Parsing of X-Forwarded-For style HTTP headers should be disabled by default

The REST API parses "X-Forwarded-For" headers by default. Instead, it should do so only when explicitly configured to do so. This reduces the attack surface of an abuse vector.