add more unsignable headers

[cfbao]

Description

Add more unsignable headers, including the user-agent header.

• Fixes Should we skip the User-Agent header? #1208

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[cfbao]

API Gateway REST API (which uses CloudFront) always modifies "Via" and these three "X-Forwarded-*" headers. It also adds/modifies the "User-Agent" header if the incoming request doesn't have it or have it as an empty string.

[cfbao]

The more I look into this rabbit hole, the more I feel like allowing users to control which headers are signed would be a good idea.

The current list is still relatively conservative. If the user has a custom proxy in front of them, a lot more headers can be modified.

E.g.

• W3C's Guidelines for Web Content Transformation Proxies says there are more headers that are also fine for proxies to modify
• CloudFront also has a long list of things it may (or may not) do to request headers: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html

It's probably not a good idea to include all these possibilities in the built-in ignore list of this library.
Offloading such configuration to users would provide more flexibility and lessen maintenance burden.

If there's no other concerns, I'll look into adding some new overloads that accepts a header include/exclude list.

[FantasticFiasco]

I also think allowing the client to control this would be a splendid idea, but I don't have an idea of how to accomplish this yet. I'm currently engaged in another initiative, but would love to collaborate with you on this in a week or two, if you would like that?