Patrick,
I understand that any site that delivers API keys down to a client is allowing those keys to be captured by anyone who really wants to get them. However, HttpArchive makes it exceptionally easy to find the organizations that are taking this risk and enables gathering many instances of keys of API providers.
We know the Authorization header is designed to contain credentials; therefore, if HttpArchive sees that header, it would be prudent not to store it, regardless of the wisdom of the site that put it there in the first place. I guess I'm saying two wrongs don't make a right.
Is it a significant change to the HttpArchive process to do this kind of filtering?
Darrel
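
The filtering asked about above, sketched as an added example that is not part of the original message and not HttpArchive's own code. It assumes captures are in HAR 1.2 layout (`log.entries[].request.headers` as name/value pairs); the function names and the sample capture are constructed for illustration.

```python
import copy

REDACTED = "[REDACTED]"

def _sensitive_headers(har, names):
    """Yield (url, header_dict) for every header whose name is in `names`."""
    wanted = {n.lower() for n in names}  # HTTP header names are case-insensitive
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        for side in ("request", "response"):
            for header in entry.get(side, {}).get("headers", []):
                if header.get("name", "").lower() in wanted:
                    yield url, header

def scrub_har(har, names=("authorization",)):
    """Return (scrubbed_copy, redaction_count); the input is not modified."""
    clean = copy.deepcopy(har)
    count = 0
    for _url, header in _sensitive_headers(clean, names):
        # Keep the header name so "which sites send this header" stays
        # measurable; only the credential value is dropped before storage.
        header["value"] = REDACTED
        count += 1
    return clean, count

def find_credentials(har, names=("authorization",)):
    """URLs of entries that still carry an unredacted sensitive header."""
    return [url for url, h in _sensitive_headers(har, names)
            if h.get("value") != REDACTED]

# Constructed sample capture (not real data): two requests with credentials,
# one using the lowercase header name that HTTP/2 produces.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.example.test/v1/items", "headers": [
        {"name": "Accept", "value": "application/json"},
        {"name": "Authorization", "value": "Bearer constructed-token"}]},
     "response": {"headers": [{"name": "Content-Type", "value": "application/json"}]}},
    {"request": {"url": "https://cdn.example.test/app.js", "headers": [
        {"name": "authorization", "value": "Basic constructed-value"}]},
     "response": {"headers": []}},
]}}

if __name__ == "__main__":
    scrubbed, n = scrub_har(SAMPLE_HAR)
    print(n, "values redacted; remaining:", find_credentials(scrubbed))
```

Running `find_credentials` on the scrubbed copy before it is written to storage gives a cheap gate: a non-empty result means a credential would still be persisted.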