If I set the header of the resource like first image,
when end users use a query, they can see this response in the developer tools.
The "Authorization" header is sanitized, but others are completely exposed.
This is a very dangerous security issue.
Many APIs use authentication via custom headers.
Please provide a sanitizing option for custom headers.