Review if we should stop adding Oauth2 secret on http header by default
Created by: abrahammartin
We should not use http ever by default and only use it if there is a settings that tell us (for example for development).
Expose a token on a HTTP header can have a risk of impersonation.