isMiaHeaderInjected proxy headers if set in ADDITIONAL_HEADERS_TO_PROXY env

[davidebianchi]

Describe the bug
When I set isMiaHeaderInjected option to false, the header to proxy set in ADDITIONAL_HEADERS_TO_PROXY env are proxied if I use the http client in the request object.

Furthermore, if I set the mia headers inside the ADDITIONAL_HEADERS_TO_PROXY list, them are proxied anyhow.

Expected behavior
I expect to not proxy headers if I set this option.
We have 2 possibilities:

1. isMiaHeaderInjected do not forward proxy if set
2. add another options, to avoid to proxy all headers and not only the headers flagged as mia-headers

Desktop (please complete the following information):

• Version: 6.0.0

[fredmaggiowski]

I'd add an option that enables headers to proxy and by default will be disabled in the next major; what do you think about this?

[Danielecina]

I would put an option when we instantiate the httpClient that blocks the forward.
I don't know if I would just do mia-headers. I'd try to think of something that makes it more generic.
Maybe I'd do something that picks specific headers that we want to pass along !?

[davidebianchi]

@fredmaggiowski Why disable the headers to proxy by default? If you use the http client inside the request, you probably want to proxy headers by default. If not, you always can to disable it.

@Danielecina it is possible to pick headers already using the ADDITIONAL_HEADERS_TO_PROXY env var and use the client inside the request. Otherwise, if you instantiate the client directly, you always can add headers as options. I agree to use a more generic name for the option, maybe it could be changed with the future breaking of the lib.

I think that the question here is if there is some value to have two different options to manage differently headers to proxy and specific Mia headers to proxy. What do you think about?

[fredmaggiowski]

@fredmaggiowski Why disable the headers to proxy by default? If you use the http client inside the request, you probably want to proxy headers by default. If not, you always can to disable it.

Just to make sure that headers are not mistakenly proxied to external services as this may be security concerning