@poga in any case we'd be better served by whitelisting http headers per application rather than entrusting nothing bad will happen. too many special headers that can mess with the flow of web applications and people generally turn a blind eye to it all