anderspitman
commented
2 years ago This is somewhat mitigated in v0.9.0. By using Client TLS tunnels, the raw TCP stream goes all the way to the upstream server. so hop-by-hop is bypassed. Would still be nice to have this for HTTPS tunnels though.
https://book.hacktricks.xyz/pentesting-web/abusing-hop-by-hop-headers
Currently we rather naively copy all headers from the downstream request. I would guess most of the hop-by-hop headers are already correctly being overwritten by Go's HTTP client, but maybe not.