Security
Header Filtering
Headers are often high-value debugging context and high-risk leakage surfaces at the same time. Filter aggressively.
Good candidates to remove by default:
authorizationcookieset-cookie- tenant or session headers that expose private identifiers
Keep only the headers that help explain routing, content negotiation, or request provenance.