diff --git a/r5dev/thirdparty/curl/http.c b/r5dev/thirdparty/curl/http.c
index 22d45470..1ae60913 100644
--- a/r5dev/thirdparty/curl/http.c
+++ b/r5dev/thirdparty/curl/http.c
@@ -726,7 +726,7 @@ Curl_http_output_auth(struct connectdata *conn,
   if(!data->state.this_is_a_follow ||
      conn->bits.netrc ||
      !data->state.first_host ||
-     data->set.http_disable_hostname_check_before_authentication ||
+     data->set.allow_auth_to_other_hosts ||
      strcasecompare(data->state.first_host, conn->host.name)) {
     result = output_auth_headers(conn, authhost, request, path, FALSE);
   }
@@ -1645,6 +1645,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
                   checkprefix("Transfer-Encoding:", headers->data))
             /* HTTP/2 doesn't support chunked requests */
             ;
+          else if(checkprefix("Authorization:", headers->data) &&
+                  /* be careful of sending this potentially sensitive header to
+                     other hosts */
+                  (data->state.this_is_a_follow &&
+                   data->state.first_host &&
+                   !data->set.allow_auth_to_other_hosts &&
+                   !strcasecompare(data->state.first_host, conn->host.name)))
+            ;
           else {
             CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
                                                headers->data);
diff --git a/r5dev/thirdparty/curl/url.c b/r5dev/thirdparty/curl/url.c
index dd56cf55..499395c9 100644
--- a/r5dev/thirdparty/curl/url.c
+++ b/r5dev/thirdparty/curl/url.c
@@ -986,7 +986,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
      * Send authentication (user+password) when following locations, even when
      * hostname changed.
      */
-    data->set.http_disable_hostname_check_before_authentication =
+    data->set.allow_auth_to_other_hosts =
       (0 != va_arg(param, long)) ? TRUE : FALSE;
     break;
 
diff --git a/r5dev/thirdparty/curl/urldata.h b/r5dev/thirdparty/curl/urldata.h
index 3c94553a..dae2e7ae 100644
--- a/r5dev/thirdparty/curl/urldata.h
+++ b/r5dev/thirdparty/curl/urldata.h
@@ -1693,7 +1693,7 @@ struct UserDefined {
   bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
   bool http_follow_location; /* follow HTTP redirects */
   bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
-  bool http_disable_hostname_check_before_authentication;
+  bool allow_auth_to_other_hosts;
   bool include_header;   /* include received protocol headers in data output */
   bool http_set_referer; /* is a custom referer used */
   bool http_auto_referer; /* set "correct" referer when following location: */