Application instrumentation recommendations

Handling incoming context propagation data

To support context propagation, OpenTelemetry‑compliant instrumentation libraries enable the W3C Trace Context and W3C Baggage propagators (tracecontext, baggage) by default.

Propagated values (for example, those received in HTTP request headers) should not be accepted from clients outside the service’s trust boundary. Accepting such values may allow external parties to influence instrumentation behavior.

Depending on your environment, this may be achieved by, for example:

  • dropping these headers at the web application firewall (WAF) level
  • customizing the OpenTelemetry SDK configuration, for example by using custom propagators that ignore incoming context (this may not apply in some scenarios, such as autoinstrumentation)
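
An in-process variant of the header-dropping approach, as an added example that is not from the original page or from OpenTelemetry: a standard-library WSGI middleware that removes the traceparent, tracestate and baggage headers from requests whose direct peer is outside a trusted network range. The class name, the helper function, the 10.0.0.0/8 range and the sample request are assumptions made for illustration.

```python
import ipaddress

# W3C Trace Context and W3C Baggage request headers, as WSGI environ keys.
PROPAGATION_KEYS = ("HTTP_TRACEPARENT", "HTTP_TRACESTATE", "HTTP_BAGGAGE")


class StripUntrustedContext:
    """Hypothetical WSGI middleware: drop propagation headers from untrusted peers."""

    def __init__(self, app, trusted_cidrs):
        self.app = app
        self.trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def _is_trusted(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed peer address: fail closed
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        if not self._is_trusted(environ):
            for key in PROPAGATION_KEYS:
                environ.pop(key, None)  # instrumentation downstream never sees them
        return self.app(environ, start_response)


def seen_by_app(remote_addr, trusted_cidrs=("10.0.0.0/8",)):
    """Send one constructed request through the middleware; return surviving keys."""
    seen = []

    def app(environ, start_response):
        seen.extend(k for k in PROPAGATION_KEYS if k in environ)
        start_response("200 OK", [])
        return [b""]

    environ = {  # constructed sample request, not captured traffic
        "REMOTE_ADDR": remote_addr,
        "HTTP_TRACEPARENT": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
        "HTTP_TRACESTATE": "vendor=value",
        "HTTP_BAGGAGE": "userId=alice",
        "HTTP_ACCEPT": "*/*",
    }
    StripUntrustedContext(app, trusted_cidrs)(environ, lambda status, headers: None)
    return seen
```

The middleware has to wrap the application outside any tracing middleware so the headers are gone before a propagator reads them. Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the trusted range must be chosen with that in mind.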