Is it true that you cannot add/modified 307 header except Location? I'm trying to do that in Node.js and seems that newly added header 'X-Atlassian-Token': 'no-check' is not used by the client.
res.writeHead(307,
{
'Location': 'http://www.mytest.com?os_authType=basic',
'Content-Type': 'multipart/form-data',
'X-Atlassian-Token': 'no-check'
});
res.end();
Somebody has asked the same question on Stackoverflow and one person replied -
Is it possible to set some http headers while http-redirect(302 or 307)?
"Actually, through Java objects, you can set request properties but not headers. I am looking for an answer to this myself. I believe this is a deliberate restriction to prevent faking authentication tokens and other information sent through the headers. I will post a solution if I find one."
Is it true that you cannot add/modified 307 header except Location?
No, it's not true. Running your code shows a response including both the specified status code and the extra headers:
HTTP/1.1 307 Temporary Redirect
Location: http://www.mytest.com?os_authType=basic
Content-Type: multipart/form-data
X-Atlassian-Token: no-check
Date: Sat, 06 Jun 2015 13:40:41 GMT
Connection: keep-alive
Transfer-Encoding: chunked
If that's not having the effect you expect, see this other answer to the same question:
You should also ensure that your response headers refer to that response rather than the resource that the client is being redirected to.
That is, the X-Atlassian-Token: no-check header won't be carried across to the follow-up request (and, specifically, won't be sent by the client).