http – What are the security risks of trace context propagation headers?


We are implementing zipkin tracing in our product and have some hesitation about accepting and returning the propagation headers for publicly accessible http requests. The zipkin server itself is not publicly accessible. It seems very useful to have this information available to the front end, and the ids are all random and unique per request, but the information still feels sensitive somehow. What are the risks of exposing and accepting those headers?