Review if we should stop adding Oauth2 secret on http header by default

Created by: abrahammartin

We should not use http ever by default and only use it if there is a settings that tell us (for example for development).

Expose a token on a HTTP header can have a risk of impersonation.