On the other hand, keeping this option disabled by default means that almost all OpenStack deployments (because almost all of them use a reverse proxy in front of the APIs) need to set that option for all the OpenStack services using oslo.middleware.
So I guess there is a decision to make here. My opinion is that we should ease the life of deployers with sensible defaults.
I agree!
https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=f62c3a74c07238d91efb17e9ac64373f08894490 explains it is disabled by default for security reasons. The rationale seems to be: headers are supposed to be saner behind a reverse proxy, so the risk of malformed malicious headers is lower. This rationale is valid in case of a security vulnerability in the parsing code.
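To make the trade-off in this thread concrete, here is a toy WSGI middleware added as an example; it is not code from the thread or from oslo.middleware. The keyword `enable_proxy_headers_parsing` mirrors the name of the oslo.middleware option being discussed; the header handling, the hostnames and the sample requests are constructed for the demo. With parsing off (the current default) a malformed `Forwarded` header from a direct client is simply ignored, but a deployment behind a TLS-terminating reverse proxy builds its self-links from the internal scheme and host. With parsing on, the proxy's headers give correct links, and the parser has to reject malformed input cleanly rather than fail on it.

```python
"""Toy proxy-header middleware illustrating the default-on/default-off trade-off.

Added example, not oslo.middleware code. All header values and hosts below
are constructed for the demonstration.
"""
import re

ALLOWED_SCHEMES = {"http", "https"}
# Hostname or IPv4, or bracketed IPv6, with an optional port. Assumption for the demo.
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$")


class ProxyHeaderError(ValueError):
    """Raised when parsing is enabled and a forwarded header is malformed."""


def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header.

    'for="[2001:db8::1]";proto=https;host=api.example.test, for=10.0.0.9'
    -> {'for': '[2001:db8::1]', 'proto': 'https', 'host': 'api.example.test'}
    Raises ProxyHeaderError instead of crashing on garbage.
    """
    first = value.split(",", 1)[0]
    fields = {}
    for pair in first.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ProxyHeaderError(f"malformed Forwarded pair: {pair!r}")
        key, _, val = pair.partition("=")
        key, val = key.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form, e.g. IPv6 literals
        if not key or not val:
            raise ProxyHeaderError(f"empty key or value in: {pair!r}")
        fields[key] = val
    return fields


def apply_proxy_headers(environ, enable_proxy_headers_parsing=False):
    """Return a copy of the WSGI environ, rewriting scheme/host from proxy headers.

    With parsing disabled (the default the thread discusses) the headers are
    ignored entirely, so client-supplied values can never reach the parser.
    """
    env = dict(environ)
    if not enable_proxy_headers_parsing:
        return env
    forwarded = env.get("HTTP_FORWARDED")
    if forwarded:
        fields = parse_forwarded(forwarded)
        proto, host = fields.get("proto"), fields.get("host")
    else:  # fall back to the de-facto X-Forwarded-* headers
        proto = env.get("HTTP_X_FORWARDED_PROTO")
        host = env.get("HTTP_X_FORWARDED_HOST")
    if proto is not None:
        proto = proto.lower()
        if proto not in ALLOWED_SCHEMES:
            raise ProxyHeaderError(f"unsupported forwarded proto: {proto!r}")
        env["wsgi.url_scheme"] = proto
    if host is not None:
        if not _HOST_RE.match(host):
            raise ProxyHeaderError(f"invalid forwarded host: {host!r}")
        env["HTTP_HOST"] = host
    return env


def base_url(environ):
    """The origin an API would embed in self-links / version documents."""
    return f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}"


def demo():
    """Constructed requests; returns the base URL each scenario yields."""
    internal = {"wsgi.url_scheme": "http", "HTTP_HOST": "10.0.0.5:8774", "PATH_INFO": "/v2.1"}
    # Request arriving via a TLS-terminating reverse proxy (constructed).
    behind_proxy = dict(internal, HTTP_X_FORWARDED_PROTO="https",
                        HTTP_X_FORWARDED_HOST="api.example.test")
    # Request from a direct client carrying a malformed header (constructed).
    direct_garbage = dict(internal, HTTP_FORWARDED="proto=https;host")
    out = {
        "proxy_parsing_on": base_url(apply_proxy_headers(behind_proxy, True)),
        "proxy_parsing_off": base_url(apply_proxy_headers(behind_proxy, False)),
        "garbage_parsing_off": base_url(apply_proxy_headers(direct_garbage, False)),
    }
    try:
        apply_proxy_headers(direct_garbage, True)
        out["garbage_parsing_on"] = "accepted"
    except ProxyHeaderError as exc:
        out["garbage_parsing_on"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The `proxy_parsing_off` scenario is the deployer pain the thread describes: links come back as `http://10.0.0.5:8774` even though clients reach the API over HTTPS at `api.example.test`. The `garbage_parsing_on` scenario is the reason given for the secure default: once parsing is on, every client-controlled header reaches the parser, so the parser must fail closed on malformed input, and the option is only safe to enable when the reverse proxy in front overwrites (rather than passes through) any `Forwarded` or `X-Forwarded-*` headers the client sent.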