HTTP traces currently include Cookie headers but exclude Authorization headers by default. We should consider excluding Cookie headers by default.
Comment From: JoeBeeton
As mentioned privately, the current configuration, which is by default showing the cookies, has the potential to leak sensitive information if the HTTP trace endpoint is enabled. We would very much like for this to not be enabled by default.
Comment From: philwebb
We'll look at doing this in 2.4.x
Comment From: philwebb
Closing in favor of PR #22829