Problem
The redirect support added in PR #1 follows redirects by default. When a redirect points to an untrusted host, curl will resend all headers, which can leak sensitive data such as API keys or bearer tokens. Redirect handling should be opt-in with safe defaults.
