uses auth_host to only send user+password to that particular site, usable if

Location: following takes "us" to other servers that should not get the
user and password