Comment 1 for bug 1590635

Adrien Cunin (adri2000) wrote:

I agree!

https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=f62c3a74c07238d91efb17e9ac64373f08894490 explains it is disabled by default for security reasons. The rationale seems to be: headers are supposed to be saner behind a reverse proxy, so the risk of malformed malicious headers is lower. This rationale is valid in case of a security vulnerability in the parsing code.

On the other hand, keeping this option disabled by default means that almost all OpenStack deployments (because almost all of them use a reverse proxy in front of the APIs) need to set that option for all the OpenStack services using oslo.middleware.

So I guess there is a decision to make here. My opinion is that we should ease the life of deployers with sensible defaults.
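To make the trade-off discussed in this thread concrete, here is an added example (not oslo.middleware's own code) of a minimal WSGI environ rewrite that honours X-Forwarded-* headers only when a flag modelled on the real `enable_proxy_headers_parsing` option is turned on, and that validates the values before trusting them. The sample environ, host names and the middleware function are constructed for illustration.

```python
"""Minimal stand-in for a proxy-headers middleware (example code, not oslo's).

With parsing disabled (the default under discussion), client-supplied
X-Forwarded-* headers never change how the application sees its own
scheme, host or client address. With parsing enabled, only well-formed
values are applied, which limits the blast radius of a parsing bug.
"""
import re

# host[:port] only; bracketed IPv6 literals are deliberately out of scope here
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def apply_proxy_headers(environ, enable_proxy_headers_parsing=False):
    """Return a copy of the WSGI environ, rewritten from X-Forwarded-* headers
    only when parsing is explicitly enabled (hypothetical helper)."""
    env = dict(environ)
    if not enable_proxy_headers_parsing:
        return env  # not behind a trusted proxy: ignore the headers entirely

    proto = env.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto in ("http", "https"):  # anything else is malformed, keep original
        env["wsgi.url_scheme"] = proto

    host = env.get("HTTP_X_FORWARDED_HOST", "")
    first_host = host.split(",")[0].strip()  # first hop only
    if first_host and _HOST_RE.match(first_host):
        env["HTTP_HOST"] = first_host

    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    first_addr = xff.split(",")[0].strip()
    if first_addr:
        env["REMOTE_ADDR"] = first_addr
    return env


# Constructed sample: a client talking directly to the API (no reverse proxy)
# while sending forwarded headers of its own.
DIRECT_REQUEST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "api.internal:8774",
    "REMOTE_ADDR": "203.0.113.9",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "spoofed.example",
    "HTTP_X_FORWARDED_FOR": "127.0.0.1",
}

# Constructed sample: a proxy-forwarded request carrying a malformed host value.
MALFORMED_HOST_REQUEST = dict(DIRECT_REQUEST, HTTP_X_FORWARDED_HOST="bad host/../x")
```

With the flag off, `apply_proxy_headers(DIRECT_REQUEST)` leaves scheme, host and client address untouched; with it on, the scheme becomes `https` but a malformed forwarded host is still rejected.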