Authorization header on redirect

Hackney send authorization header on redirect, similar issue as [CVE-2018-1000007](https://curl.se/docs/CVE-2018-1000007.html) in cURL.

[cURL](https://curl.se/docs/manpage.html) uses the flag `--location-trusted`. Should we implement something like this?

This can be seen on redirect to S3 from an API that needs `Authorization`.