• LWP::UserAgent now strips Authorization and Proxy-Authorization headers
  on cross-origin redirects (a different scheme, host, or port) to prevent
  credential leakage to the redirect target. Same-origin redirects retain
  credentials. Opt out with allow_credentialed_redirects => 1.
  CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig
  Palmquist.
  
• LWP::UserAgent now refuses https to http redirects by default to prevent
  leaking remaining request headers and bodies over plaintext. Opt in with
  allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by
  Stig Palmquist.