A recent change to the API has seen it start responding with '400 BadRequest' for some (but not all) 'GET' requests that include a 'Content-Length: 0' request header. This is something the HTTP client library we are using routinely does (we believe to enable connection keep alives) and is difficult to disable. Our reading of the HTTP spec is that it states clients should not send this header for GET requests but that servers should also not error if they do. Was this a deliberate change and would it be possible to revert to the previous behaviour of accepting these requests?
Reply by Travis Bell
on December 5, 2024 at 12:10 AM
Hi @MaryGoRound,
Indeed, we've been tightening up some of the security on a few of our services, and this is a setting in one of the load balancer products we use. When we tested launching this, there was no noticeable change in traffic patterns so it seems to only have affected a very small number of requests. It's also a setting that has been enabled on our website for over 6 months, so we felt pretty comfortable with it.
Can you tell me more about what library is defaulting to sending this header? It shouldn't be doing that, and I'm not sure if I can guarantee us not re-enabling this setting in the long term, so I suggest changing libraries or having them fix it upstream, but for now, it's been reverted.
Reply by mary
on December 11, 2024 at 3:30 PM
Thank you, @travisbell! We are currently using the latest version of the Apache HttpClient 4.5 series - which is sending the header. There is a newer version of the library - Apache HttpClient 5.4 series - which appears not to send the header on 'GET' requests - but we have not been able to simply update the library because it is not backwards compatible with the earlier version and we have numerous dependencies on HttpClient 4.5 from various other 3rd party libraries - and some of those do not have available updates at this time. We are doing our best to work through the various dependencies to get everything updated.
Reply by Travis Bell
on December 16, 2024 at 5:23 PM
Ok, thanks for letting me know.
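For readers on HttpClient 4.5 who hit the same rejection, one client-side option is a request interceptor that drops an empty `Content-Length` from body-less GET requests before they are sent. This is an added example, not code from anyone in this thread; the class name `StripEmptyContentLength` and the request path are made up for illustration, and it assumes the header is already on the request by the time the last interceptor runs.

```java
import java.io.IOException;
import org.apache.http.Header;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

// Hypothetical helper: removes "Content-Length: 0" from GET requests that carry no body.
public class StripEmptyContentLength implements HttpRequestInterceptor {

    @Override
    public void process(HttpRequest request, HttpContext context)
            throws HttpException, IOException {
        if (!"GET".equalsIgnoreCase(request.getRequestLine().getMethod())) {
            return; // only GET is in scope; POST/PUT keep their length header
        }
        if (request instanceof HttpEntityEnclosingRequest
                && ((HttpEntityEnclosingRequest) request).getEntity() != null) {
            return; // a GET that really carries an entity is left untouched
        }
        Header h = request.getFirstHeader("Content-Length");
        if (h != null && h.getValue() != null && "0".equals(h.getValue().trim())) {
            request.removeHeaders("Content-Length");
        }
    }

    // Registered last so it runs after the library's own header-generating interceptors.
    static CloseableHttpClient buildClient() {
        return HttpClients.custom()
                .addInterceptorLast(new StripEmptyContentLength())
                .build();
    }

    // Offline check on constructed requests; no network traffic is generated.
    public static void main(String[] args) throws Exception {
        HttpRequest get = new BasicHttpRequest("GET", "/example/path"); // constructed sample
        get.addHeader("Content-Length", "0");
        HttpRequest post = new BasicHttpRequest("POST", "/example/path"); // constructed sample
        post.addHeader("Content-Length", "0");
        StripEmptyContentLength interceptor = new StripEmptyContentLength();
        interceptor.process(get, new BasicHttpContext());
        interceptor.process(post, new BasicHttpContext());
        System.out.println("GET keeps header:  " + get.containsHeader("Content-Length"));
        System.out.println("POST keeps header: " + post.containsHeader("Content-Length"));
    }
}
```

The interceptor only affects clients created through `buildClient()`; third-party libraries that construct their own HttpClient 4.5 instances will keep sending whatever they send today.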