We recently had cause to tcpdump an http request from the http4 component to a web site. We were most surprised to find a load of exchange headers listed as HTTP "header: value" pairs.
A quick search on-line brings up a couple of Red Hat / Fuse documents saying that headers named 'Camel...' are not transmitted onwards; others are.

Two concerns:

1. We see no documentation concerning this on the http4 component's page.
2. There may be a great many applications deployed unintentionally transmitting internal headers to third parties, potentially in breach of policy or legal restrictions, without human knowledge.

I suggest adding a new option, CopyAllHeadersToHttpHeaders, defaulted to false. This would allow developers to "correct" their applications without code changes, and those taking advantage of this facility can switch it on explicitly.

This isn't a Camel security vulnerability, but I very much expect it to be leading to information leakage "out there". It is certainly not a behaviour we expected to see given the documentation. There may be other components that require similar attention.

Thoughts?

James
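As an added illustration, not code from the original post or from the Camel project, one way a deployment can enforce an outbound allow-list today is to plug a custom HeaderFilterStrategy into the http4 endpoint via its headerFilterStrategy option. The registry name allowList, the endpoint URL, the allowed header names and the Camel 2.x package layout are assumptions.

```java
import java.util.Set;
import java.util.TreeSet;
import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.impl.SimpleRegistry;
import org.apache.camel.spi.HeaderFilterStrategy;

/** Allow-list strategy: any exchange header not named here stays off the wire. */
public class AllowListHeaderFilterStrategy implements HeaderFilterStrategy {
    // HTTP header names are case-insensitive, so compare them that way.
    private final Set<String> allowed = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    public AllowListHeaderFilterStrategy(String... names) {
        for (String name : names) {
            allowed.add(name);
        }
    }

    // Camel headers -> outbound HTTP headers. Returning true means "filter out",
    // so the default is to drop and only listed names pass (deny by default).
    @Override
    public boolean applyFilterToCamelHeaders(String name, Object value, Exchange exchange) {
        return !allowed.contains(name);
    }

    // Inbound HTTP response headers -> Camel headers: nothing leaves the process here, keep all.
    @Override
    public boolean applyFilterToExternalHeaders(String name, Object value, Exchange exchange) {
        return false;
    }

    // Wiring (assumed names): bind the strategy in the registry and reference it from the endpoint.
    public static void main(String[] args) throws Exception {
        SimpleRegistry registry = new SimpleRegistry();
        registry.put("allowList",
                new AllowListHeaderFilterStrategy("Content-Type", "Accept", "Authorization"));
        CamelContext context = new DefaultCamelContext(registry);
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                from("direct:callThirdParty")
                    .to("http4://example.invalid/api?headerFilterStrategy=#allowList");
            }
        });
        context.start();
        context.stop();
    }
}
```

With this in place, a header set upstream in the route (an internal correlation id, say) is removed from the outbound request unless it appears in the allow-list, which is the deny-by-default behaviour the proposed option would give without code changes.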
