I'm using WEBAPI (asp.net) with vs2015.
In my web.config I have this rewrite url rule which redirects HTTP to HTTPS (I know I can do it via HSTS but that's not the point here):
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
      <match url="(.*)"/>
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
      </conditions>
      <action redirectType="Temporary" type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>
The rule is working fine.
Also, I've created a self-signed certificate and made Chrome trust it.
(es.com is my localhost, via the hosts file)
And it is trusted:
But something is not clear to me.
When I use POSTMAN to make an HTTP request, I get a 307 redirect response header which redirects to HTTPS
and it does send the Authorization header; I do see it in my webapi:
Here is the network tab:
The first request was HTTP, then the server sends an HTTPS redirect, and as you can see, WEBAPI did get the Authorization header. Here is the proof that the SECOND request did send the Authorization header:
Now Fiddler.
I compose a new request to HTTP:
I do get a response with 307
But the second request doesn't send the Authorization header:
And hence WEBAPI doesn't get its value:
Questions
1) Why doesn't Fiddler send the Authorization header? And how can I make it send it?
2) I think I read somewhere that Authorization headers are NOT sent on redirects BY DESIGN. If so, is Postman working improperly?
What am I missing here?
NB: I already know that I can create a custom header which will contain the authorization value, and it will be sent also on redirects. But that's not my question.
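Added example, not part of the original question: a local model of the two behaviours described above, showing that the first hop always carries the Authorization header before the 307 is answered, and that repeating it on the second hop is a client-side choice. The names `Handler`, `fetch`, `run_demo`, the `/insecure/` and `/secure/` paths (standing in for the HTTP and HTTPS sides so it runs without a certificate) and the token are assumptions made for this sketch.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

seen = []  # (path, Authorization value or None) for each request the server receives

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        seen.append((self.path, self.headers.get("Authorization")))
        if self.path.startswith("/insecure/"):
            # Stand-in for the rewrite rule: answer 307 and point at the "secure" path.
            self.send_response(307)
            self.send_header("Location", "/secure/" + self.path[len("/insecure/"):])
            body = b""
        else:
            self.send_response(200)
            body = b"ok"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo output quiet

def fetch(port, path, token, forward_auth):
    """Follow at most one 307 by hand; forward_auth is the client policy under test."""
    headers = {"Authorization": "Bearer " + token}  # constructed sample credential
    for _ in range(2):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
        if status != 307:
            return status
        path = urlsplit(location).path
        if not forward_auth:
            headers = {}  # this client drops credentials when it follows a redirect
    return status

def run_demo(forward_auth):
    """Return (final status, list of what the server saw on each hop)."""
    seen.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    status = fetch(server.server_port, "/insecure/api/values", "constructed-token", forward_auth)
    server.shutdown()
    server.server_close()
    return status, list(seen)
```

In both policies the first entry of the returned log contains the token, which is the hop that travels over plain HTTP in the setup above.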