
Is it true that you cannot add/modify 307 headers except Location? I'm trying to do that in Node.js, and it seems that the newly added header 'X-Atlassian-Token': 'no-check' is not used by the client.

    const http = require('http');

    http.createServer((req, res) => {
        // 307 redirect with extra headers sent alongside Location
        res.writeHead(307,
            {
                'Location': 'http://www.mytest.com?os_authType=basic',
                'Content-Type': 'multipart/form-data',
                'X-Atlassian-Token': 'no-check'
            });
        res.end();
    }).listen(3000);

Somebody has asked the same question on Stack Overflow, and one person replied:

Is it possible to set some http headers while http-redirect(302 or 307)?

"Actually, through Java objects, you can set request properties but not headers. I am looking for an answer to this myself. I believe this is a deliberate restriction to prevent faking authentication tokens and other information sent through the headers. I will post a solution if I find one."

asked by KMC
1 Answer


Is it true that you cannot add/modified 307 header except Location?

No, it's not true. Running your code shows a response including both the specified status code and the extra headers:

HTTP/1.1 307 Temporary Redirect
Location: http://www.mytest.com?os_authType=basic
Content-Type: multipart/form-data
X-Atlassian-Token: no-check
Date: Sat, 06 Jun 2015 13:40:41 GMT
Connection: keep-alive
Transfer-Encoding: chunked

If that's not having the effect you expect, see this other answer to the same question:

You should also ensure that your response headers refer to that response rather than the resource that the client is being redirected to.

That is, the X-Atlassian-Token: no-check header won't be carried across to the follow-up request (and, specifically, won't be sent by the client).

answered by Joe
    I should have worded my question better. I knew the new header was sent back to the client. What I meant is the client won't use all the attributes I added to the new header in the follow up request except location one. But thanks for confirming that the client wont. – KMC Jun 08 '15 at 13:23
  • Otherwise, you could cause a client to make a request with `X-Atlassian-Token: no-check`, which would be exactly the XSRF vulnerability that this header is intended to prevent. – Joe Jun 09 '15 at 10:11