization header introduced by Hawk. Do you think it makes sense to include the Location response header in the signature base string so the client can verify its value before following the redirect?
Or should one simply discourage producing and following redirects for security reasons? Or at least mandate TLS?
Jan
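As an added illustration of the design question above (this is not code from Jan's post nor from the Hawk project): in Hawk 1 the Server-Authorization MAC is computed over the response normalized string, i.e. the request's ts and nonce, method, resource, host, port, the optional payload hash and the optional `ext` field. Location is not part of that string, so an unmodified Hawk client has no integrity check on it. The example below follows the Hawk 1 normalized-string layout of the reference implementation and binds Location without changing the string format, by carrying it in the signed `ext` field under a `location=` convention. The key, the request artifacts and that `location=` convention are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credentials and request artifacts (illustrative values, not a real deployment).
KEY = b"werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
REQUEST = {"ts": "1353832234", "nonce": "j4h3g2", "method": "POST",
           "resource": "/resource/1", "host": "example.com", "port": 443}


def payload_hash(content_type, body):
    """Hawk 1 payload hash: base64(SHA-256('hawk.1.payload\\n<type>\\n<body>\\n'))."""
    normalized = "hawk.1.payload\n" + content_type + "\n" + body + "\n"
    return base64.b64encode(hashlib.sha256(normalized.encode()).digest()).decode()


def normalized_string(kind, req, phash, ext):
    """Hawk 1 normalized string; kind is 'header' (request) or 'response' (Server-Authorization)."""
    s = ("hawk.1." + kind + "\n" + req["ts"] + "\n" + req["nonce"] + "\n"
         + req["method"].upper() + "\n" + req["resource"] + "\n"
         + req["host"].lower() + "\n" + str(req["port"]) + "\n" + (phash or "") + "\n")
    if ext:
        s += ext.replace("\\", "\\\\").replace("\n", "\\n")
    return s + "\n"


def calc_mac(key, normalized):
    """HMAC-SHA256 over the normalized string, base64 encoded, as Hawk does for sha256 credentials."""
    return base64.b64encode(hmac.new(key, normalized.encode(), hashlib.sha256).digest()).decode()


def location_ext(location):
    """Assumed convention for this example: carry the Location value inside the signed ext field."""
    return "location=" + location


def server_authorization(key, req, content_type, body, location):
    """Server side: build Server-Authorization for a 201/3xx response whose Location must be bound."""
    phash = payload_hash(content_type, body)
    ext = location_ext(location)
    mac = calc_mac(key, normalized_string("response", req, phash, ext))
    return 'Hawk mac="%s", hash="%s", ext="%s"' % (mac, phash, ext)


def parse_hawk_header(value):
    """Minimal attribute parser for 'Hawk k="v", k="v"' (the real library is stricter)."""
    if not value.startswith("Hawk "):
        raise ValueError("not a Hawk header")
    return dict(re.findall(r'(\w+)="([^"]*)"', value[5:]))


def _eq(a, b):
    """Constant-time string comparison; bytes so non-ASCII input cannot raise in compare_digest."""
    return hmac.compare_digest(a.encode(), b.encode())


def client_verify(key, req, headers, body):
    """Client side: check the MAC, the payload hash, then that Location matches the signed ext.

    Only after this returns True should the client act on the Location header.
    """
    try:
        attrs = parse_hawk_header(headers["Server-Authorization"])
    except (KeyError, ValueError):
        return False
    ext = attrs.get("ext", "")
    phash = attrs.get("hash", "")
    expected = calc_mac(key, normalized_string("response", req, phash, ext))
    if not _eq(expected, attrs.get("mac", "")):
        return False  # MAC does not match what was received (ext, hash or request context altered)
    if not _eq(phash, payload_hash(headers.get("Content-Type", ""), body)):
        return False  # body was altered in transit
    if not ext.startswith("location="):
        return False  # policy assumed here: a redirect response must bind its Location
    return _eq(ext[len("location="):], headers.get("Location", ""))


if __name__ == "__main__":
    ct, body, loc = "text/plain", "created", "https://example.com/resource/1/42"
    hdrs = {"Server-Authorization": server_authorization(KEY, REQUEST, ct, body, loc),
            "Content-Type": ct, "Location": loc}
    print("honest response:", client_verify(KEY, REQUEST, hdrs, body))
    rewritten = dict(hdrs, Location="https://attacker.example/collect")
    print("rewritten Location:", client_verify(KEY, REQUEST, rewritten, body))
```

Two caveats a practitioner would want alongside this. First, the binding only protects what the MAC covers: the redirect target and the body, nothing else in the response, and nothing about confidentiality, so it is a complement to TLS rather than a substitute for it. Second, the check is only useful if the client refuses to follow a Location that fails verification; most HTTP client libraries follow redirects automatically, so the client must disable that and handle the redirect itself after `client_verify` succeeds.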